OkoBot Malware Hijacks Ledger and Trezor Apps to Steal Crypto Recovery Phrases

A Windows malware framework active since April 2025 waits for victims to open their hardware wallet software, then fakes a prompt for the 24 words that unlock everything.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal editorial shot of a small metallic cryptocurrency hardware wallet plugged into a laptop USB port on a dark wooden desk, faint
Share

Key points

  • OkoBot is a Windows malware framework that has been active since April 2025 and now targets cryptocurrency hardware wallets.
  • One OkoBot module injects a fake recovery-phrase prompt directly into the real desktop apps used by Ledger and Trezor wallet owners.
  • The malware sometimes waits until the victim physically plugs in their hardware wallet before showing the fake prompt, making it look legitimate.
  • Anyone who types their 12 to 24 word recovery phrase into that prompt hands the attackers full control of their crypto funds.
  • Hardware wallet makers have long warned that a genuine device will never ask for the recovery phrase inside a computer app.

A malware toolkit called OkoBot has been quietly running on Windows computers since April 2025, and its latest trick is aimed squarely at people who thought they were doing the safe thing with their cryptocurrency.

OkoBot is what researchers call a framework: a piece of malicious software that can load different modules for different jobs. One of those modules, first reported by The Hacker News, goes after owners of hardware wallets. These are the small USB devices, made by companies like Ledger and Trezor, that people buy specifically to keep their crypto offline and out of reach of hackers.

Here is what makes this attack nasty.

On an infected PC, the victim opens the real wallet app they downloaded from the manufacturer. The app looks normal. But OkoBot has injected a fake page into it. That page asks for the recovery phrase, the string of 12 to 24 words that acts as the master key to the wallet.

Sometimes OkoBot waits. It only shows the fake prompt after the victim plugs in their physical wallet device. That timing is deliberate. It makes the request feel like a natural part of using the wallet.

Why would anyone type in their recovery phrase?

Because the request looks like it is coming from software they trust. The app around the malicious page is the genuine one, installed from the real vendor. To an ordinary user, there is nothing obviously wrong. The window has the right colours, the right logo, the right feel.

That is the whole point of the attack. Hardware wallets exist precisely so the recovery phrase never touches an internet-connected computer. The moment those words are typed into a PC, especially one already carrying malware, the wallet is no longer secure. An attacker with the phrase can rebuild the wallet on their own machine and drain the funds.

What crypto owners should do right now

The rule from both Ledger and Trezor has not changed, and this campaign is exactly why they repeat it. A genuine hardware wallet will never ask you to type your recovery phrase into a computer or a phone. Not during setup after the first time. Not to verify anything. Not to unlock a feature. Never.

If a wallet app on your PC shows a screen asking for those words, the safe assumption is that your computer is infected. Do not type the words in. Do not photograph the screen. Move any funds using a clean device, then reset the infected machine.

It is also worth checking how OkoBot gets on to a computer in the first place. Malware frameworks like this one usually spread through cracked software, fake installers, malicious ads, and phishing, where criminals send convincing emails or messages to trick people into downloading something bad. Sticking to official download sources and keeping Windows and antivirus tools up to date closes off most of those routes.

OkoBot is still being tracked, and the crypto-stealing module is only one of the jobs the framework can be told to do. Expect more modules, more targets, and more variants as the operators iterate.

For now, the practical takeaway is small and boring and effective: if a computer asks for your recovery phrase, the computer is lying.

© 2026 Threat Vectr