SlowMist Unmasks macOS Malware That Hijacks Telegram to Pillage Crypto Wallets

3 hour ago 3 sources negative

Key takeaways:

  • The macOS-targeting malware could trigger a sell-off in DOGE and LTC if major wallets are compromised.
  • Fake Ledger Live apps may undermine confidence in hardware wallets, boosting demand for decentralized cold storage.
  • Exploited session files bypassing 2FA make hot wallets a liability, favoring long-term accumulation of privacy coins like XMR.

Blockchain security firm SlowMist has issued an urgent warning about a new macOS information-stealing campaign that can hijack Telegram Desktop sessions and pull sensitive data from a wide range of cryptocurrency wallets. The malware, which researchers reproduced in a controlled environment, does not rely on cracking login codes. Instead, it copies already authenticated local session files, enabling attackers to access Telegram accounts without a phone number, verification code, or even the account’s two‑step verification password.

Telegram two‑step verification does not prevent the attack,” SlowMist stressed, “because the malware reuses existing session files.” Once the session data is stolen, attackers can restore it on another device and bypass all normal login checks. The firm urged anyone who suspects an infection to immediately terminate all active Telegram sessions and create a fresh trusted login.

Beyond Telegram, the malware scours the infected Mac for cryptocurrency wallet data. It specifically targets Exodus, Atomic, Electrum, Wasabi, and Monero software wallets, as well as hardware wallet applications Ledger Live and Trezor Suite. In a particularly dangerous twist, the attackers may replace legitimate hardware wallet apps with fake versions designed to trick victims into entering their recovery phrases.

The sweep does not stop there. Full‑node wallet databases from Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core are also in the crosshairs. After exfiltrating these files, attackers can attempt offline decryption using passwords harvested from the same device—making weak credentials a severe liability.

SlowMist advises crypto users who suspect wallet exposure to move funds from a clean, separate device, generate a new recovery phrase, and transfer assets to fresh addresses. Additional protective measures include avoiding pirated software, downloading apps only from official sources, and enabling a local Telegram passcode as an extra barrier. The campaign serves as a stark reminder that wallet security can be compromised long before any blockchain transaction is signed.

Disclaimer

The content on this website is provided for information purposes only and does not constitute investment advice, an offer, or professional consultation. Crypto assets are high-risk and volatile — you may lose all funds. Some materials may include summaries and links to third-party sources; we are not responsible for their content or accuracy. Any decisions you make are at your own risk. Coinalertnews recommends independently verifying information and consulting with a professional before making any financial decisions based on this content.