Crypto World
UK Sentences Two Tied to $115M Crypto Ransom, Public Transport Breach
The United Kingdom National Crime Agency (NCA) and City of London Police said two men associated with the “Scattered Spider” hacking group were sentenced to five years and six months in prison.
The two pleaded guilty during their first court appearance at Woolwich Crown Court on June 22 and were sentenced on Thursday, according to a press release from the NCA.
British authorities said the pair were part of the Scattered Spider cybercrime group, which investigators have linked to high-profile ransomware and cryptocurrency extortion attacks targeting companies in the UK and the US.
The hacking group was linked to the infiltration of London’s public transport network in September 2024, leading to a reported 29 million British pounds ($38.9 million) in losses and recovery costs.
US prosecutors linked the Scattered Spider group to collecting $115 million in crypto ransom payments from at least 47 US companies, according to a September press release from the Department of Justice (DOJ).
The group was also accused of breaching Caesars Entertainment and stealing a large customer database in September 2023, prompting the company to pay a $15 million ransom in Bitcoin (BTC).
US prosecutors said the group’s attacks disrupted businesses and organizations nationwide, including critical infrastructure and the federal court system.

Source: Dark Web Informer
Related: MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
FBI seized $36 million from Scattered Spider-linked wallets
In July 2024, the FBI seized about $36 million worth of cryptocurrency from Scattered Spider-linked wallets, according to the DOJ’s September release.
According to the DOJ, investigators linked the group to at least 120 computer network intrusions. It said the FBI traced and seized digital assets tied to wallets allegedly controlled by members of the group as part of its investigation.
“These malicious attacks caused widespread disruption to US businesses and organizations, including critical infrastructure and the federal court system, highlighting the significant and growing threat posed by brazen cybercriminals,” said Matthew Galeotti, then acting assistant attorney general of the Justice Department’s Criminal Division.
Magazine: Does Botanix’s failure prove Bitcoiners don’t care about DeFi?
Crypto World
France Blocks Polymarket Ahead of World Cup 3rd Place Match
France’s gambling regulator has ordered internet providers to block access to Polymarket. The order comes days before Les Bleus face England in the FIFA World Cup 2026 bronze medal match.
The National Gambling Authority, known as the ANJ, has labeled the platform an illegal betting operation. It also flagged manipulation risks just as the prediction interest around the fixture builds.
France’s Regulator Moves to Cut Off Access
The ANJ’s president instructed French internet providers to block Polymarket entirely, calling the platform’s offering illegal. The regulator said Polymarket attracts a particularly large audience while promoting an illegal gambling and betting offering.
The agency also flagged manipulation risks tied to some Polymarket wagers. That adds pressure on a platform facing scrutiny across Europe’s Polymarket bans. The Netherlands already threatened steep fines earlier this year.
A Pattern Stretching Well Beyond France
France now joins a lengthening list of regulators pushing back. Kentucky’s attorney general filed a prediction market lawsuit against Polymarket and Kalshi this year. Australia tightened gambling ad restrictions around live sports broadcasts.
Polymarket, meanwhile, has kept courting friendlier jurisdictions. The company is reportedly pursuing a Japan approval push, targeting Tokyo by 2030.
The split shows a clash between wary regulators and Polymarket. Regulators worry about consumer harm. Polymarket insists its contracts serve legitimate price discovery, not gambling.
Bettors Still Favor Les Bleus
None of that scrutiny has cooled interest in today’s third-place playoff. That mirrors a broader surge in World Cup prediction markets throughout the tournament. Polymarket’s live market prices France at 67 cents to beat England. That implies roughly a 67% chance for Les Bleus.
The French ban does not reach bettors abroad. But it signals regulators are no longer willing to wait for prediction markets to police themselves. Whether Polymarket adapts its French offering or simply walks away remains an open question heading into kickoff.
The post France Blocks Polymarket Ahead of World Cup 3rd Place Match appeared first on BeInCrypto.
Crypto World
Here Are Four Important Crypto Stories You Might Have Missed This Week
It’s easy to get lost in the sea of news coming daily in the cryptocurrency world, from bitcoin price volatility to regulatory battles in Washington and everything in between. Sometimes, interesting stories are just passed by.
Here are four of the most intriguing news developments that went live in the past week and you might have missed.
North Korea-Linked Dev at MetaMask
According to an internal script obtained by Drop Site News, Consensys, the entity behind the popular Ethereum wallet MetaMask, confirmed that a consultant introduced through a third-party provider was later found to have links to North Korea. The reason for concern is that the country’s authorities have long employed hackers to infiltrate popular cryptocurrency projects, find or insert vulnerabilities, and later exploit them for their own benefit.
The developer in question worked with MetaMask for about a month and contributed to code related to the wallet before their access was terminated. Consensys said it temporarily suspended product releases to investigate the incident but found no evidence that assets or data were stolen, malicious code was deployed, or users were affected.
Knaken Goes Bankrupt
A Rotterdam court declared the local crypto exchange Knaken bankrupt after prosecutors alleged that approximately €7 million ($7.6 million) in customer funds were missing and could not be accounted for. Users were unable to access the platform for approximately a month since it halted operations in June.
The court concluded that Knaken did not have enough assets to repay all customers. This collapse comes at an intriguing time as the European Union just implemented its MiCA requirements, and it raises questions about how effectively the new regulatory framework can protect customers from platforms operating without the required authorization.
Injective Submits TA-1
The team behind the popular blockchain project said they submitted Form TA-1 to the US SEC to register as a transfer agent. If approved, Injective could maintain official ownership records for tokenized securities directly on-chain.
Transfer agents traditionally record ownership changes, process transfers, and help issuers maintain shareholder records. However, Injective’s new approach aims to represent a practical attempt to connect public blockchains with regulated US capital markets rather than simply using unregulated stock representations.
Injective has filed its transfer agent registration with the SEC, marking a major step towards becoming a leading blockchain with a regulated pathway to issue securities onchain.
This advances RWA market infrastructure in the New Internet Economy, right here in the US. pic.twitter.com/u97CMk1rBT
— Injective
(@injective) July 16, 2026
Robinhood Chain Gains ETH Traction
Robinhood Chain’s first couple of weeks of existence have been quite overwhelming, especially for Ethereum. Reports emerged a few days ago that over $70 million worth of the altcoin was already bridged to the newly launched chain.
These significant early inflows suggest impressive interest in the new ecosystem, but the real test will be whether the liquidity remains after this initial hype period and develops into sustained trading and application usage. Is this indeed demand for tokenized assets rather than short-term speculative activity?
The post Here Are Four Important Crypto Stories You Might Have Missed This Week appeared first on CryptoPotato.
Crypto World
$2.5 billion in BTC call spreads target $72,000 by the month end when the Fed meets
“This week we have seen some large blocks in BTC topside call spreads,” Jean-David Péquignot, chief commercial officer at Deribit, told CoinDesk.
Options flow of this size and repetition often reflects institutional positioning rather than retail activity, given the capital required and the precision of the strike selection.
The timing is notable for two reasons. First, it suggests confidence in bitcoin’s recent bounce to $64,000 from under $58,000 earlier this month. More importantly, the trade targets the July 31 settlement, two days after the Federal Reserve’s July 29 interest rate decision. The call spread flow suggests that at least some large traders expect the meeting to serve as a catalyst for a move toward $72,000.
Fed funds futures currently point to a hold at the July meeting, with most trackers putting the probability of the central bank keeping its benchmark rate unchanged at 3.5%-3.75% in the 75%-80% range. The remaining odds are split between a rate hike and, to a lesser extent, a cut.
Rate-hike fears have ebbed following June inflation data, which showed a sharp deceleration in price pressures at both the consumer and producer levels. Much of the relief traces to a sharp pullback in oil prices during the month, tied to a ceasefire between the U.S. and Iran; core inflation, which strips out food and energy, was flat.
Crypto World
Analyst Says Long-Term Bullish Setup Could Take Ethereum to $22K
Ethereum (ETH) could be entering the final stage of a long-term bullish pattern that eventually sees it go as high as $22,000, according to new analysis shared by pseudonymous crypto commentator NoName on July 17.
While the projection is highly speculative, it has added to a growing debate over whether ETH’s June lows marked the start of a broader recovery.
Analyst Points to Long-Term Chart Patterns After ETH Rebound
According to a chart the market watcher shared on X, since 2021, Ethereum has been building what technical analysts call an expanding diagonal, consisting of five waves, with each successive wave becoming larger than the last one. They pointed out that the first four waves were already done, with the fourth having found support between $1,072 and $1,385.
“That’s the floor this entire structure was building toward,” NoName explained, adding that expanding diagonals often end with a fifth wave that breaks above the previous cycle high. They also compared ETH’s structure to a historical Dow Jones Industrial Average (DJIA) fractal and said that both charts have a similar formation and could produce a similar breakout. Based on that interpretation, the projected target is anywhere from $12,000 to $22,000.
“Same structure, same resolution,” wrote the analyst. “Wave 5 target: 12k-22k.”
They also described ETH as “one of the most underpriced assets on the market” currently, suggesting that many people had given up on it, which could create an opportunity for long-term investors.
Another analyst, Crypto Patel, reached a similar conclusion using a different framework. In his version, he said that Ethereum has been following a Wyckoff accumulation pattern that could eventually lift the asset toward $10,000 by 2027 or 2028, provided the recent swing low around $1,500 remains intact. The trader also identified resistance between $2,400 and $2,600 and called it the first major hurdle the world’s second-largest cryptocurrency will have to overcome before any larger advance in its price could begin.
CryptoQuant contributor CW8900 also struck an optimistic note, sharing data showing that Ethereum wallets holding more than 100,000 ETH have gone back to green following the latest rebound. According to him, whales have only fallen into loss during major market bottoms, and their return to profit on many occasions has coincided with either a sustained rally or a meaningful short-term recovery.
The Other Side of the Coin
In June, ETH went very close to the $1,500 level, but softer-than-expected US inflation data released this week helped push it up to its highest level in a month and a half at $1,940 before sellers dragged it back below $1,900.
At the time of writing, CoinGecko data showed the asset trading close to $1,800, having dropped by about 5% in 24 hours but still up more than 3% during the past week.
But while those recent gains have improved sentiment, the market is not all rowing in the same direction. According to analyst Crypto Rover, a repeating 1,369-day cycle points to a scenario where ETH could move back below $1,500 before a lasting bottom forms.
The post Analyst Says Long-Term Bullish Setup Could Take Ethereum to $22K appeared first on CryptoPotato.
Crypto World
AI Future Forum 2026 in Dubai!
On December 1–2, 2026, in Dubai, alongside Blockchain Life 2026 — one of the world’s largest events for Web3, crypto, mining, and AI — the all-new AI Future Forum takes the stage.
Expect visionary founders, global investors, breakthrough AI projects, robotics, and the technologies that will shape the next decade of the digital economy.
With 15,000+ attendees from 130+ countries and 200+ industry-leading speakers, the AI Future Forum is set to become the world’s premier destination where AI, Web3, and crypto leaders come together to shape what’s next.
What awaits participants?
🔹 A full week of live networking with key players from around the world: 2 days of the forum, hundreds of side events, exclusive meetings, and the Formula 1 Grand Prix Final.
🔹 200+ top speakers: leading AI experts, founders of technology companies, investors, representatives of top AI startups, and leaders of the digital industry. The focus will be on the practical application of AI, its integration with crypto and business, and the technologies shaping the new digital economy.
🔹 A large-scale expo zone: 200+ leading companies in robotics, AI development, Web3 projects, and the most progressive startups.
🔹 The legendary AfterParty at one of Dubai’s top clubs with a globally known headline artist.
🔹 Startup Pitch – an opportunity to present your project to the international community and attract attention from investors and funds.
🎟️ One ticket. Two world-class events.
Exclusive limited offer! AI Future Forum ticket includes full access to Blockchain Life 2026.
🔥 Get 10% off with promo code WEB3DIGITAL before the prices go up:
Crypto World
Tokenization has become a strategic priority for 84% of financial firms
On Wednesday, DTCC completed its first live production trades involving tokenized securities, marking a major step toward bringing blockchain technology into traditional financial markets.
Broadridge’s findings suggest those efforts are influencing the broader industry. Sixty-eight percent of respondents said tokenization will at least partially reshape financial markets within the next three to five years, while nearly one-third plan to increase investment in tokenization projects by 26% to 50% or more over the next two years.
The survey also found firms are not preparing for an all-onchain future. Instead, 92% expect digital and traditional assets to coexist for the foreseeable future, and 69% plan to integrate tokenization into existing infrastructure rather than build separate blockchain-native systems.
That mirrors the approach taken by many large financial institutions, which have generally focused on connecting blockchain networks to existing trading, custody and settlement systems instead of replacing them.
Adoption remains uneven across the industry. Forty-four percent of capital markets firms said they already have tokenization initiatives in production or operating at scale, compared with 20% of asset managers and 9% of wealth managers.
The survey also pointed to where firms expect tokenization to gain traction first. About 80% of respondents believe tokenized mutual funds and money market funds will play a meaningful role within five years, reflecting the rapid growth of tokenized Treasury products. By comparison, only about half expect tokenized equities to achieve similar adoption over that period.
Crypto World
Kaspersky Flags Malware Framework Targeting Crypto Investors
Cybersecurity researchers are flagging a fresh wave of malware tactics aimed at people who hold, build, and advise on crypto-related software. Kaspersky, for instance, says it has discovered a new malware framework—dubbed OkoBot—that targets cryptocurrency investors by combining social engineering with data theft capabilities.
At the same time, SlowMist warns of a separate intrusion campaign that targets Web3 developers through seemingly legitimate recruitment messaging on LinkedIn, pushing victims to run poisoned code hosted on GitHub. Together, the incidents underscore how attackers are increasingly using everyday work routines—interviews, code trials, and app installs—as delivery mechanisms for malware.
Key takeaways
- OkoBot is designed to steal crypto-related data by harvesting wallet files, browser information, credentials, and injected browser or extension activity.
- Kaspersky says it has observed multiple OkoBot-linked attacks since January 2026, and that the framework evolved from an earlier campaign called TookPS.
- OkoBot’s infrastructure reportedly routes all payload delivery through an SSH tunnel, enabling remote data transport to attacker-controlled systems.
- SlowMist reports LinkedIn-based “recruiter” scams that deliver malicious GitHub repositories disguised as technical interview tasks for Web3 developers.
- The recruitment workflow mirrors legitimate developer interviews closely enough to lower suspicion, increasing the chance victims will run the malicious code.
OkoBot targets crypto holders through wallet and browser theft
In a report released this week, Kaspersky described OkoBot as a malware framework that kickstarts an infection chain using social engineering and “malicious app” delivery tactics. According to Kaspersky, the initial entry includes tricks such as ClickFix, which aims to persuade users to execute harmful commands, as well as trojanized GitHub applications that can introduce a backdoor to a compromised device.
Once a system is under attacker control, Kaspersky says OkoBot is capable of collecting sensitive information that is directly relevant to crypto ownership. The company reports that the malware can:
- Harvest cryptocurrency wallet files.
- Extract browser data and user credentials.
- Inject malicious extensions.
- Capture wallet application windows, potentially enabling theft through on-screen or session-related data.
Kaspersky also stated that it identified multiple attacks using this malware family since January 2026. For investors, the practical concern is not only that wallets could be accessed, but also that browser activity and stored authentication data can be used to move faster toward account takeovers or transfer operations.
How the infrastructure works: payload orchestration via SSH
A notable detail in Kaspersky’s analysis is that OkoBot allegedly differs from prior campaigns by how it manages its malicious payloads. Kaspersky said the framework orchestrates all 20 malicious payloads via an SSH tunnel, which supports remote transport of data from compromised computers to systems controlled by attackers.
That matters because it points to an operational model where the attacker retains strong control over follow-on stages after initial compromise. Instead of relying solely on static behavior, a tunneled architecture can help attackers adapt to victims and collect information more reliably, depending on what the malware finds on each host.
Kaspersky also described OkoBot as an evolution of TookPS, a malware campaign first identified in 2025 that distributed a Trojan downloader through fake software websites. By evolving from an earlier delivery approach and adding more coordinated payload handling, the OkoBot framework appears positioned to increase both infection success and post-compromise effectiveness.
LinkedIn recruitment scams push Web3 devs into running poisoned repositories
Separate research from SlowMist focuses on a different target set: Web3 developers. In a report published on Saturday, the firm said attackers are reaching developers through LinkedIn messages that impersonate Web3 recruiters.
SlowMist’s description of the workflow suggests attackers are deliberately choosing a high-trust, familiar entry point. After initial contact, victims are sent what appear to be fake GitHub repositories, framed as a “minimum viable product” that the developer should install and try before an interview.
The technique is effective, SlowMist argues, because it resembles a real technical interview process. The report notes that a legitimate developer workflow often involves pulling code, installing dependencies, and launching a project—steps victims naturally perform while preparing for an interview. In that environment, malicious code can be less obvious, especially if the victim does not expect a security risk from a repository “connected” to a recruiting conversation.
What attackers aim to steal from developer systems
SlowMist said the end goal is to deliver a complete remote access trojan to the victim’s device. Once established, the malware could enable attackers to steal sensitive materials associated with development and operations, including project keys, cloud credentials, or data tied to wallet extensions.
SlowMist also emphasized that the recruitment approach is part of a broader pattern: attackers are increasingly leveraging scenarios such as recruitment, code reviews, and project collaborations to trick developers into running malicious repositories. In other words, this is not only about deception, but also about timing—waiting for the moment a developer is likely to execute code as part of normal work.
Importantly, this LinkedIn-focused warning came after SlowMist reported another campaign targeting macOS users. That earlier effort, as SlowMist described it, aimed to steal credentials and hijack Telegram sessions in order to coerce victims into submitting wallet recovery phrases through fake websites. While the TTPs differ between the campaigns, both point to the same underlying threat: attackers are methodically chaining social engineering and credential theft to ultimately compromise crypto access.
Going forward, both reports suggest readers should watch for more “legitimate-looking” pathways into compromise—especially where code execution is requested via recruiters, interview workflows, or third-party repositories. For investors and developers alike, the immediate question is not only whether malware is present, but whether attackers can leverage everyday trust and authenticated sessions to reach wallet-relevant secrets quickly.
Crypto World
Adam Back Talks About Bitcoin BIP-110 Controversy. “Satoshi Was Not Retarded”
Adam Back, Blockstream’s CEO, dismissed claims that Satoshi Nakamoto backed BIP-110, a contested Bitcoin (BTC) soft fork proposal. He mocked its backers on X for failing to fund what he called a cypherpunk summer celebration.
The exchange unfolded on July 18, 2026, as the debate over BIP-110 proposal approaches a critical signaling deadline. Back predicted the fork attempt would collapse within weeks of that deadline.
Adam Back Questions the Satoshi Assumption
A user on X argued Nakamoto would still back BIP-110 if he were alive today. Back rejected the premise outright. He then questioned whether Nakamoto is even dead, calling it pure speculation either way.
Back also denied being Nakamoto himself. The remark reopened a long-running debate over Bitcoin governance and who speaks for its founding vision. Back has weighed in on this dispute before, in his earlier fork risk warning.
Bitcoin, meanwhile, traded near $63,944 on the Bitcoin price chart, up 1.43% in 24 hours.
BIP-110 Struggles to Gain Miner Support
BIP-110 would temporarily cap the size of arbitrary data miners can embed in Bitcoin transactions, targeting Ordinals-style inscriptions. However, miner backing has stayed minimal so far. Signaling data show just 0.86% of blocks in the current difficulty period support the proposal. That is far short of the 55% threshold needed for lock-in.
Back mocked the proposal’s backers directly, pointing to their failure to monetize the campaign.
sad part is we didnt manage to get the 110 fork to pay for the cypherpunk summer afterparty. no airdrop, no liquidity, no fork futures. no money where their mouth is. ofc as they too know it’s failed.
The comment, meanwhile, echoes the long-running BIP-110 dispute that has split developers for months.
What Happens When Signaling Turns Mandatory
Mandatory signaling begins around block 961,632, roughly three weeks from Friday’s chain tip near block 958,529. Back predicted the fork would stall almost immediately afterward.
He said the first mandatory signaling block would trigger an automatic split. Bitcoin nodes always follow the chain with the most cumulative work.
Miners would have little reason to keep mining once their chain fell behind, Back said. He compared the abandoned fork to a “Pompeii chain,” frozen as a monument to the attempt’s failure.
The prediction follows Back’s earlier pushback against separate claims that Bitcoin would effectively fire noncompliant miners in August.
It also lands alongside renewed chatter about Satoshi’s dormant coins, another flashpoint in the identity debate.
Whether BIP-110 activates or fades away may hinge on how many miners flip the switch once signaling turns mandatory.
The post Adam Back Talks About Bitcoin BIP-110 Controversy. “Satoshi Was Not Retarded” appeared first on BeInCrypto.
Crypto World
SpaceX Stock Sinks Below IPO Price: The Hype Is Over?
SpaceX (SPCX) shares slipped below their $135 initial public offering (IPO) price this week. The stock had peaked above $200 in the weeks following its record Nasdaq debut. Elon Musk dismissed the retreat and predicted the company will eventually outvalue Earth itself.
The stock was priced at $135 a share in June, raising $75 billion in the largest IPO on record. It has now lost roughly a third of its value from that peak. Short interest surged as the price fell.
SpaceX’s Bold Claim Meets a Falling Stock
Musk’s forecast followed a SpaceX stock crash that wiped billions from his fortune this month. Musk responded directly to entrepreneur Peter Diamandis on X.
Diamandis argued that all owned material wealth on Earth totals about $600 trillion. Space, in his view, holds nearly infinite quantities of the same resources.
Musk’s math rests on that comparison, though it hinges on SpaceX reaching goals he never specified. The claim, however, is not new. Musk floated a similar SpaceX outvalue Earth argument earlier this month, well before the stock tested its IPO floor.
Short Sellers Draw Musk’s Ire
Bearish bets against SpaceX climbed sharply as the stock fell. Short interest reportedly reached about 185 million shares, or 29% of the tradable float.
That figure stood at roughly 40 million shares just three weeks earlier. It represents close to $25 billion in bearish wagers. Short sellers already hold an estimated $8.7 billion in paper profits.
The rapid buildup followed SpaceX’s historic IPO, which also sparked a rally in tokens tied to Musk, including Dogecoin. One widely shared post mocked the Ivy League pedigrees of short sellers. Musk then issued a warning of his own on X.
He offered no evidence for that claim, and the stock kept sliding regardless.
What Comes Next for SpaceX
The stock now trades near a level flagged in a recent falling wedge pattern. That pattern points to a possible rebound toward $158. Investors will also watch August share unlocks. That date lets insiders sell shares for the first time since the IPO, adding potential fresh supply.
SpaceX also scrubbed a Starship test flight this week. Automated safety systems halted the countdown at T-minus zero after several Raptor engines failed to ignite. Musk said two engines need replacement, with the next attempt likely early the following week.
Musk has separately argued that the scarcity of goods and services will eventually disappear. It reflects a related piece of his broader worldview on abundance.
That vision, though, remains untested against SpaceX’s near-term performance. Short sellers, meanwhile, appear willing to bet against the stock before the unlock date arrives.
The post SpaceX Stock Sinks Below IPO Price: The Hype Is Over? appeared first on BeInCrypto.
Crypto World
Kaspersky Flags Malware Framework Aimed at Crypto Investors
Two separate cybersecurity reports point to a growing trend in crypto-related malware: attackers are no longer relying only on obvious phishing emails. Instead, they are moving closer to the workflows people already use—recruiting pipelines, developer code trials, and wallet-related software behavior.
Kaspersky says it has uncovered a cryptocurrency-targeting malware framework dubbed “OkoBot,” which initiates an infection chain through social engineering, malicious commands, and trojanized GitHub applications. Separately, SlowMist describes a campaign aimed at Web3 developers that starts with fake LinkedIn recruitment offers and ends with poisoned repositories designed to deliver remote access.
Key takeaways
- Kaspersky links the OkoBot framework to wallet theft activity, including harvesting wallet files and capturing browser and credential data.
- OkoBot is designed to steal assets by injecting malicious browser extensions and collecting wallet application windows, Kaspersky reports.
- SlowMist warns that fake “recruitment” messages are being used to trick developers into running malicious GitHub repositories that resemble legitimate interview tasks.
- SlowMist says the campaign’s goal is to deliver a remote access trojan that can exfiltrate project keys and cloud or wallet extension data.
- Both reports emphasize social engineering paths—ClickFix-like tactics or developer-targeted collaboration scenarios—that make the attacks harder to spot.
Kaspersky: OkoBot targets crypto investors through wallet and credential theft
In a report released this week, Kaspersky describes OkoBot as a malware framework built to compromise cryptocurrency investors by chaining together multiple stages of intrusion. The first step is not purely technical; it relies on social engineering methods intended to get victims to act.
According to Kaspersky, initial access can come from tactics such as ClickFix, a technique that aims to trick users into running malicious commands. Alternatively, attackers may deliver similar outcomes by distributing trojanized GitHub apps that include backdoors once installed.
After gaining a foothold, Kaspersky says OkoBot has capabilities specifically relevant to crypto users and their systems. The malware can harvest crypto wallet files, collect browser data and user credentials, and manipulate the victim’s environment by injecting malicious extensions. It also reportedly captures wallet application windows, which can give attackers a more direct path to stolen assets than credential theft alone.
Kaspersky added that it has observed multiple attacks involving the OkoBot malware family since January 2026, suggesting the framework is not a one-off operation but part of an active campaign.
Evolution from TookPS: more orchestration, more reach
Kaspersky also frames OkoBot as an evolution of a prior threat. The company says the malware framework evolved from “TookPS,” a campaign first identified in 2025 that distributed a Trojan downloader via fake software websites. That earlier stage matters because it signals a progression in how attackers deliver and manage malicious payloads: from initial trickery and download into a more structured compromise process.
A distinctive operational detail in Kaspersky’s account is how OkoBot manages its payloads. The report states that it orchestrates all 20 malicious payloads via an SSH tunnel, allowing remote transport of data from infected computers to infrastructure controlled by attackers.
For investors and defenders, this design choice matters because it can complicate incident response. Data exfiltration over an SSH tunnel may blend with normal encrypted traffic patterns, and the multi-payload architecture suggests victims may not see a single obvious “binary” responsible for damage.
SlowMist: fake LinkedIn recruiting and “try before interview” repositories
In a separate report, SlowMist describes another approach to malware delivery: it targets Web3 developers by disguising an attack as recruitment. Rather than sending victims a generic phishing link, attackers reportedly contact developers through LinkedIn while posing as Web3 recruiters.
SlowMist says the attackers follow up with instructions to download and run code from fake GitHub repositories. The bait is framed as a realistic recruitment process: the repository is presented as a “minimum viable product” that the developer should try before the interview, which aligns closely with how technical screenings often work.
The company notes that the workflow looks and feels like a genuine interview assignment: developers are expected to pull code, install dependencies, and launch the project. That resemblance is a key factor in why the attack can be difficult to detect—there may be no obvious sign that a “try it now” task is actually weaponized.
Remote access trojan goals: keys, credentials, and extension data
According to SlowMist, the end goal of the LinkedIn-and-GitHub tactic is to deliver a complete remote access trojan onto the victim’s device. Once installed, SlowMist says attackers can steal sensitive information relevant to Web3 work, including project keys, cloud credentials, or wallet extension data.
SlowMist also emphasizes that this is not an isolated tactic. The report argues that attackers are increasingly exploiting scenarios that encourage developers to run code—such as recruitment tasks, code reviews, and project collaborations—turning normal professional behavior into an infection vector.
It is also notable that SlowMist’s write-up arrives amid a broader pattern of recent warnings. The security firm had also previously cautioned about a separate malware campaign targeting macOS users, designed to steal credentials, hijack Telegram sessions, and ultimately pressure victims into entering wallet recovery phrases via fake websites.
For readers and builders, the common thread across both reports is the same: attackers are calibrating their intrusions to the moments when people are most likely to click “run,” install, or test code—whether that happens after a recruiter message on LinkedIn or after a malicious “app” appears to be a legitimate GitHub tool. The next thing to watch is whether these campaigns expand into more standardized tooling for developers and more automation for account-level compromise, since both Kaspersky and SlowMist describe activity that looks organized and iterative rather than sporadic.
-
NewsBeat2 days agoLondon Mayor Sadiq Khan handed a peerage by Keir Starmer alongside 15 other Labour figures… just days before the PM leaves No10
-
Fashion21 hours agoWeekend Open Thread – Corporette.com
-
Politics5 hours agoThe House | The City of London can help the new chancellor deliver growth in every postcode
-
Crypto World3 days agoCFTC blocks Kalshi from unwinding Michigan trades after court order
-
Politics3 days agoYoung campaigners urge incoming PM to act on outdoor junk food ads
-
Business3 days agoNvidia Stock Slips After Big Tuesday Rally as Huang Confirms Vera Rubin Chip Is Now in Production Today
-
Crypto World5 hours agoRipple Payments Joins MiCA With 14 Firms, Does It Mean Anything For XRP?
-
Entertainment3 days agoDisney’s Most Ambitious Failed Star Wars Attraction Is Coming to SDCC
-
Crypto World17 hours agoRipple wins EU-wide access as ESMA adds it to MiCA register
-
Tech4 days agoGet Your ESP32 Sunny Side Up With This Solar Dev Board
-
News Videos4 days agoXRP BOMBSHELL… XRP OMBOARDED FOR TRANSACTIONS!!!
-
Crypto World2 days agoInjective Submits SEC Transfer-Agent Registration to Onchain Ownership Records
-
Business2 days agoPalantir Shares Rise After Expanded Nvidia Partnership and Fresh Analyst Upgrades Ahead of Earnings Day
-
NewsBeat1 day agoRegistration is now open for March for Men with Kev 2026
-
Tech4 days agoDark Secrets Emerge When Jailbreaking LLMs
-
Sports3 days agoNew Cornerback Enters Vikings Trade Rumor Mill
-
News Videos1 day agoMoney | Class 12 Economics | CBSE Board Exam 2026-27
-
Business2 days agoBanco Bilbao Vizcaya Argentaria, S.A. (BBVA) Discusses Global Macro Environment and Economic Outlook for Core Markets Transcript
-
Tech5 days agoCloudflare Precursor Watches Your Mouse and Keyboard To Decide If You Are Human
-
NewsBeat10 hours agoDurham County Council to send out electoral registration emails

(@injective)
You must be logged in to post a comment Login