Pavlo Kot

New macOS malware steals Telegram data and targets crypto wallets

New macOS malware steals Telegram data and targets crypto wallets
MacOS malware

​Security researchers at SlowMist have identified macOS malware capable of stealing data from Telegram Desktop and gaining access to cryptocurrency wallets. The stolen information can be used to restore Telegram sessions, decrypt wallet files, or steal seed phrases through fake applications.

According to the researchers, the malware collects data from the macOS Keychain, Safari browser files, Apple Notes, Telegram Desktop, and the databases of more than a dozen cryptocurrency wallets.

Once a device is infected, the malware copies authenticated Telegram session data, cryptocurrency wallet files, and information related to browser extensions used for managing digital assets.

Malware targets popular crypto wallets

SlowMist researchers said attackers may attempt to decrypt stolen wallet databases using passwords obtained from the compromised device. Another attack vector involves replacing legitimate Ledger Live and Trezor Suite applications with fake versions that prompt users to enter their seed phrases.

The researchers successfully reproduced the entire attack chain in an isolated environment.

The malware targets software wallets including Exodus, Atomic Wallet, Electrum, Wasabi Wallet, and Monero. It can also search for data associated with full nodes of Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.

Two-factor authentication does not prevent the attack

According to SlowMist, Telegram's two-factor authentication cannot mitigate this attack because the malware does not perform a new login. Instead, it uses an already authenticated session stored on the victim's device.

The researchers demonstrated that stolen Telegram Desktop session data can be transferred to another Mac computer without requiring a phone number, verification code, or two-factor authentication password.

SlowMist advised users who suspect their devices have been compromised to immediately terminate all active Telegram sessions and change both their Telegram two-factor authentication password and Telegram Desktop password. Cryptocurrency wallet users are also encouraged to generate a new seed phrase on a secure device and transfer their assets to new addresses.

Amid the growing number of cyberattack tools, Immunefi reported that cryptocurrency projects lost approximately $972 million across 207 successful hacks during the first half of 2026, marking a record number of incidents.

Earlier, decentralized trading protocol Ostium halted all trading operations after an incident affecting its OLP liquidity pool. Cybersecurity experts estimate that the suspected exploit may have resulted in losses ranging from $18 million to $22 million.

This material may contain third-party opinions, none of the data and information on this webpage constitutes investment advice according to our Disclaimer. While we adhere to strict Editorial Integrity, this post may contain references to products from our partners.
Weekly Top Bonuses
up to $2,500
deposit bonus for all clients
CLAIM BONUS
Your capital is at risk.