macOS malware hijacks Telegram, targets crypto wallets

Editorial illustration for: macOS malware hijacks Telegram, targets crypto wallets with coordinated attack chain

In brief

  • macOS malware harvests passwords, session data, and wallet databases from infected devices
  • Attackers decrypt stolen wallets offline or deploy fake hardware wallet app replacements
  • Telegram two-step verification fails because malware reuses authenticated sessions
  • SlowMist recommends terminating sessions, changing passwords, and regenerating recovery phrases on clean devices

Attack chain targets multiple wallet types

The malware's coordinated attack chain combines multiple techniques to compromise cryptocurrency accounts. After collecting passwords and authenticated sessions, the malware copies users' authenticated Telegram Desktop session data, wallet databases and browser wallet extension data. SlowMist reproduced the attack chain in an isolated environment to confirm the threat.

The malware targets software wallets including Exodus, Atomic, Electrum, Wasabi and Monero, as well as hardware wallet applications such as Ledger Live and Trezor Suite. It also searches for wallet data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core. This broad targeting means users across multiple wallet ecosystems face risk.

How attackers exploit stolen credentials

Once malware harvests passwords from the infected device, attackers can attempt to decrypt the stolen wallet databases offline. They can also replace legitimate Ledger and Trezor applications with fake versions that trick users into entering their recovery phrases. This multi-pronged approach gives attackers several paths to compromise cryptocurrency holdings.

Telegram two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login. In tests, researchers restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code or two-step verification password. This session hijacking bypasses standard authentication protections entirely.

SlowMist urged users who suspect their devices have been compromised to immediately terminate existing Telegram sessions and establish a new trusted login. The company also recommended changing both their Telegram two-step verification password and Telegram Desktop Passcode.

For cryptocurrency accounts, SlowMist recommended generating a new recovery phrase on a clean device and transferring all assets to new addresses. These steps mitigate the risk of offline wallet decryption or subsequent phishing attacks using compromised credentials.