What Happened
Kaspersky researchers published a detailed technical analysis of OkoBot on July 15, 2026, a Windows malware framework active since April 2025 carrying more than 20 modules and payloads. OkoBot’s most targeted component is a module called SeedHunter. SeedHunter monitors running processes for three hardware wallet management applications: Trezor Suite, Ledger Wallet, and Ledger Live. When one of these applications is detected, SeedHunter hooks the application’s Electron runtime internals and injects a phishing overlay styled to match the legitimate application’s interface. The overlay presents a seed phrase recovery screen. When a user enters their phrase, SeedHunter validates the entry against BIP-39 wordlists and exfiltrates the seed phrase to a command-and-control server inside a JSON payload containing the wallet type, device identifiers, and the phrase itself.
OkoBot’s other payloads harvest browser-stored credentials and cookies from Chrome, Edge, Firefox, and Brave, along with SSH keys, macOS Keychain contents, and standard application passwords. The framework was first observed in April 2025 and remained active as of the July 15, 2026 report date. Researchers confirmed infections across more than 25 countries. Canada ranks in the top five most targeted, alongside Brazil, Vietnam, Mexico, and Türkiye.
Why This Matters for Canadian Organizations
Canada’s cryptocurrency sector is a significant and growing attack target. FINTRAC-regulated businesses — crypto exchanges, digital asset custodians, decentralized finance platforms, and corporate treasury functions holding digital assets — all face direct risk from OkoBot. A single compromised employee endpoint with access to a hardware wallet holding corporate funds puts those assets at total and irrecoverable loss risk. Seed phrase theft is final: there is no account recovery process, no fraud dispute mechanism, and no chargeback. The attacker who obtains a seed phrase controls the wallet permanently.
Beyond direct crypto theft, OkoBot’s credential-harvesting payloads extend the attack surface across the compromised organization. Browser-saved passwords, SSH keys, and corporate application credentials exfiltrated from a finance team member’s workstation enable follow-on access to internal systems, client accounts, and cloud infrastructure. PIPEDA requires organizations to report breaches posing significant risk of harm. An OkoBot compromise resulting in financial loss or corporate credential exposure meets the notification threshold. OSFI B-13 requires federally regulated financial institutions to maintain robust endpoint controls and detect anomalous process injection — a class of behavior OkoBot exhibits at runtime.
What to Do
Enforce a written policy prohibiting personal or corporate hardware wallets on any device connected to corporate networks or used for work activity. Audit endpoint detection and response controls for process injection detection capabilities, particularly injection into Electron-based application processes. Review endpoint logs for OkoBot indicators of compromise from Kaspersky’s Securelist analysis. Apply application control policies to block unsigned DLLs from loading into known legitimate application processes. If OkoBot is detected on a managed device, treat it as a potential full credential compromise, rotate all affected credentials, and assess PIPEDA breach notification obligations before determining scope.
Source: The Hacker News






