A malware framework tracked as OkoBot is injecting seed phrase phishing prompts directly into Ledger and Trezor applications, according to reporting from The Hacker News. The technique targets the two most widely used hardware wallet ecosystems, aiming to trick users into typing their recovery phrase into a fake in-app prompt rather than the hardware device itself.
This is the crypto-theft playbook maturing past browser extensions and fake wallet apps into something harder to spot: injection into the legitimate client software people already trust. Hardware wallets became popular precisely because they keep the seed phrase off any screen a hacker could compromise -- the entire security model depends on the device, not the app, ever asking for it. Malware that fakes an in-app request for that phrase isn't exploiting a crypto bug, it's exploiting the one habit users have been trained to drop their guard around: "the official app asked, so it must be fine." Expect copycat frameworks targeting other wallet brands once this pattern gets attention, the same way credential-phishing kits proliferate after one gets press.
The SAL read: no legitimate Ledger or Trezor prompt will ever ask you to type your seed phrase into a screen -- if any app does, that's not a UX glitch, that's the theft.
If your business holds any crypto treasury or lets employees use hardware wallets for company funds, put this in writing now: seed phrases are entered only on the physical device, never into any app, ever, no exceptions -- and verify every wallet app installation came from the official source before this week is out.