Friday, 17 July 2026 · World
USD/EUR 0.8735 USD/GBP 0.7415 USD/JPY 162.3 USD/CNY 6.78 All rates →
RSS
EUROS The World Financial Report
Nº 6 Friday, 17 July 2026 · World Edition
LATEST
Crypto

MacOS malware bypasses Telegram security to target crypto wallets

EUROS Newsroom · 59m ago · 2 min read
MacOS malware bypasses Telegram security to target crypto wallets

A new MacOS malware is hijacking Telegram sessions to steal funds from major cryptocurrency wallets, highlighting persistent security risks for digital asset investors who rely on self-custody.

A sophisticated MacOS information-stealing malware is hijacking authenticated Telegram Desktop sessions to compromise cryptocurrency wallets, according to blockchain security firm SlowMist. The attack chain directly targets investors utilizing self-custody solutions, undermining standard security protocols by bypassing two-factor authentication entirely.

For market professionals and retail investors who rely on Telegram for deal flow and project coordination, the vulnerability represents a critical operational risk. The malware does not attempt to initiate a new login. Instead, it copies authenticated local session data, allowing attackers to assume control of a user's Telegram account on a separate machine without ever requiring a phone number, verification code, or two-step verification password.

Once embedded on a machine, the software systematically harvests sensitive data from the macOS Keychain, Safari browser cookies and Apple Notes. Crucially for financial stakeholders, it specifically scans for databases associated with major digital asset storage infrastructure. The targets encompass widely used software wallets like Exodus, Atomic and Electrum, full-node clients such as Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core, and desktop applications for leading hardware wallets including Ledger Live and Trezor Suite.

SlowMist detailed that attackers leverage the harvested system-level passwords to attempt offline decryption of the stolen wallet databases. If offline decryption proves unsuccessful, the malware replaces legitimate Ledger and Trezor desktop applications with counterfeit versions designed to trick users into manually entering their recovery phrases. SlowMist confirmed the viability of this multi-pronged attack chain by successfully reproducing it in an isolated laboratory environment.

This discovery underscores the complex physical and software attack vectors facing digital asset holders who store significant capital on internet-connected personal computers. The ability to spoof hardware wallet interfaces is particularly alarming for institutional managers who prioritize cold storage security. Individuals and organizations suspecting device compromise must act immediately to contain potential losses. SlowMist advises terminating all existing Telegram sessions, establishing a new trusted login, and changing both two-step verification passwords and desktop passcodes. Furthermore, affected users must generate a new recovery phrase on a known-clean device and transfer all digital assets to newly generated wallet addresses.