Cybersecurity Alerts: New Mac Malware and Fake iOS Wallet Apps Target Crypto Users


Key takeaways:

  • Apple ecosystem security breaches could drive institutional preference for hardware wallets like Ledger.
  • Sophisticated macOS malware campaigns signal a shift in attacker focus towards high-value crypto targets.
  • Global users must verify app authenticity as fraudulent wallets exploit regional software distribution gaps.

Cybersecurity firms have issued urgent warnings about two distinct but serious threats targeting cryptocurrency users on Apple's macOS and iOS platforms. These campaigns employ sophisticated social engineering to steal digital assets and sensitive credentials.

SlowMist has identified a new, highly destructive macOS infostealer dubbed "MacSync Stealer" (v1.1.2). This active malware campaign uses deceptive tactics, such as fake AppleScript system dialogs that mimic legitimate macOS password prompts, to phish for user login credentials. Once a victim is compromised, the malware silently exfiltrates data, including cryptocurrency wallets and critical infrastructure keys like SSH, AWS, and Kubernetes credentials. To avoid suspicion, it displays a fake "not supported" error message post-extraction, making it appear as if an application simply failed to launch.
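The behaviour described above can be hunted for by correlating two signals from endpoint telemetry: an `osascript` dialog that requests masked input, and reads of SSH, AWS or Kubernetes credential files by the same parent process or its children. The sketch below is an added example, not SlowMist's detection logic or code from the malware; the event schema, PIDs, paths and command lines are constructed assumptions.

```python
import re

# AppleScript text prompt with masked input: the building block of a fake password dialog.
HIDDEN_PROMPT = re.compile(r"display\s+dialog\b.*\bhidden\s+answer\b", re.I | re.S)
# Default locations of the SSH, AWS and Kubernetes credentials the article lists.
CRED_PATH = re.compile(r"/\.ssh/|/\.aws/credentials$|/\.kube/config$")

# Constructed telemetry, not taken from any real sample. The schema is an assumption;
# map the fields to whatever your EDR or Endpoint Security collector emits.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 500, "ppid": 1,
     "image": "/Users/alice/Downloads/Tool.app/Contents/MacOS/Tool", "cmdline": "Tool"},
    {"type": "exec", "pid": 501, "ppid": 500, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Enter your password\" "
                "default answer \"\" with hidden answer'"},
    {"type": "open", "pid": 500, "path": "/Users/alice/.ssh/id_ed25519"},
    {"type": "exec", "pid": 502, "ppid": 500, "image": "/usr/bin/zip",
     "cmdline": "zip -r /tmp/out.zip ."},
    {"type": "open", "pid": 502, "path": "/Users/alice/.aws/credentials"},
    # Benign: a dialog without masked input, and kubectl reading its own config.
    {"type": "exec", "pid": 610, "ppid": 600, "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"Backup finished\"'"},
    {"type": "exec", "pid": 700, "ppid": 650, "image": "/usr/local/bin/kubectl",
     "cmdline": "kubectl get pods"},
    {"type": "open", "pid": 700, "path": "/Users/alice/.kube/config"},
]

def find_suspects(events):
    """Return {pid: [credential paths]} for processes that spawned a masked-input
    osascript dialog and that (directly or via a child) opened credential files."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}
    prompters = {e["ppid"] for e in events
                 if e["type"] == "exec" and e["image"].endswith("/osascript")
                 and HIDDEN_PROMPT.search(e["cmdline"])}
    hits = {}
    for e in events:
        if e["type"] != "open" or not CRED_PATH.search(e["path"]):
            continue
        # Attribute the read to the prompting process itself or to its child.
        for owner in (e["pid"], parent.get(e["pid"])):
            if owner in prompters:
                hits.setdefault(owner, []).append(e["path"])
                break
    return hits

if __name__ == "__main__":
    for pid, paths in find_suspects(SAMPLE_EVENTS).items():
        print(f"pid {pid}: masked-input prompt plus reads of {paths}")
```

Either signal alone is noisy (legitimate scripts use `display dialog`, and `kubectl` reads its own config), which is why the sketch only reports the combination.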

This incident is part of a broader trend of macOS-targeted attacks. Microsoft Threat Intelligence recently exposed a campaign by the North Korean state-sponsored actor "Sapphire Sleet," which impersonates macOS software updates to steal crypto wallets. Other notable malware includes "Infinity Stealer," which adapts Windows-centric methods for macOS, and the commercially distributed "MioLab" infostealer built to target high-value victims like crypto holders.

Separately, Kaspersky's Threat Research team has identified 26 fraudulent cryptocurrency wallet applications on the Apple App Store. These apps imitate popular wallets like MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie by copying their names and branding. Once opened, they redirect users to phishing pages resembling the App Store, prompting the download of a second, trojanized wallet application designed to drain funds.

Kaspersky links this campaign, active since at least fall 2025, with "moderate confidence" to the threat actors behind the SparkKitty iOS malware strain. While most phishing apps were distributed to users in China—where official versions of many wallets are unavailable—the malicious payload has no regional restrictions, posing a global risk. The apps use basic, unrelated features (like games or calculators) to appear legitimate and exploit Apple's enterprise developer tools to install malware after users approve a developer profile.

Sergey Puzan, a Kaspersky mobile malware expert, warned that these apps serve as entry points in a broader attack chain. "Users should be wary of the risks related to managing their crypto wallets even on devices that they consider safe, such as iPhones," he stated.

This report follows the recent exposure of a counterfeit Ledger Nano S Plus device sold online, which was part of a sophisticated phishing operation to steal wallet credentials, highlighting the multifaceted nature of current crypto security threats.
