A macOS malware hijacks Telegram and hunts for crypto wallets — how to stay safe
Security researchers at SlowMist have detailed a macOS malware that quietly steals credentials to hijack Telegram Deskto…
Security researchers at SlowMist have detailed a macOS malware that quietly steals credentials to hijack Telegram Desktop sessions and break into cryptocurrency wallets. Once it is on a Mac, it can copy an already-logged-in Telegram session and go after the data behind more than a dozen wallet apps.
The malware harvests information from across the machine — the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop, and the databases of many crypto wallets. With that haul, attackers can try two things: decrypt stolen wallet files offline using passwords taken from the same device, or replace real apps like Ledger Live and Trezor Suite with fake copies that trick people into typing in their recovery phrase.
The wallets in its sights include software wallets such as Exodus, Atomic, Electrum, Wasabi and Monero, the hardware-wallet apps Ledger Live and Trezor Suite, and full-node software like Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core. SlowMist says it reproduced the full attack chain in an isolated test environment.
One detail matters for anyone who leans on two-factor authentication. Telegram's two-step verification does not stop this attack, because the malware reuses a session that is already logged in rather than signing in fresh. In tests, researchers restored a stolen Telegram session on a different Mac without ever entering a phone number, a verification code, or the two-step password.
If you think a device may be affected, SlowMist recommends acting fast: end all existing Telegram sessions and set up a new trusted login, change both your Telegram two-step password and your Telegram Desktop passcode, then generate a brand-new recovery phrase on a clean device and move all assets to new addresses.
For beginners, one rule cuts through most of this: a genuine wallet app will never ask you to type your recovery phrase into your computer. Treat any prompt to "re-enter" or "verify" your seed words as a warning sign, download wallet software only from official sources, and remember that a hardware wallet protects your keys only as long as the recovery phrase behind it stays offline. Information, not advice.