Crypto News

MacOS Malware Hijacks Telegram to Steal Crypto Wallets

📖 6 min de lecture MacOS Malware Hijacks Telegram Sessions to Target Crypto Wallets A new piece of malware targeting MacOS users has been discovered: it hijacks active Telegram sessions to steal cryptocurrencies from connected wallets. The alert comes from SlowMist, one of the most reputable blockchain security firms, which has published a detailed analysis...

⏱ 6 min read
⏱ 6 min de lecture
📖 6 min de lecture

MacOS Malware Hijacks Telegram Sessions to Target Crypto Wallets

A new piece of malware targeting MacOS users has been discovered: it hijacks active Telegram sessions to steal cryptocurrencies from connected wallets. The alert comes from SlowMist, one of the most reputable blockchain security firms, which has published a detailed analysis of this emerging threat.

How Does the Attack Work?

According to the SlowMist report, the malware exploits Telegram sessions that are already authenticated on infected machines. Telegram has become a central tool in the crypto ecosystem, used for discussion groups, information channels, project communities, and even some trading operations. By hijacking these active sessions, attackers can gain access to private messages, groups, and potentially intercept sensitive information related to crypto wallets.

The initial infection vector has not been detailed by SlowMist in its initial communications, but the researchers suggest that the malware spreads via malicious attachments, links inside Telegram messages themselves, or through compromised software downloaded outside Apple’s official App Store. Once installed, the malware runs silently in the background without arousing the user’s suspicion.

A Direct Threat to Cryptocurrency Holders

The particularity of this malware lies in its explicit targeting of crypto wallets. By taking control of Telegram sessions, attackers can monitor conversations where wallet addresses, API keys, or sensitive information are shared. Telegram bots used by many crypto projects for transaction notifications or price alerts are also vulnerable.

Users of so-called “hot wallets”—wallets connected to the internet—are the most exposed. Software wallets like MetaMask, Phantom, or Trust Wallet, often used in conjunction with Telegram groups, can see their information compromised if the malware collects seed phrases shared via the messaging app.

Why Telegram Is a Prime Target

Telegram occupies a unique place in the crypto ecosystem. With hundreds of thousands of active users in groups dedicated to cryptocurrencies, the platform has become a hub for information and coordination. Projects announce their developments there, traders share their analysis, and communities organize themselves.

This centralization makes Telegram a choice target for attackers. The malware does not target Telegram itself, but rather Telegram users who hold cryptocurrencies—a very specific population that can be highly lucrative for cybercriminals.

SlowMist, which has already documented numerous attacks in the blockchain ecosystem, emphasizes that this type of malware represents a significant evolution in threats targeting crypto users. Unlike generalist attacks, this malicious software is specifically designed to extract value from wallets connected via Telegram.

The Importance of Session Security

Active Telegram sessions are stored locally on the user’s device. Once an attacker gains access to them, they can maintain a persistent presence even if the user changes their password. This is why SlowMist’s discovery is particularly concerning: traditional security measures (changing the password, two-factor authentication) are not enough to neutralize an already compromised session.

The researchers recommend several protective measures: regularly check active sessions in Telegram settings, disconnect unknown sessions, and do not click on suspicious links even when they come from known contacts—whose accounts could be compromised.

History of MacOS Threats in Crypto

MacOS has long been considered safer than Windows for crypto activities, benefiting from a smaller user base and a reputed security architecture. However, recent years have seen a multiplication of threats targeting Mac users in the crypto space: fake mining software, fraudulent trading applications, and now malware targeting Telegram.

In 2024 and 2025, several strains of MacOS malware were discovered, targeting Exodus, Electrum, and Ledger Live wallets. The trend is accelerating with the rise of cryptocurrency adoption and the growing value of assets held by individual users. The larger the crypto market capitalization, the stronger the incentives for malware developers.

What to Do If You Are on MacOS?

For MacOS users who participate in Telegram groups related to cryptocurrencies, SlowMist recommends the following best practices:

First, check your active Telegram sessions. Open Telegram, go to Settings > Devices > Active Sessions. Disconnect any session you do not recognize or that comes from a device you no longer use. This check should be performed regularly, ideally every week.

Second, avoid sharing sensitive information related to your crypto wallets via Telegram. Public wallet addresses can be shared, but never seed phrases, private keys, or passwords. Use end-to-end encrypted channels for sensitive communications, and prefer physical storage media for seed phrases.

Third, keep your MacOS up to date with the latest security patches. Apple regularly releases updates that fix vulnerabilities exploited by malware. Enable automatic updates so you do not miss critical fixes.

Fourth, use a hardware wallet to store your important assets. Physical wallets like Ledger or Trezor sign transactions offline, making it impossible for malware on your computer to compromise them—even if your Telegram session is hacked.

Fifth, be particularly vigilant about the applications you install on your Mac. Favor the Mac App Store and official developer websites. Avoid cracked software or downloads from unverified sources, which constitute the most common infection vector for this type of malware.

The Crypto Community’s Response

SlowMist’s discovery has already begun circulating in crypto security circles. Several cybersecurity experts are calling for increased vigilance, reminding that the threat is not limited to MacOS or Telegram—other platforms and operating systems could be targeted by variants of this malware in the weeks to come.

The security teams of major crypto projects have been alerted and are working on implementing additional protective measures. Some projects are considering adding automatic warnings in their Telegram bots when phishing attempts or sharing of suspicious links are detected.

The crypto ecosystem remains attractive to cybercriminals because of the high value of assets and the irreversibility of transactions. Each new threat reminds us of the importance of individual security and user education on best practices. As SlowMist points out, the best defense remains a combination of vigilance, appropriate tools, and rigorous digital hygiene.

SlowMist’s full report is expected to be published shortly with more technical details on infection mechanisms and indicators of compromise (IoCs). In the meantime, caution is advised for all MacOS users active in the crypto ecosystem via Telegram.

📬

Get the weekly crypto briefing

Analysis, trends and opportunities — straight to your inbox.

📤 Partager
Share this article

Similar Posts

  • ⏱ 2 min de lecture Par La Rédaction Publié le 7 July 2026 Crypto News 📖 2 min de lecture Context: Why This Update Matters Now The crypto world moves fast, and consensus protocols like Stacks constantly adapt to meet growing security and reliability demands. The release of stacks-signer 3.4.0.0.4.0 comes at a strategic time,…

  • ⏱ 2 min de lecture Par La Rédaction Publié le 10 January 2026 Crypto News 📖 2 min de lecture The crypto market showed signs of recovery on January 2, 2026, with Bitcoin (BTC) rising 1.4% to $88,727.67 and Ethereum (ETH) reaching $3,000.42. This modest uptick marks a shift in sentiment after the New Year’s…

  • ⏱ 2 min de lecture Par La Rédaction Publié le 11 July 2026 Crypto News 📖 2 min de lecture Why This Update Matters Today The Bitcoin Core 30.3 release is not just a routine technical update. Amid a surge in cyberattacks targeting crypto infrastructure, every security improvement becomes critical. Published on March 28, 2025,…

  • ⏱ 2 min de lecture Par La Rédaction Publié le 11 July 2026 Crypto News 📖 2 min de lecture Unexpected Rebound in a Bearish Market While the crypto market experiences high volatility and a broad correction, Raydium AMM, a major decentralized finance (DeFi) protocol on Solana, has surprised investors with an impressive TVL (Total…

  • ⏱ 5 min de lecture Par La Rédaction Publié le 4 July 2026 Crypto News 📖 5 min de lecture Context: Why Kraken’s Announcement Matters in 2025 In a landscape where European institutions are desperately seeking compliant solutions under MiCA regulations, Kraken has made a major move. The launch of Trever, its prime brokerage platform…