New malware campaigns target crypto investors and Web3 developers
Cybersecurity researchers have uncovered highly targeted malware operations designed to steal digital assets and credentials from both crypto investors and blockchain developers, highlighting an escalation in operational risk for the sector.
Cybersecurity firms Kaspersky and SlowMist have separately detailed sophisticated malware campaigns targeting cryptocurrency holders and Web3 developers. The operations employ advanced social engineering to bypass traditional security defenses and directly drain digital funds or compromise critical infrastructure.
Kaspersky identified a malware framework dubbed OkoBot that has been actively targeting crypto investors since January 2026. The malware uses social engineering tactics like ClickFix or trojanized GitHub applications to establish a backdoor on a device. Once inside a system, it harvests crypto wallet files, browser data and user credentials. Attackers can also inject malicious browser extensions and capture wallet application windows to facilitate asset theft.
OkoBot evolved from a 2025 campaign known as TookPS. It represents a technical leap by routing 20 distinct malicious payloads through an SSH tunnel, allowing attackers to quietly transport stolen data from infected computers to remote servers. Kaspersky warned that this framework's structure opens the door for copycat attacks by other criminal groups.
A separate campaign flagged by SlowMist targets the human element of Web3 infrastructure: its developers. Attackers are posing as recruiters on LinkedIn and contacting blockchain engineers. They send fake GitHub repositories under the guise of a minimum viable product that candidates must test prior to a technical interview.
Because the process closely mirrors a legitimate development workflow—pulling code, installing dependencies and launching a project—the malware is exceptionally difficult to detect. It delivers a remote access trojan designed to steal project keys, cloud credentials and wallet extension data. “This attack is not an isolated case,” SlowMist wrote, noting that attackers are increasingly using “recruitment, code reviews and project collaborations to trick developers into actively running malicious repositories.”
For institutional investors and fund managers, these campaigns materially elevate operational risk. A compromised developer could expose the private keys of an entire decentralized finance protocol. Meanwhile, retail-focused malware like OkoBot threatens direct financial losses for market participants.
The threat environment is expanding across platforms. Just a day before its LinkedIn report, SlowMist warned of a separate malware campaign targeting macOS users. That operation steals credentials and hijacks Telegram sessions to trick investors into entering wallet recovery phrases on fake websites, further illustrating the lengths to which attackers are going to bypass standard security measures.