Security researchers have linked a fresh macOS malware campaign to the Lazarus Group, the North Korea-linked hacking outfit responsible for some of the crypto sector’s most consequential losses. The campaign, tracked by researchers as the Mach-O Man kit, is deployed through the ClickFix social-engineering framework that targets a broad spectrum of firms, including crypto companies.

According to Mauro Eldritch, an offensive security expert and founder of threat-intelligence outfit BCA Ltd., the Mach-O Man campaign leverages convincing calls to lure victims into executing commands that quietly pull down the malware in the background. The tactic enables attackers to bypass conventional security controls and slip into credentials and broader corporate environments, a pattern documented in a Tuesday report that cites the Any.run macOS analysis sandbox as a primary source of insight.

The operation culminates in a stealer payload designed to harvest a wide range of sensitive data, from browser extension data and stored credentials to cookies and macOS Keychain entries. Once collected, the information is zipped and exfiltrated through Telegram, after which the toolkit performs a self-deletion routine using the system rm command to erase traces without requiring user confirmation.

The emergence of Mach-O Man fits into a broader narrative around Lazarus’ evolving targeting beyond purely crypto-native incidents, underscoring the risk to corporate networks and supply chains alike. The group has long been associated with some of the industry’s largest heists, including the $1.4 billion attack on the Bybit exchange in 2025, cited as the era’s largest cryptocurrency breach to date.

For context, researchers emphasize that Lazarus has continued to widen its toolkit and attack surface in recent months. In April, the group was tied to AI-enabled social-engineering campaigns that breached Zerion by gaining access to team members’ sessions, credentials and private keys. The Zerion incident illustrated how attackers can blend social engineering with credential theft to reach privileged accounts and sensitive assets. Further coverage on that event is available from Cointelegraph.

Key takeaways

• Mach-O Man, a macOS malware kit attributed to Lazarus by researchers, is distributed via ClickFix social-engineering campaigns that reach traditional businesses and crypto firms alike.
• The final payload acts as a stealer, extracting browser data, credentials, cookies and macOS Keychain entries, with data zipped and exfiltrated through Telegram before the kit self-destructs using rm to erase traces.
• Victims are lured into fake Zoom or Google Meet calls, where they are prompted to run commands that trigger malware installation and deeper access, bypassing typical endpoint protections.
• The Lazarus operation continues to broaden its target scope beyond crypto-native companies, aligning with broader industry observations of the group’s expanding playbook and infrastructure access.
• Contextual benchmarks include the Bybit hack in 2025 and the Zerion breach in April, illustrating a pattern of high-stakes intrusions that blend phishing, social engineering and credential theft.

Mach-O Man: unraveling the attack sequence

At the core of the Mach-O Man campaign is a staged social-engineering flow centered on convincing calendar invites for popular virtual-meeting platforms. Victims receive a prompt that resembles a legitimate meeting notification, prompting them to join a so-called “Zoom” or “Google Meet” session. In the guise of a routine setup, victims are then steered to execute commands that quietly download and install the Mach-O Man components in the background. This stealthy delivery pathway helps attackers sidestep many traditional controls and allows credential harvesting to proceed with limited user friction.

Once the stealer is deployed, the toolkit targets data of high value to attackers. It raids browser extension data, stored credentials, cookies and Keychain entries, among other sensitive locally stored information. The extracted material is packaged into a zip archive and sent to the operators via Telegram, a channel chosen for its speed and relative resilience against standard enforcement actions. Following data exfiltration, the malware deploys a self-deletion routine, removing the entire kit from the host using the rm command—effectively leaving minimal traces and complicating post-incident forensics.

Context and implications for the crypto security landscape

The Lazarus Group’s alleged involvement in Mach-O Man extends a well-documented pattern of sophisticated, long-running campaigns that intensify the risk profile for crypto firms and their ecosystems. The group has become a persistent thorn in the side of exchanges, wallet providers and project teams, with past operations demonstrating a capacity to scale beyond traditional targets and adapt to evolving defense postures.

Bybit’s stunning $1.4 billion breach in 2025 stands as a benchmark for the scale of Lazarus-driven intrusions, underscoring not only the capital at risk but the potential for cascading effects across liquidity, market making and user trust. In parallel, the Zerion incident in April showcased how AI-augmented social engineering can accelerate the theft of credentials and private keys by exploiting legitimate team workflows and authorized sessions. The combination of social engineering with credential access remains among the most challenging vectors for defenders to preempt, particularly on macOS environments where threat actors have previously found gaps in application controls and user vigilance. Related reporting on Lazarus-linked activity continues to surface across industry coverage.

Defensive lessons and what to watch next

Mach-O Man reinforces the need for macOS-specific defense postures that blend user-education, application-control policies and robust-measurement of endpoint behavior. Key mitigations include enforcing least-privilege execution, deploying application allowlists, monitoring for anomalous download-and-execute sequences triggered from trusted apps, and tightening the wing of endpoint detection to catch command-and-control-like behaviors associated with staged infection chains. Given that the exfiltration route leverages Telegram, security teams should review outbound intelligence on uncommon channels used for data transfer and consider network-level constraints that challenge rapid egress of sensitive information.

For practitioners, the takeaway is clear: even as crypto-specific threats remain high-profile, attackers are expanding their targeting to encompass traditional businesses and cross-sector networks. This broadening of Lazarus’ reach increases the potential attack surface for exchanges, custodians and infrastructure providers alike, reinforcing the case for comprehensive, cross-platform threat intelligence integration and rapid response playbooks that can pivot as new malware kits surface. Any.run analysis provides a technical backdrop for understanding the Mach-O Man kit’s behavior and evolution.

As the industry absorbs these developments, observers will be watching for how defenders adapt to macOS-focused campaigns and whether new variants of Mach-O Man emerge with enhanced evasion techniques or more aggressive data-collection capabilities. The convergence of social engineering, credential theft and automated self-deletion marks a troubling trend—one that demands renewed emphasis on user education, secure access controls and vigilant incident-response strategies.

Readers should keep an eye on any updates about Lazarus’ tactics across platforms, especially as security teams track potential shifts in the group’s tooling, command channels and preferred data-exfiltration methods. The coming weeks may reveal whether Mach-O Man is a standalone spike or part of a broader, ongoing shift in the threat landscape facing the crypto ecosystem.

Ethereum price news on April 22 handed the bulls their sharpest read in months. Bitmine Immersion Technologies disclosed a 4.98 million ETH treasury worth roughly $11.5 billion with 101,627 tokens bought last week alone, the heaviest seven day stack of 2026 per CoinDesk, while ETH is marked at $2,410 with a 4.38% 24 hour gain.

Institutional treasuries stacking while the price reclaims levels is the footprint that has preceded every historic leg higher on ETH. Yet while most of the order book watches the $2,410 grind, $9.29 million is already inside a presale directed by the builder of the original Pepe with a confirmed Binance listing ahead, and Pepeto is the rare setup layering real utility onto the viral meme coin energy ETH no longer carries.

Bitmine chairman Tom Lee flagged clear evidence that the recent crypto correction is closing, citing ETH’s rebound and broader tape strength, per CoinDesk. The 101,627 ETH accumulated last week pushed the firm’s stack to 4.98 million tokens, roughly 4.12% of Ethereum’s 120.7 million supply, with 3.33 million of those tokens staked through the MAVAN validator infrastructure.

Spot ether ETFs strung together five positive sessions this week per CoinMarketCap as the Fear and Greed Index lifted to 33 from 29. Every prior Ethereum bull cycle launched on this profile, with corporate treasuries quietly soaking up supply while retail focus sat on other names.

Ethereum Price News Meets Pepeto: A Presale Carrying Viral Meme Lineage

Pepeto: Live Exchange Tools Paired With 100x Arithmetic and Pepe Bloodline

Bull markets on ETH consistently lift memecoins, and presale tickets ride the hardest. ETH near $2,410 is firm with 219% of upside to the Standard Chartered $7,500 mark, but a measured climb and a 100x listing day outcome sit in completely different categories.

Pepeto fills that gap. The exchange is running while round pricing holds, so wallets funding today enter live software the same hour the ticket clears. Swaps carry no fees across supported tokens, and token transfer between Ethereum, BNB, and Solana costs zero when pushed through the cross chain router.

All tools inside the platform are active now, well ahead of listing day. The builder who guided Pepe to its $11 billion cycle peak on raw community momentum leads the project alongside a SolidProof cleared code stack and a booked Binance listing. Ethereum’s own 2014 crowdsale priced ETH near $0.31 and converted early buyers into millionaires over the cycle that followed. Pepeto carries that same early stage profile, now paired with the viral meme DNA ETH itself never had.

Staking pays 179% APY on compounding cycles, and with $9.29 million committed at $0.0000001865, every stage tightens the window. The second trading opens, today’s level vanishes.

Ethereum (ETH) Price Holds $2,410 as Bulls Reclaim $2,400 and Memecoins Queue to Outpace Majors

Ethereum (ETH) is marked at $2,410 on April 22 per CoinMarketCap, a 4.38% 24 hour gain after the chart reclaimed $2,400 on fresh corporate demand. ETH is carving higher lows above the $2,200 zone per ZebPay analysis. A confirmed break over $2,400 opens $2,500, then $3,200, and places the Standard Chartered $7,500 target inside practical reach.

$2,200 anchors the technical base, with a rising trendline from the $1,800 low still intact. Across every prior cycle where ETH cleared a one month peak, memecoins and presales stacked multi x moves on top.

Even a clean run to $7,500 caps ETH gains at 219% across several months, while presale pricing in fractions of a cent maps a different multiplier when the rotation fires.

Closing Thoughts

Ethereum price news now places ETH above $2,410 with Bitmine absorbing 101,627 tokens in one week and corporate treasuries giving the chain a real structural bid, the sharpest read the network has seen in months. From a $285 billion asset, that upside is meaningful for patient books but nothing close to the magnitude that redraws a wallet.

Pepeto is the separate trade because a live exchange paired with round stage pricing produces what ETH at this scale cannot reproduce, and that is precisely why $9.29 million landed inside the round while the rotation was still forming, capital that read the listing outcome long before the wider crowd filed in.

That same pattern is the one Ethereum buyers who entered at $0.31 in 2014 followed, walking out with seven figure positions by the 2021 cycle. Pepeto is where that profile gets built this cycle, with the Pepe builder at the helm, real meme energy wired in, and a Binance listing already booked. Rounds are closing out fast, and every hour that ticks against the bell tightens the window before this entry disappears.

Click To Visit Pepeto Website To Enter The Presale

FAQs

What signal is Ethereum price news flashing for ETH in April 2026?

Ethereum price news shows ETH marked at $2,410 after reclaiming $2,400 on April 22, while Bitmine reported a 4.98 million ETH treasury worth $11.5 billion with 101,627 ETH bought last week per CoinDesk. Spot ETH ETF flows ran positive for five straight sessions per CoinMarketCap.

Which is the top crypto to buy with proven utility and viral meme energy right now?

Pepeto is the top crypto to buy today because the project runs a live SolidProof cleared exchange with zero fee swaps and a cross chain router, built by the Pepe builder. The round pulled $9.29 million at $0.0000001865 with 179% APY staking and a booked Binance listing ahead.

Disclaimer: This is a Press Release provided by a third party who is responsible for the content. Please conduct your own research before taking any action based on the content.

Blockstream CEO Adam Back, the British cryptographer and inventor of Hashcash, said it’s “flattering” that people think he’s Satoshi Nakamoto and was probably the result of his being a little too “talkative” on the cypherpunk mailing list that started it all. 

Back was speaking in a fireside chat with Cointelegraph at the recent LONGITUDE event in Paris, co-hosted by crypto exchange OKX, with discussions centered on crypto regulation, market structure and the growth of stablecoins.

Adam Back denies renewed suggestions that he invented Bitcoin

“It is flattering in some sense that they think you could have done it,” Back told Cointelegraph, reflecting on the widely publicized New York Times article on April 8 that suggested he is Satoshi, a claim he has denied. 

Back said there is a logical reason people think he’s Bitcoin’s creator. “The problem for me is I was very talkative on the mailing list,” he said, referring to the 1992 Cryptography Mailing List, where Satoshi later introduced the Bitcoin white paper in October 2008.

“So anytime anyone was talking about electronic cash, I was right there, I was the reply guy with something to say about it,” he said. 

Back said the mystery behind Satoshi is an “interesting question” that he and others in the industry have pondered but never answered.

Prior to the fireside with Back, the event also featured three panels covering the role of traditional financial institutions in Web3, the need for clearer regulation and the pace of stablecoin adoption, alongside a separate fireside chat with OKX Europe CEO Erald Ghoos.

MiCA is “extremely beneficial,” but brings risks to innovation

Crypto industry executives said recent moves to regulate the industry have been positive for improved clarity, but regulatory fragmentation and overregulation could hurt innovation. 

In an onstage interview, Ghoos shed light on the Markets in Crypto-Assets (MiCA) regulation, a framework with which OKX Europe was deemed fully compliant in January 2025.

“I think MiCA is extremely beneficial for the industry,” Ghoos said, explaining that it has helped to build trust in crypto. 

“Now it is a fully regulated asset class, which is very important,” Ghoos said, adding that industry participants will be “vetted and held up to the highest standards.”

However, he warned that the “regulatory burden” could slow innovation across Europe.

“Right now, because there is such a big and heavy regulatory overhead for startups, I do fear even more that the innovation and the great entrepreneurship that we have in Europe will start to shift to other jurisdictions around the world,” he said.

CertiK CEO Ronghui Gu said the lack of a unified global framework is a pain point for the industry.

“For developers, for crypto companies in different regions, they are still under different compliance frameworks,” Gu said. 

Commenting on the proposed US CLARITY Act, which has been delayed largely because of unresolved issues around stablecoin yields impact on the banking system, Gu said that while the bill aims to bring structure, “many terms are not that clear to be honest, and a little bit vague.” 

“I think different firms have different interpretations and so on,” he added.

“But I would say it definitely gives a much more friendly environment to crypto companies, to developers,” he added.

Cardano Foundation CEO Frederik Gregaard said he is “very confident” the CLARITY Act will pass soon, adding: “You feel the vibration from the policymakers saying we are going to adopt this,” he said.

“They are super stoked about it,” Gregaard added.

“When this passes, from the non-TradFi adoption, you are going to see 100X,” Gregaard said, arguing that “classical industries” have been waiting for clarity before embracing the technology.

US Senator Thom Tillis of North Carolina said on Monday that he does not expect the Senate Banking Committee to mark up the legislation, also known as the CLARITY Act, in April and has recommended that Senate Banking Chair Tim Scott schedule it for next month.

Payments industry does a good job of “almost faking” real-time payments

Mastercard’s senior vice president for blockchain and digital assets, Christian Rau, said that stablecoins are “very well suited for payment purposes” during a panel with Stella Development Foundation chief business officer Raja Chakravorti and Ethereum Foundation enterprise lead Matthew Dawson.

“They don’t come with the volatility of other digital assets, given that they enjoy regulatory clarity in a lot of the world,” Rau said.

Rau said the traditional payments industry does a “good job of almost faking real-time payments.”

“When I tap my card, it says transaction approved or payment made…it’s authorization, clearing, and settlement,” he said.

“A lot of the things that work arguably very well today, they still come with time delays, costs, and so forth,” he added.

Related: How Mastercard plans to settle card payments with stablecoins

Meanwhile, Stella Foundation’s Chakravorti pointed to the roughly $317 billion in stablecoin circulation, which is up about 50% from last year, adding that he is starting to see some short-term cooling.

“Although to be clear, over the last two quarters, that’s started to slow down a little bit,” calling it a positive sign as it suggests parts of the underlying infrastructure are starting to mature.

“I think this next transition is local stablecoins, because people are now very focused on creating that opportunity in their economy as super important,” he said.

Chakravorti pointed to the “last mile” as one of the biggest hurdles for adoption, referring to the challenge of turning digital assets into something “workable” inside local financial systems.

“I think it is the absolute key, ultimately, that is where all the friction lies within this system,” he said.

Magazine: Adam Back says current demand is ‘almost’ enough to send Bitcoin to $1M