A sophisticated macOS information-stealing malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets by harvesting sensitive credentials and authenticated session data, according to blockchain security firm SlowMist. The discovery highlights a coordinated attack chain that combines multiple techniques to target both software and hardware wallet applications, posing a significant threat to crypto investors using Apple devices.
The malware operates by extracting data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases associated with more than a dozen cryptocurrency wallet applications. Once the malware gains access to a compromised device, it systematically collects passwords and authenticated sessions, then copies users’ Telegram Desktop session data, wallet databases and browser wallet extension information for offline analysis.
SlowMist researchers reproduced the complete attack chain in an isolated environment to demonstrate the vulnerability. The security firm found that attackers can attempt to decrypt stolen wallet databases offline using passwords harvested from the infected device. In more aggressive scenarios, attackers can replace legitimate Ledger and Trezor applications with fake versions designed to trick users into entering their recovery phrases, effectively gaining complete control over their digital assets.
The malware targets a wide range of popular cryptocurrency applications. Software wallets including Exodus, Atomic, Electrum, Wasabi and Monero are all vulnerable, as are hardware wallet applications such as Ledger Live and Trezor Suite. The malware also searches for wallet data stored by full-node clients including Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core, expanding the potential impact across the crypto ecosystem.
See also: Florida Man Arrested for Video Game Malware Scheme That Stole $220K in Crypto
One particularly concerning aspect of this threat is that Telegram’s two-step verification does not prevent the attack. The malware reuses an authenticated local session instead of creating a new login, bypassing standard security measures. In tests, SlowMist researchers successfully restored stolen Telegram Desktop session data on another Mac without entering a phone number, verification code or two-step verification password, demonstrating a critical security gap.
This follows a pattern seen in related coverage of malware schemes that stole significant amounts of cryptocurrency, showing how attackers continue to evolve their tactics to compromise digital assets across multiple platforms and applications.
SlowMist has issued urgent recommendations for users who suspect their devices have been compromised. The security firm advises immediately terminating all existing Telegram sessions, establishing a new trusted login and changing both the Telegram two-step verification password and Telegram Desktop Passcode. Users should also generate a new recovery phrase on a clean device and transfer all assets to new addresses to prevent unauthorized access.
See also: Crypto Advisors Must Strengthen Defenses Against AI-Powered Fraud Schemes
The discovery underscores the importance of maintaining robust cybersecurity practices across all devices used for cryptocurrency management. Crypto investors should remain vigilant about potential malware infections and consider implementing additional security measures such as using hardware wallets in isolation, maintaining separate devices for sensitive operations and regularly monitoring account activity for suspicious behavior.
Security researchers and industry experts continue to emphasize that no single security measure can provide complete protection against sophisticated malware. According to recent analysis on strengthening defenses against fraud schemes, a multi-layered approach combining technical controls, user education and operational security practices remains essential for protecting cryptocurrency holdings.
The macOS malware threat represents a broader challenge facing the cryptocurrency industry as attackers develop increasingly sophisticated methods to compromise digital wallets and steal user credentials. As the crypto ecosystem continues to mature, security remains a critical concern for both individual investors and institutional participants seeking to protect their digital assets from evolving threats.
More Reads:
SBI Group Acquires Coinhako, Accelerates Asia’s First Cross-Border Digital Asset Empire
Crypto Advisors Must Strengthen Defenses Against AI-Powered Fraud Schemes
If you’re reading this, you’re already ahead. Stay there, by joining the…
Dipprofit’s private Telegram community
Discover more from Dipprofit
Subscribe to get the latest posts sent to your email.






