Fake CAPTCHA attack targets crypto wallets on macOS
Security researchers at Malwarebytes warn that a new fake CAPTCHA scheme is targeting crypto users on macOS via a ClickFix social-engineering attack. The lure is a fake “Cloudflare CAPTCHA” page hosted on update-check[.]com. After the victim clicks the fake CAPTCHA, the page instructs them to open Terminal and paste a command that actually downloads and runs a hidden installer script.
Once executed, the malware contacts an attacker-controlled remote server to silently install an infostealer called “Infiniti Stealer.” Researchers say it’s delivered as a native macOS binary, making it harder to analyze and detect. The campaign can steal crypto wallet data, browser credentials, macOS Keychain secrets, plaintext developer files, and even screenshots taken during execution. It also attempts to evade analysis environments and sends stolen data to the attacker; credential candidates are queued for server-side cracking. Telegram notifications can be triggered when extraction is complete.
The report notes ClickFix attacks have been common on Windows but are now being adapted for Apple systems. It also cites prior macOS crypto malware activity, including “GhostClaw,” which disguised itself as an “OpenClaw” tool on npm. In that case, 178 developers downloaded the malicious package before it was removed.
Broader crypto-loss context: Chainalysis reports that personal wallet compromises rose from 7.3% of total stolen value in 2022 to 44% in 2024. In 2025, $3.4B was stolen across the industry; the personal-wallet share could have reached 37% in 2025 without the outsized effect of the Bybit-related incident.
For traders, this fake CAPTCHA threat is primarily a security/risk factor. It may increase anxiety around self-custody and wallet hygiene, but it’s not a direct protocol or macro catalyst.
Neutral
This news is primarily an end-user security incident, not a change to any blockchain’s fundamentals, token emissions, or market liquidity. Historically, when major wallet-theft headlines emerge, they can cause short-term risk aversion among retail/self-custody users (heightened caution, more defensive positioning, more wallet/approval review), but they rarely create sustained price trends unless the incident reaches an exchange/protocol level.
The key market-relevant angle is the emphasis on personal wallet compromises rising (7.3% in 2022 to 44% in 2024) and the scale ($3.4B stolen in 2025). That pattern is consistent with prior security waves—typically leading to temporary increases in volatility around “hot wallets,” token bridges, and custody services, followed by normalization once immediate fallout is priced.
In the short term, traders may see marginal sentiment pressure (neutral-to-bearish tone in social metrics), especially for coins frequently associated with self-custody attention. In the long term, the market effect should be limited: unless further details reveal systemic compromise affecting large holders or major exchanges, price action is likely driven more by macro/liquidity factors than by this fake CAPTCHA campaign.