HomeEverythingEducationTV
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

macOS malware hijacks Telegram sessions, targets crypto wallets

Created at 17 Jul · 9:06 AM1 source↑ Market-relevant
IN SHORT

A macOS malware steals credentials to hijack Telegram sessions and compromise cryptocurrency wallets. It targets software and hardware wallets, including Exodus, Ledger, and Trezor, by harvesting data from the macOS Keychain and browser extensions.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Who's Involved

SlowMist
blockchain security firm that identified the macOS malware

↳ Why This Matters

This malware poses a significant threat to cryptocurrency users on macOS by exploiting vulnerabilities in both Telegram and wallet applications, potentially leading to substantial financial losses through credential theft and session hijacking.

Key facts

  • A macOS malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets.
  • The malware harvests credentials from the macOS Keychain, Safari cookies, Apple Notes, and Telegram Desktop.
  • It targets both software wallets (Exodus, Atomic, Electrum) and hardware wallet applications (Ledger Live, Trezor Suite).
  • The malware bypasses Telegram's two-step verification by reusing authenticated local sessions.
  • Attackers can decrypt stolen wallet databases offline or trick users into revealing recovery phrases through fake applications.

A newly identified macOS malware is capable of hijacking Telegram Desktop sessions and compromising cryptocurrency wallets, according to blockchain security firm SlowMist. The malware operates by harvesting sensitive data from the macOS Keychain, Safari cookies, Apple Notes, and Telegram Desktop databases. It also targets databases associated with over a dozen cryptocurrency wallets.

After collecting passwords and authenticated sessions, the malware copies users’ authenticated Telegram Desktop session data, wallet databases, and browser wallet extension data. SlowMist explained that attackers can then attempt to decrypt the stolen wallet databases offline using the harvested passwords or replace legitimate Ledger and Trezor applications with fake versions. These fake applications are designed to trick users into entering their recovery phrases.

The malware combines multiple techniques into a coordinated attack chain, enabling attackers to pursue various methods for compromising cryptocurrency accounts and wallets. It specifically targets software wallets including Exodus, Atomic, Electrum, Wasabi, and Monero, as well as hardware wallet applications such as Ledger Live and Trezor Suite. Additionally, it searches for wallet data stored by full-node clients like Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.

According to SlowMist, Telegram's two-step verification does not prevent this attack because the malware reuses an authenticated local session rather than initiating a new login. Researchers successfully restored stolen Telegram Desktop session data on another Mac without needing a phone number, verification code, or two-step verification password. SlowMist advises users who suspect their devices may be compromised to immediately terminate existing Telegram sessions, establish a new trusted login, and change both their Telegram two-step verification password and Telegram Desktop Passcode. The firm also recommends generating a new recovery phrase on a clean device and transferring all assets to new addresses.

Frequently asked questions

The malware harvests passwords, authenticated Telegram Desktop session data, browser wallet extension data, and databases associated with various cryptocurrency wallets.

It targets software wallets like Exodus, Atomic, Electrum, Wasabi, and Monero, as well as hardware wallet applications such as Ledger Live and Trezor Suite. It also searches for data from full-node clients like Bitcoin Core.

No, Telegram's two-step verification does not prevent the attack because the malware reuses an authenticated local session instead of creating a new login.

Users should immediately terminate existing Telegram sessions, establish a new trusted login, change their Telegram two-step verification password and Desktop Passcode, generate a new recovery phrase on a clean device, and transfer all assets to new addresses.

What Happens Next

01Users are advised to terminate existing Telegram sessions and establish new logins.
02Users should change their Telegram two-step verification password and Telegram Desktop Passcode.
03Users should generate a new recovery phrase on a clean device.
04Users should transfer all assets to new addresses.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

A macOS malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets.
The malware harvests data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop, and wallet databases.
Attackers can reuse authenticated Telegram Desktop session data to bypass two-step verification.
The malware targets software wallets like Exodus, Atomic, Electrum, Wasabi, Monero, and hardware wallet applications such as Ledger Live and Trezor Suite.
It also searches for wallet data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.
Attackers can attempt to decrypt stolen wallet databases offline or trick users into entering recovery phrases via fake applications.
Users suspecting compromise should terminate Telegram sessions, establish new logins, and change passwords.
Users are advised to generate a new recovery phrase on a clean device and transfer assets to new addresses.

Sources

T1
MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMistA macOS malware steals credentials to hijack Telegram sessions, decrypt cryptocurrency wallets or trick users into entering their wallet recovery phrases through fake applications.Cointelegraph

Related Stories

Florida Man Arrested for Crypto-Stealing Malware in Video Games
16 Jul · 11:00 AM
Ledger enables AI agents to manage crypto without holding private keys
16 Jul · 1:06 PM
US sanctions four Iran central bank crypto wallets; Tether freezes $131M
16 Jul · 10:11 AM
Bitcoin Q-Day Recovery Proposal Aims to Let Users Prove Ownership After Quantum Attack
16 Jul · 7:06 PM
FATF urges faster crypto AML enforcement as stablecoin crime increases
16 Jul · 12:16 PM