MacOS malware hijacks Telegram sessions to drain crypto wallets
A new strain of information‑stealing malware targeting macOS users is exploiting Telegram Desktop sessions to gain access to cryptocurrency wallets, according to blockchain security company SlowMist. By lifting credentials, decrypting wallet databases and pushing users toward fake wallet software, the malware enables attackers to seize control of digital assets with minimal interaction from the victim.
How the attack works
Once installed on a macOS device, the malware launches a broad data‑harvesting operation. It is designed to scrape:
– Items stored in the macOS Keychain (such as passwords and certificates)
– Browser cookies from Safari
– Notes saved in the Apple Notes application
– Local data from Telegram Desktop
– Databases and files associated with more than a dozen cryptocurrency wallets
With this information, the attackers can reconstruct authenticated sessions, guess or directly obtain passwords, and assemble everything needed to access funds stored in software and hardware wallets.
SlowMist notes that the malware focuses heavily on authenticated Telegram Desktop sessions. Instead of trying to break through Telegram’s remote login protections, it simply copies the session data from the compromised Mac and restores it on another machine. Because this session is already trusted and logged in, it bypasses normal security checks.
Telegram session hijacking sidesteps 2FA
A crucial aspect of the campaign is that Telegram’s two‑step verification (2FA) does not block this type of attack. The malware is not creating a new login; it is reusing an existing, locally authenticated session.
In a controlled test environment, researchers were able to export the Telegram Desktop session files from an infected Mac, move them to a second Mac and reopen the account without:
– Entering the phone number
– Supplying an SMS or in‑app verification code
– Providing the Telegram two‑step verification password
This effectively gives the attacker full access to the victim’s Telegram chats and any crypto‑related communications or credentials stored there, as well as access to channels, contact lists and potentially sensitive messages like seed phrases or private keys that users may have carelessly pasted into chats.
Targeting software and hardware wallets
SlowMist’s analysis shows the malware is tuned specifically for the crypto ecosystem. It searches for and targets data from popular software wallets, including:
– Exodus
– Atomic Wallet
– Electrum
– Wasabi Wallet
– Monero wallets
The malware also hunts for data associated with hardware wallet management applications such as:
– Ledger Live
– Trezor Suite
Beyond these, it scans for wallet information maintained by full‑node clients such as:
– Bitcoin Core
– Litecoin Core
– Dash Core
– Dogecoin Core
By copying these wallet databases and configuration files, attackers gain a snapshot of the victim’s wallet environment. The stolen files are then decrypted offline where possible, using passwords or hints pulled from the macOS Keychain, browser cookies, saved notes and Telegram data.
Fake wallet apps and recovery phrase theft
SlowMist warns that credential theft is only one part of the threat. The attackers can go one step further by swapping legitimate wallet applications with trojanized or counterfeit versions on the victim’s system.
For example, genuine Ledger Live or Trezor Suite installs can be replaced with look‑alike applications. These fake apps behave as expected on the surface but prompt users to “re‑enter” or “confirm” their recovery phrases as part of a bogus security check, migration step or version upgrade. Once the victim types in their seed phrase, the attackers effectively gain permanent control over all associated wallets and addresses.
This combination of stealthy data exfiltration and social engineering makes the malware particularly dangerous. Even if the password to a wallet database cannot be broken, one careless interaction with a fake application can hand the attackers everything they need.
Coordinated, multi‑stage attack chain
According to SlowMist, what sets this malware apart is the way it fuses several well‑known techniques into a cohesive, multi‑step attack chain. Instead of relying on a single weakness, it uses overlapping strategies:
1. Information theft from macOS Keychain, browser cookies, notes and local application data.
2. Session hijacking by copying authenticated Telegram Desktop session data.
3. Offline decryption of wallet files using harvested passwords.
4. Application replacement with forged wallet clients to trick users into revealing recovery phrases.
This layered approach gives attackers multiple paths to compromise cryptocurrency accounts. Even if one step fails-say, a wallet database remains encrypted-they can still attempt to phish the seed phrase through fake applications or Telegram messages sent from the victim’s own account.
Why Mac users are at risk
Many crypto traders and investors assume macOS offers stronger protection against malware than other desktop platforms. While macOS has robust built‑in security mechanisms, this incident underlines that it is not immune-especially when users grant broad permissions to untrusted apps or disable certain protections for convenience.
Attackers often exploit:
– Pirated or cracked software installers that secretly bundle malware
– Fake “system utilities” or “wallet tools” downloaded from random sites
– Malicious attachments disguised as trading bots, indicators or scripts
– Pop‑up prompts asking for full disk access or Keychain access that users approve without scrutiny
Once those privileges are granted, the operating system’s inherent security advantages matter much less. For crypto users, who typically store high‑value assets or credentials on their machines, the risk‑reward ratio for criminals is particularly attractive.
How to tell if you might be compromised
There is no single obvious sign that this specific malware is present, but several red flags should prompt deeper inspection:
– Unexpected prompts on macOS asking for Keychain access or full disk access, especially from unknown apps
– Crypto wallet apps suddenly requesting recovery phrases for “verification” or “updates”
– Telegram acting strangely, such as sessions appearing active from unknown locations or devices
– Wallet balances changing without your authorization or outgoing transactions you do not recognize
– New applications appearing in your Applications folder that you do not recall installing
If several of these symptoms appear together-particularly around the time you installed new software or interacted with unverified files-there is a strong case for assuming compromise and acting defensively.
Immediate steps if you suspect infection
SlowMist recommends a strict incident‑response style approach for anyone who thinks their Mac may have been targeted:
1. Terminate Telegram sessions:
– On a known‑clean device, log into Telegram and manually terminate all active sessions.
– Then create a fresh, trusted session from a secure device.
2. Change Telegram credentials:
– Reset your Telegram two‑step verification password.
– Change your Telegram Desktop passcode if you use one.
3. Regenerate wallet security:
– On a separate, uncompromised machine, generate a completely new recovery phrase using trusted wallet software or a hardware wallet.
– Create new wallets and addresses derived from this new phrase.
4. Migrate your assets:
– Transfer all funds from old wallets and addresses to the new ones created on the clean device.
– Treat any seed phrase or private key that has ever been on the suspected machine as permanently compromised.
5. Audit your Mac:
– Remove any suspicious or recently installed applications you cannot fully verify.
– Consider backing up essential, non‑sensitive data and performing a full system reinstall to eliminate hidden malware.
Long‑term protection for Mac‑based crypto users
Beyond emergency actions, crypto holders using macOS should harden their daily practices:
– Use hardware wallets for long‑term holdings. Store significant funds in hardware devices, not software wallets or browser extensions. Connect them only when necessary.
– Separate environments. Consider dedicating one Mac account or even a separate machine solely for crypto operations, minimizing the number of installed apps.
– Be ruthless with permissions. Decline Keychain and full disk access requests from any app that does not absolutely require them, especially newly installed tools.
– Avoid pirated or “cracked” software. These are a common infection vector and particularly dangerous for users holding valuable assets.
– Regularly review Telegram settings. Frequently check active sessions and revoke any that you do not recognize.
– Keep backups offline. Store encrypted backups and seed phrase backups offline (e.g., on paper or metal), never in cloud notes, screenshots, or chat histories.
Why Telegram is an attractive target
Telegram has become a communication hub for traders, project teams and investors. For attackers, compromising a Telegram session does more than grant chat access:
– They can read back through history to discover pasted seed phrases, private keys or API keys.
– They can impersonate the victim to contact exchanges, wallet support or peers.
– They can distribute malicious files or wallet clones to the victim’s contacts, expanding their reach.
By hijacking a trusted identity instead of brute‑forcing passwords, criminals raise the success rate of social engineering attacks, particularly in high‑value crypto networks.
The broader lesson for digital asset security
The SlowMist findings highlight a reality many in the industry increasingly recognize: securing digital assets is not just about strong passwords or enabling 2FA on individual services. Attackers are now chaining multiple weaknesses-desktop OS, messaging apps, local wallets, user habits-into a single operation.
For individuals and organizations holding crypto, the most resilient defense combines:
– Technical safeguards (hardware wallets, clean operating environments, strong encryption)
– Behavioral discipline (never re‑enter seed phrases into “update” screens, verify app authenticity, limit what is stored in chats and notes)
– Rapid response plans (knowing in advance how to rotate keys, regenerate phrases and move funds if compromise is suspected)
Mac users who treat their devices as inherently safe are precisely the people this malware is designed to exploit. Treat every wallet, session and recovery phrase as if a determined attacker is trying to piece them together-and design your defenses so that no single stolen file, session or password is enough to cost you your assets.

