Telegram Session Hijacking Used in macOS Malware to Steal Crypto Wallets

fiverr
Changelly


A macOS information-stealing malware can compromise cryptocurrency holdings by hijacking Telegram Desktop sessions and extracting wallet data, according to blockchain security firm SlowMist. The attack is notable because it focuses on taking over already-authenticated local sessions and stealing sensitive credentials, rather than relying solely on intercepting new logins.

SlowMist says the malware harvests data from multiple sources on an affected Mac, including Apple’s Keychain, Safari cookies, Apple Notes, Telegram Desktop and wallet databases tied to more than a dozen crypto wallets. After collecting credentials and authenticated session material, attackers can use the stolen information to access wallets and potentially execute account takeovers.

Key takeaways

  • SlowMist reports a macOS malware chain that combines credential theft, browser/session harvesting, and wallet database extraction.
  • Telegram two-step verification may not stop the attack because the malware reuses an existing authenticated Telegram Desktop session on the device.
  • The malware targets both software wallets (such as Exodus, Atomic, Electrum, Wasabi, and Monero) and hardware wallet companion apps (Ledger Live and Trezor Suite).
  • Defenders’ best near-term steps include terminating Telegram sessions, re-authenticating on a trusted device, and rotating wallet recovery phrases and assets to new addresses.

How the Telegram session hijack works

SlowMist’s assessment centers on the malware’s ability to work through already-established authentication. Rather than forcing a new Telegram login flow—which would typically require re-entering a phone number, verification code, and two-step verification password—the malware appears to leverage the authenticated session stored locally by Telegram Desktop.

In its reproduced testing, SlowMist says researchers restored stolen Telegram Desktop session data on another Mac without needing to repeat the normal verification steps, including entering a phone number or two-step verification password. That means even users who believe their Telegram protections are strong may still face risk if their device has already been compromised.

Binance

For crypto users who rely on Telegram to manage accounts, coordinate transfers, or receive wallet-related approvals, this matters: a session takeover can enable attackers to impersonate the user, obtain access to conversations and any linked operational details, and facilitate subsequent wallet-focused actions.

What data the malware harvests on macOS

SlowMist reports that the malware gathers a range of sensitive information from the compromised system. The company specifically points to macOS Keychain data, Safari cookies, Apple Notes, and Telegram Desktop. It also looks for cryptocurrency wallet data stored on the device.

Beyond user credentials and browser artifacts, the malware also targets stored wallet databases and related wallet extension data. SlowMist says that after collection, attackers copy authenticated session data, wallet databases, and browser wallet extension information—creating multiple paths for wallet access depending on the wallet type and local storage structure.

The combined approach is important because it increases the odds of success. Instead of betting on a single weakness, the malware can pursue credential-based decryption and offline wallet database recovery, or it can aim at social engineering and application replacement—two methods that can operate even if one fails.

Wallet targets: from desktop software to hardware app companions

According to SlowMist, the malware targets both common software wallets and applications associated with hardware wallets. On the software side, it names Exodus, Atomic, Electrum, Wasabi and Monero. On the hardware side, it includes Ledger Live and Trezor Suite—suggesting the malware aims to compromise not only keys stored by desktop apps, but also the companion software environments used to interact with hardware wallets.

SlowMist also says the malware searches for wallet data stored by full-node clients. It lists Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core as examples, implying that systems running these services may contain wallet-related data that the attacker can harvest.

This breadth means affected users may not realize they are at risk simply because they don’t use one of the “headline” wallets. Anyone who stores wallet data locally, uses wallet-related companion apps, or keeps backups and recovery material on the same device could be exposed depending on what the malware detects and copies.

Two ways attackers can turn stolen data into theft

SlowMist describes two primary endgame strategies after the data theft phase.

First, attackers can attempt to decrypt stolen wallet databases offline using passwords taken from the infected device. If the malware successfully extracts the credentials needed to unlock local wallet storage, offline decryption reduces the attacker’s dependence on live access or additional compromise steps.

Second, SlowMist says attackers may replace legitimate Ledger and Trezor applications with fake versions designed to trick users into entering recovery phrases. This shifts the attack from purely technical compromise to user deception, leveraging the fact that many users will naturally follow prompts in trusted-looking wallet software.

SlowMist states that it reproduced the full attack chain in an isolated environment, supporting the firm’s characterization of how the different components can work together—from data collection through to potential wallet manipulation.

What users should do if they suspect compromise

SlowMist urged users who suspect their devices have been compromised to take immediate containment steps. The firm recommends terminating existing Telegram Desktop sessions, establishing a new trusted login, and then changing both the Telegram two-step verification password and the Telegram Desktop Passcode.

For wallet security, SlowMist advises users to generate a new recovery phrase on a clean device and move all assets to new addresses. The underlying logic is straightforward: if a recovery phrase or wallet database may be recoverable by an attacker, treating existing addresses as potentially compromised helps reduce the chance of future unauthorized access.

Given the malware’s emphasis on authenticated sessions and local credential harvesting, the safest remediation tends to focus on “breaking the chain” on the infected device—re-authenticating critical services and rebuilding wallet access from a clean environment rather than attempting to patch individual components.

Going forward, investors and everyday users alike should watch for signs of Telegram session abnormality (unexpected activity, sudden device prompts, or account behavior) and treat any macOS security incident as potentially wallet-relevant. The key uncertainty remains how widely such malware campaigns are deployed in the wild—but SlowMist’s findings offer a clear blueprint for why device compromise, not just exchange security, can determine the outcome of a crypto theft attempt.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure





Source link

fiverr

Be the first to comment

Leave a Reply

Your email address will not be published.


*