BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Bitcoin

MacOS Malware Bypasses Telegram 2FA to Targets Crypto…

How Does The MacOS Malware Compromise Crypto Users? A macOS information-stealing malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets by collecting passwords, au

AnonymousCryptoCompass newsroom
July 17, 2026
4 min read
NEWS
Hero article visual / chart / editorial image
CryptoCompass editorial visual for bitcoin coverage.

Desktop Crypto Wallet For ERC20 Tokens

How Does The MacOS Malware Compromise Crypto Users?

A macOS information-stealing malware can hijack Telegram Desktop sessions and compromise cryptocurrency wallets by collecting passwords, authenticated sessions, wallet databases and browser extension data from infected devices. The malware harvests data from the macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and databases linked to more than a dozen cryptocurrency wallets. After collecting the information, attackers can use stolen passwords and local session files to access accounts or attempt to unlock wallet databases offline. The attack is especially dangerous because it combines several methods in one chain. Instead of relying on a single wallet exploit, the malware collects anything that may help attackers move from device access to account takeover, wallet compromise or recovery phrase theft. That makes the threat broader than a standard password-stealing campaign. Crypto users often keep browser wallets, desktop wallets, hardware wallet apps, notes, seed phrase hints and messaging sessions on the same device. Once that device is infected, attackers may be able to connect those data points and build a path toward asset theft.

Why Are Telegram Sessions A High-Value Target?

The malware can copy authenticated Telegram Desktop session data, allowing attackers to restore the session on another Mac without going through the normal login process. In testing, stolen Telegram Desktop session data was restored without entering a phone number, verification code or two-step verification password. That means Telegram two-step verification does not fully protect users in this scenario. The malware is not creating a new login. It is reusing an already trusted local session. For crypto users, that creates a major risk because Telegram is widely used for exchange support, trading groups, project communities, OTC discussions and private wallet-related communication. If attackers gain access to an active Telegram session, they may be able to impersonate the victim, read private conversations, identify wallet holdings, target counterparties or push malicious links through a trusted account. The risk is not limited to the infected user. It can spread through professional networks and crypto communities that rely heavily on Telegram for real-time communication.

Investor Takeaway

The attack shows why crypto security cannot rely only on two-factor authentication or hardware wallets. If a trusted local device is compromised, attackers can target sessions, wallet files, passwords and recovery workflows at the same time.

Which Wallets And Applications Are Exposed?

The malware targets software wallets including Exodus, Atomic, Electrum, Wasabi and Monero. It also looks for data linked to hardware wallet applications such as Ledger Live and Trezor Suite. The campaign also searches for wallet data stored by full-node clients, including Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core. That wider targeting suggests attackers are not focused only on casual retail wallet users. They are also looking for users who run local wallet infrastructure or maintain older wallet databases on their machines. Once wallet databases are stolen, attackers can attempt to decrypt them offline using passwords harvested from the infected device. This is a critical risk because the attack does not need to break wallet encryption immediately on the victim’s machine. It can move the stolen files elsewhere and test passwords later. The malware may also replace legitimate Ledger and Trezor applications with fake versions designed to trick users into entering recovery phrases. That method targets the human recovery process rather than the hardware wallet itself. If a user enters a seed phrase into a fake app, the attacker can take control of the assets even if the hardware wallet was never technically broken.

What Should Compromised Users Do?

Users who suspect their device has been infected should treat the Mac as untrusted. The first priority is to terminate existing Telegram sessions, establish a new trusted login and change both the Telegram two-step verification password and Telegram Desktop Passcode. For wallet security, users should avoid entering recovery phrases, passwords or hardware wallet credentials on the affected machine. A new recovery phrase should be generated only on a clean device, and assets should be transferred to new addresses that were not created or managed on the compromised system. The incident also reinforces a broader operational lesson for crypto investors and firms. Sensitive wallet activity, exchange access, private messaging and recovery information should not all depend on a single everyday device. Segmentation matters. A separate clean device for wallet management, strict app verification, limited browser extensions and regular session reviews can reduce the damage from malware that reaches a primary workstation. For exchanges, wallet providers and institutional desks, the threat adds another reason to review endpoint controls around macOS devices. The attack chain does not rely only on crypto-native weaknesses. It uses local credentials, session files and user behavior. That places device security, staff training and recovery phrase handling at the center of digital asset risk management.