New crypto malware tricks you into running it yourself — the ‘fake job’ and ‘ClickFix’ traps
Security researchers have flagged a wave of crypto-stealing malware that shares one trick: instead of hacking you, it ge…
Security researchers have flagged a wave of crypto-stealing malware that shares one trick: instead of hacking you, it gets you to run the malicious code yourself. Kaspersky named one new framework “OkoBot,” and the security firm SlowMist described fake job offers aimed at crypto developers. Both are worth knowing so you do not fall for them.
Start with OkoBot. Kaspersky says it has been used in attacks since January 2026 and can steal crypto wallet files, browser data and passwords, and even slip malicious browser extensions onto your device. It usually begins with social engineering — a technique called “ClickFix” that tricks you into copying and running a command, or a fake app downloaded from what looks like a normal GitHub project.
The fake-recruitment version works differently. SlowMist described attackers posing as Web3 recruiters on LinkedIn who send a “GitHub project” and ask you to download and run it before an interview, supposedly as a demo to try out. It looks exactly like a normal technical interview, which is why it works. Running the code installs a remote-access trojan that can steal wallet data, project keys and cloud logins.
The common thread runs through all of these campaigns — including a recent one that hijacked Telegram on Mac to phish recovery phrases. In each case the victim is persuaded to take the final step themselves: a link, a command, a repository to run “just to check.” Once you run it, the attacker is already inside.
So here is the beginner defense. Never paste and run a command you do not fully understand, and do not download and launch code from a stranger — a recruiter, a “support agent,” a helpful direct message. Keep larger holdings in a wallet you do not connect to unknown apps, and remember that no legitimate service will ever ask for your seed phrase or recovery words. This is information, not advice: when someone rushes you into running something, that urgency is the attack.