Trezor hardware wallet confirming a Bitcoin transaction

The Wallet App Can Be Real and the Seed-Phrase Prompt Can Still Be Fake

July 18, 2026 2:27 pm Comments

The most dangerous request in crypto can now appear inside software you genuinely installed.

Security researchers have uncovered a Windows malware framework that can inject a counterfeit wallet-recovery screen into the real Ledger Live or Trezor Suite application.

The app is authentic. The recovery request is not.

If the victim types a seed phrase into that screen, the malware sends it to the attackers. At that point, the hardware wallet no longer matters: the words can recreate the wallet somewhere else.

That is what makes OkoBot different from the usual fake-download trap. It does not always need to persuade someone that an imitation wallet app is real.

It can compromise the Windows computer first, wait for the legitimate app to open and place the lie inside a trusted window.

Kaspersky’s Global Research and Analysis Team published the technical findings this week after reconstructing a four-stage operation with more than 20 malicious payloads and implants.

The campaign has been active for more than a year and was still evolving when the researchers published their report.

The investigation began in January after analysts found several attacks capturing the contents of cryptocurrency-wallet windows. They traced the larger operation back through TookPS activity first observed in March 2025 and found that its delivery chain had been redesigned by late April.

A newer version appeared in March 2026 with components removed, replaced and pushed through a plugin dispatcher. That evolution, plus live command infrastructure at publication, led Kaspersky to describe OkoBot as an actively maintained framework rather than a single abandoned sample.

Nothing in the findings shows that Ledger or Trezor hardware cryptography was broken. The operation compromises the Windows host and targets the person operating the device.

That distinction is reassuring only up to a point.

A hardware wallet is built to keep private keys away from an internet-connected computer. It cannot protect a recovery phrase that its owner voluntarily types into malware.

OkoBot’s path onto a computer can begin far away from a wallet.

Kaspersky identified two main entry routes: ClickFix social engineering and malicious software on GitHub disguised as a legitimate program.

ClickFix attacks typically present a fake problem and then instruct the user to copy or run a command that supposedly repairs it. The “fix” is the infection.

In one OkoBot example, a GitHub repository posed as a download for Microsoft SQL Server Management Studio. The package was actually a legitimate copy of the Audacity audio editor compiled with a malicious implant hidden in one of its libraries.

The repository looked polished, used an official-style installation guide and ranked prominently in search results for the software name. It existed from late March through June 2025.

That old repository is no longer the current threat. It shows how the operators earned the first moment of trust.

Both infection routes launched a malicious PowerShell downloader called TookPS. From there, the attack installed and configured SSH, connected the victim’s machine to attacker-controlled infrastructure and opened a path for an automated bot to come back later.

The bot gathered the Windows username, antivirus software, IP address and operating-system details. It harvested wallet files, browser cookies, profiles and other credentials through the tunnel.

It also disabled Windows Defender notifications, opened Remote Desktop access, created another user and established persistence through an hourly scheduled task named “Apple Sync.”

The friendly name hid a reverse tunnel that kept remote access alive.

OkoBot was not designed as a single wallet stealer. It was built as a modular control system that could deliver different tools after the computer had already been compromised.

Researchers found command-line and PowerShell modules, an environment scanner, a downloader and a process injector. Four additional implants handled hidden browser extensions, seed-phrase theft, keylogging and screen recording.

The seed-stealing component is called SeedHunter.

It watches for Trezor Suite, Ledger Wallet and Ledger Live processes, then injects code into the Electron framework used by those desktop applications.

The attackers can order the fake recovery page to appear immediately. They can also tell SeedHunter to wait.

In waiting mode, the malware scans for the USB identifiers associated with a connected Ledger or Trezor device. Once it sees one, it displays a wallet-specific recovery page inside the running app.

That timing is the weapon.

A person who just plugged in a hardware wallet is primed to believe that the next screen is part of a normal device check. The malware turns a real physical action into evidence for a fake software request.

Simply connecting the device does not reveal the seed.

The theft occurs when the victim enters the recovery words into the counterfeit form. SeedHunter then sends the phrase to its command server with information about the wallet app, device and malware build.

It also stages an encrypted copy on the infected computer.

That boundary matters because it leaves the user one decisive chance to stop the attack.

An unexpected seed or wallet-backup request should end the session. Do not type the words.

Disconnect the hardware wallet, take the Windows machine offline and treat the computer as compromised until it has been properly examined or rebuilt.

The infection can still do damage even if the recovery screen fails.

OkoBot includes a keylogger that records typed input, clipboard activity, connected USB devices and screenshots. Another implant, OkoSpyware, can record video and keystrokes from the windows of more than 100 applications.

Kaspersky specifically identified Exodus, Litecoin QT, KeePassXC and 1Password among the watched programs. The spyware also looks for browser-window titles associated with MetaMask and Tonkeeper.

Those examples are not a complete target list. They show that the operation reaches beyond two hardware-wallet brands and into the wider collection of tools a crypto owner may use.

The hidden browser-extension loader adds another layer. It can install malicious extensions into Chromium-based browsers, grant permissions and hide the extensions from the normal installed-extension view.

That gives OkoBot several routes to valuable data: a recovery phrase, an unlocked password manager, browser credentials, wallet files, clipboard contents or a remote desktop session.

Kaspersky detected hundreds of affected users across more than 25 countries between April 2025 and June 2026. Brazil, Vietnam, Canada, Mexico and Türkiye were the leading countries named in its telemetry.

Those figures are not a global victim census.

The researchers did not publish an exact infection total, a count of stolen recovery phrases, a drained-wallet total or a dollar-loss estimate. “Hundreds of victims” describes what Kaspersky observed, not every machine OkoBot may have reached.

The operators also remain unidentified.

Kaspersky found clues associated with Russian-speaking crimeware circles: servers blocked connections from Russia and other Commonwealth of Independent States countries, one component circulates on Russian-language criminal forums and Russian comments appeared in the seed-phishing source code.

Those signals do not prove a nationality, a named criminal group or state sponsorship. Kaspersky said it could not attribute the campaign to a known actor.

The more useful conclusion is operational.

Owning a hardware wallet does not make an infected computer safe. Verifying a download once does not make everything later displayed inside the application trustworthy.

The computer and the signer are separate security zones, and OkoBot attacks the seam between them.

Ledger’s own security guidance says the Ledger recovery phrase should never be entered into an application, computer, smartphone or other internet-connected device. The company says the genuine Ledger Live app will not request it.

Ledger says the words belong only on a legitimate hardware wallet during a recovery the owner intentionally starts. Saving them in a photo, note or encrypted computer file still exposes them to malware running on an ordinary internet-connected machine.

The company also treats even brief entry on an internet-connected device as a permanent security failure for every account derived from those words. Its recommended response is to move the assets, reset the signer, generate a new phrase and never reuse the words that touched the computer.

Trezor recovery procedures vary by device, which is why blanket advice about every word-entry screen can be misleading. A legitimate recovery is a process the owner deliberately starts and should be performed only through the exact steps for that model on Trezor’s official support site.

A surprise recovery request that appears after an ordinary connection is not a reason to improvise.

If a recovery phrase has already been typed into an internet-connected computer, assume it is exposed. Ledger recommends moving the assets to a new wallet generated with a new phrase, using a clean and trusted environment.

Speed matters, but so does avoiding a second mistake. Reusing the exposed words on a newly reset device does not make them secret again.

The infection route deserves the same attention as the wallet request.

Download desktop tools from the vendor’s official domain, not a search result or a repository that merely looks professional. Do not paste commands from a pop-up “fix.” Keep Windows and security software updated, and do not disable protection because an installer says it is necessary.

Transaction approval still belongs on the hardware device. Check the destination and amount on the signer’s own screen instead of relying on the computer alone.

OkoBot succeeds by borrowing trust from real things: a real app, a real USB connection, a real GitHub page and a real piece of software carrying a hidden implant.

The defense begins with one rule that survives all of those disguises.

If a computer asks for the words that can recreate the wallet, the answer is no.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.