SlowMist flags MacOS malware stealing crypto credentials to breach Telegram and wallets

SlowMist warns macOS malware can steal Telegram sessions, crypto wallet databases and recovery phrases through fake apps.
Table of Contents

TL;DR:

  • SlowMist identified macOS malware that can hijack Telegram Desktop sessions and compromise crypto wallets by harvesting Keychain data, Safari cookies, Apple Notes and wallet databases.
  • Attackers can reuse authenticated Telegram session data without fresh codes or two-step verification, then target wallets through offline decryption or fake Ledger and Trezor apps.
  • Users should terminate Telegram sessions, change passwords and passcodes, generate new recovery phrases on clean devices and move assets immediately.

A new macOS information-stealing campaign is sharpening a familiar lesson for crypto users: wallet security can fail before any blockchain transaction begins. SlowMist identified malware capable of hijacking Telegram Desktop sessions and compromising cryptocurrency wallets by harvesting data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases tied to more than a dozen wallets. The attack targets the user’s local trust layer, where saved passwords, authenticated sessions and wallet files can become enough for attackers to move from device access toward account takeover.

Telegram sessions become the attacker’s bridge to wallets

The malware does not rely on a single path. After collecting credentials and session data, attackers can copy authenticated Telegram Desktop sessions, wallet databases and browser wallet extension data, then attempt offline decryption using passwords stolen from the infected Mac. SlowMist also reproduced a second tactic: replacing legitimate Ledger Live and Trezor Suite applications with fake versions designed to trick victims into entering recovery phrases. The campaign combines credential theft with phishing infrastructure, making it dangerous even when private keys are not immediately exposed in plain text.

SlowMist identified macOS malware that can hijack Telegram

The Telegram angle is especially troubling because two-step verification may not stop the compromise. SlowMist’s testing restored stolen Telegram Desktop session data on another Mac without needing a phone number, verification code or two-step verification password. That means the attacker is not creating a fresh login. They are reusing a trusted local session already approved by the victim’s device. Session hijacking bypasses the comfort of login alerts, turning a compromised computer into a bridge for social engineering, account monitoring and follow-on wallet attacks.

The wallet list shows how wide the sweep is. The malware targets software wallets including Exodus, Atomic, Electrum, Wasabi and Monero, hardware wallet apps including Ledger Live and Trezor Suite, and full-node client data from Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core. For suspected infections, SlowMist recommends terminating existing Telegram sessions, creating a new trusted login, changing the Telegram two-step verification password and Telegram Desktop Passcode, then generating a new recovery phrase on a clean device and transferring assets to new addresses. The defensive takeaway is uncompromising, because once a Mac is infected, rotating passwords alone may not be enough to protect wallets, sessions and seed phrases during any serious wallet incident response.

RELATED POSTS

Ads

Follow us on Social Networks

Crypto Tutorials

Crypto Reviews