New macOS Infostealer Targets Cryptocurrency Wallets with Offline Attack Chain
Security researchers at SlowMist have uncovered a sophisticated macOS-focused infostealer designed to harvest credentials, wallet databases, and session data for offline cryptocurrency theft. Detected by the MistEye monitoring system, the malware casts a wide net, extracting sensitive information from Apple Keychain, Safari and Chromium browsers, Telegram Desktop, Apple Notes, and multiple wallet applications including Electrum, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Ledger Live, and Trezor Suite.
The malware’s primary threat lies in its ability to pair stolen wallet databases with potential unlocking material, such as passwords from Keychain or browser stores. While most wallet apps encrypt data locally, attackers can test harvested credentials against exfiltrated wallet files in an isolated environment, bypassing the limitations of online password-guessing attacks. SlowMist demonstrated this by successfully decrypting Atomic Wallet data using a password obtained from the victim’s Keychain. Once a wallet’s recovery phrase or private key is extracted, simply reinstalling the app or changing its password offers no protection.
The malware also employs social engineering tactics, including a fake "Google API Connector" update prompt to capture the victim’s macOS password. It validates credentials using the dscl authentication utility, ensuring attackers obtain the correct login details. Additionally, it targets Chrome Safe Storage secrets from Keychain, which can decrypt stored browser logins and cookies.
Telegram users face a separate risk: the stealer copies the tdata directory, containing encryption keys and session state. In lab tests, restoring these files on a compatible Mac immediately granted access to the victim’s account without requiring SMS codes or two-factor authentication effectively hijacking an active session. Stolen tdata artifacts could also be converted into programmable Telegram API sessions, enabling full chat access.
For Ledger Live and Trezor Suite users, the malware deploys phishing pages disguised as legitimate wallet applications. After removing the real software, it installs lookalike WebView loaders that connect to attacker-controlled sites, tricking victims into entering recovery phrases or PINs under the guise of trusted desktop apps.
The campaign highlights how infostealers exploit the interplay between credentials, encrypted local stores, and user trust. While a stolen wallet database alone may be secure, pairing it with Keychain secrets and reused passwords creates a portable target for offline decryption. Indicators of compromise (IOCs) include malicious domains and IP addresses linked to the phishing infrastructure.
Source: https://gbhackers.com/hackers-pair-stolen-wallet-databases/
Electrum Bitcoin Wallet cybersecurity rating report: https://www.rankiteo.com/company/electrum-bitcoin-wallet
Exodus cybersecurity rating report: https://www.rankiteo.com/company/exodus-io
Ledger cybersecurity rating report: https://www.rankiteo.com/company/ledgerhq
Trezor cybersecurity rating report: https://www.rankiteo.com/company/trezor
"id": "ELEEXOLEDTRE1784199019",
"linkid": "electrum-bitcoin-wallet, exodus-io, ledgerhq, trezor",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': ['Cryptocurrency', 'Finance'],
'type': 'Individual Users'}],
'attack_vector': ['Social Engineering', 'Phishing', 'Fake Software Updates'],
'data_breach': {'data_encryption': ['Local Wallet Encryption',
'Chrome Safe Storage'],
'data_exfiltration': True,
'file_types_exposed': ['Wallet Databases',
'Keychain Data',
'Browser Data',
'Telegram `tdata` Directory',
'Apple Notes'],
'personally_identifiable_information': ['Recovery Phrases',
'Private Keys',
'Browser Logins',
'Cookies'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Wallet Databases',
'Session Data',
'Encryption Keys',
'Recovery Phrases',
'Private Keys',
'Browser Logins',
'Cookies']},
'description': 'Security researchers at SlowMist have uncovered a '
'sophisticated macOS-focused infostealer designed to harvest '
'credentials, wallet databases, and session data for offline '
'cryptocurrency theft. The malware extracts sensitive '
'information from Apple Keychain, Safari and Chromium '
'browsers, Telegram Desktop, Apple Notes, and multiple wallet '
'applications. It pairs stolen wallet databases with potential '
'unlocking material, such as passwords from Keychain or '
'browser stores, to decrypt wallet data in an isolated '
'environment. The malware also employs social engineering '
"tactics, including a fake 'Google API Connector' update "
'prompt to capture the victim’s macOS password and targets '
'Chrome Safe Storage secrets. It hijacks Telegram sessions by '
'copying the `tdata` directory and deploys phishing pages for '
'Ledger Live and Trezor Suite users.',
'impact': {'data_compromised': ['Credentials',
'Wallet Databases',
'Session Data',
'Encryption Keys',
'Recovery Phrases',
'Private Keys',
'Browser Logins',
'Cookies'],
'identity_theft_risk': 'High',
'payment_information_risk': 'High',
'systems_affected': ['macOS']},
'investigation_status': 'Ongoing',
'lessons_learned': 'Infostealers exploit the interplay between credentials, '
'encrypted local stores, and user trust. Pairing stolen '
'wallet databases with Keychain secrets and reused '
'passwords creates a portable target for offline '
'decryption. Users should avoid reusing passwords and '
'enable multi-factor authentication where possible.',
'motivation': 'Financial Gain',
'post_incident_analysis': {'root_causes': ['Exploitation of Keychain and '
'browser storage for credentials',
'Social engineering tactics',
'Phishing via fake wallet '
'applications']},
'recommendations': ['Avoid reusing passwords across services',
'Enable multi-factor authentication for all accounts',
'Regularly monitor wallet and account activity',
'Be cautious of fake software updates and phishing pages',
'Use hardware wallets for cryptocurrency storage',
'Keep software and operating systems updated'],
'references': [{'source': 'SlowMist'}],
'response': {'third_party_assistance': 'SlowMist (Security Researchers)'},
'title': 'New macOS Infostealer Targets Cryptocurrency Wallets with Offline '
'Attack Chain',
'type': 'Infostealer Malware'}