Key facts
- A macOS malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets.
- The malware harvests credentials from the macOS Keychain, Safari cookies, Apple Notes, and Telegram Desktop.
- It targets both software wallets (Exodus, Atomic, Electrum) and hardware wallet applications (Ledger Live, Trezor Suite).
- The malware bypasses Telegram's two-step verification by reusing authenticated local sessions.
- Attackers can decrypt stolen wallet databases offline or trick users into revealing recovery phrases through fake applications.
A newly identified macOS malware is capable of hijacking Telegram Desktop sessions and compromising cryptocurrency wallets, according to blockchain security firm SlowMist. The malware operates by harvesting sensitive data from the macOS Keychain, Safari cookies, Apple Notes, and Telegram Desktop databases. It also targets databases associated with over a dozen cryptocurrency wallets.
After collecting passwords and authenticated sessions, the malware copies users’ authenticated Telegram Desktop session data, wallet databases, and browser wallet extension data. SlowMist explained that attackers can then attempt to decrypt the stolen wallet databases offline using the harvested passwords or replace legitimate Ledger and Trezor applications with fake versions. These fake applications are designed to trick users into entering their recovery phrases.
The malware combines multiple techniques into a coordinated attack chain, enabling attackers to pursue various methods for compromising cryptocurrency accounts and wallets. It specifically targets software wallets including Exodus, Atomic, Electrum, Wasabi, and Monero, as well as hardware wallet applications such as Ledger Live and Trezor Suite. Additionally, it searches for wallet data stored by full-node clients like Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.
According to SlowMist, Telegram's two-step verification does not prevent this attack because the malware reuses an authenticated local session rather than initiating a new login. Researchers successfully restored stolen Telegram Desktop session data on another Mac without needing a phone number, verification code, or two-step verification password. SlowMist advises users who suspect their devices may be compromised to immediately terminate existing Telegram sessions, establish a new trusted login, and change both their Telegram two-step verification password and Telegram Desktop Passcode. The firm also recommends generating a new recovery phrase on a clean device and transferring all assets to new addresses.