Back to News

New macOS malware hijacks Telegram and targets crypto wallets, risking funds

Security firm SlowMist says a new macOS malware campaign steals Telegram login details and tries to decrypt crypto-wallet private keys, while fake apps and update prompts trick users into giving up recovery phrases. A hijacked Telegram session can expose private messages and two-step verification codes, while a stolen recovery phrase lets attackers drain the crypto wallet from any device.
A new macOS malware campaign is actively stealing credentials to hijack Telegram sessions and decrypt cryptocurrency wallets, according to blockchain security firm SlowMist. The malicious software – discovered by the firm’s threat intelligence team – can also trick users into handing over their wallet recovery phrases through fake applications designed to look legitimate.

The attack works in two main ways. First, it captures Telegram login credentials stored on the infected Mac, giving attackers full control over a victim’s Telegram session. Second, it scans for installed cryptocurrency wallets and attempts to decrypt their private keys or seed phrases. If the wallet is not directly accessible, the malware displays fake update prompts or bogus wallet interfaces that ask the user to enter their recovery phrase. Once the attacker has that phrase, they can drain the wallet from any device.

Telegram is widely used in crypto trading communities for group chats, deal coordination, and even automated trading bots. A hijacked session allows an attacker to impersonate the victim, read private messages, and potentially access 2FA codes sent via Telegram. Combined with wallet access, this creates a dangerous one-stop shop for theft.

“The malware spreads through trojanized versions of popular macOS apps, often distributed via phishing links or unofficial download sites,” SlowMist said in its report. The firm identified fake versions of Telegram itself as a common vector, as well as counterfeit crypto wallet installers.

MacOS has historically been considered a safer platform for crypto users compared to Windows, but this campaign shows that assumption is no longer reliable. The malware targets both hot wallets (software wallets like MetaMask, Phantom) and any locally stored private key files. SlowMist noted that the crypting techniques used are sophisticated enough to bypass basic anti-virus scanners.

For traders and investors using macOS, the immediate takeaway is to verify the source of every download – especially for Telegram and wallet software. Storing seed phrases offline and using hardware wallets for large balances remains the strongest defense. SlowMist recommends enabling Telegram’s two-factor authentication with a strong password and reviewing active sessions regularly.

The full technical breakdown from SlowMist is available on their blog. Users who suspect infection should revoke all active Telegram sessions, transfer funds to a new wallet generated on a clean device, and run a full malware scan.

Related news