macOS Malware Hijacks Telegram Sessions to Steal Crypto Wallets
Blockchain security firm SlowMist reports a macOS malware campaign that hijacks Telegram Desktop sessions and targets crypto wallets. The macOS malware steals credentials and harvests data from the victim’s macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop, and wallet-related databases.
After collecting passwords and authenticated session data, the macOS malware can copy Telegram Desktop session files, wallet databases, and browser wallet extension data. Attackers may then:
1) Decrypt stolen wallet databases offline using harvested passwords.
2) Replace legitimate Ledger and Trezor apps with fake versions to trick users into entering wallet recovery phrases.
SlowMist says the malware targets both software wallets (Exodus, Atomic, Electrum, Wasabi, and Monero wallets) and hardware wallet workflows (Ledger Live, Trezor Suite). It also searches for wallet data stored by full-node clients, including Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core.
A key finding is that Telegram two-step verification may not stop the attack. SlowMist attributes this to the malware reusing an already-authenticated local Telegram session rather than initiating a new login. In tests, researchers restored stolen Telegram Desktop session data on another Mac without needing a phone number, verification code, or 2FA password.
SlowMist recommends immediate actions if compromise is suspected: terminate existing Telegram sessions, create a new trusted login, change the Telegram 2FA password and Telegram Desktop Passcode, generate a new recovery phrase on a clean device, and move assets to new addresses.
Traders should treat this as heightened wallet/security risk rather than a direct protocol or exchange disruption.
Bearish
This is not a protocol exploit or an exchange outage, but it directly increases the probability of real user fund losses via account/session takeover and wallet database compromise. Historically, major wallet-draining malware (e.g., past credential-stealing campaigns targeting browser extensions, clipboard apps, or session tokens) tends to trigger short-term risk-off sentiment: traders rotate toward safer custody behaviors (hardware wallets set up cleanly, rotating recovery phrases, and address changes) and may see elevated volatility in the short run, especially in the coins most exposed through commonly used wallet interfaces.
In the long term, the impact is usually more about recurring operational security than fundamentals: if incidents spread widely, it can reduce retail confidence in self-custody workflows and increase demand for hardened wallet tooling and incident response. However, because this report is from a security firm and focuses on defensive guidance (session termination, recovery-phrase rotation), market stability can normalize once users take protective actions.
Net effect: bearish bias for sentiment and near-term volatility, but not a clear systemic market shock.