Crypto World

macOS Malware Hijacks Telegram Sessions to Target Crypto Wallets

Published

on

A macOS information-stealing malware can compromise Telegram Desktop sessions and, from there, target both software and hardware cryptocurrency wallets, according to blockchain security firm SlowMist. The report describes an attack chain that harvests credentials and wallet data from multiple macOS sources, then leverages that access to swap or drain funds through techniques that do not rely on breaking Telegram’s two-step verification in the usual way.

SlowMist says the malware extracts secrets from macOS Keychain, Safari cookies, Apple Notes, Telegram Desktop and database files tied to more than a dozen cryptocurrency wallets. After collecting passwords and authenticated session data, it copies Telegram Desktop session information along with wallet databases and browser wallet extension data, enabling follow-on account takeover attempts.

Key takeaways

  • SlowMist reports malware can hijack existing Telegram Desktop sessions on macOS by reusing authenticated local data rather than forcing a new login.
  • In addition to stealing passwords, the malware targets wallet databases and application data for both popular software wallets and hardware wallet managers.
  • Telegram two-step verification may not block the attack because the malware avoids the need to pass verification challenges.
  • SlowMist outlines two follow-up strategies: offline wallet database decryption using harvested passwords, or replacing wallet apps (e.g., Ledger/Trezor software) with decoys to capture recovery phrases.

How Telegram Desktop becomes the entry point

SlowMist’s core warning is that Telegram Desktop accounts on macOS may be compromised even when users have enabled two-step verification. The reason, the firm says, is architectural: instead of creating a fresh login that requires verification, the malware reuses an already authenticated local session stored on the device.

In its tests, SlowMist restored stolen Telegram Desktop session data on another Mac without requiring the user to enter a phone number, verification code, or two-step verification password. That distinction matters for users because two-step verification is designed to protect logins, while this method targets session material that can be carried over to a new environment.

The practical takeaway is that Telegram Desktop should be treated as a high-value target when credentials and session files are accessible to malware. If an attacker can move a session to another machine, subsequent steps—such as obtaining access to linked accounts, exchanging information, or guiding victims toward risky actions—can proceed without triggering the protections that apply to new authentication.

Advertisement

Wallet data theft spans software wallets, hardware managers, and node databases

SlowMist says the malware is not limited to Telegram. It also harvests wallet-related data from a wide range of sources, including wallet applications and full-node clients.

On the wallet side, SlowMist names software wallets such as Exodus, Atomic, Electrum, Wasabi and Monero. It also points to targeting hardware wallet software interfaces, including Ledger Live and Trezor Suite—software layers that manage hardware devices and frequently coordinate how users view balances and initiate transactions.

Beyond standalone wallets, the report says the malware searches for wallet data stored by full-node clients, listing Bitcoin Core, Litecoin Core, Dash Core and Dogecoin Core among those affected. For investors and traders, the implication is straightforward: wallet information does not only live in wallet apps. If malware can reach local storage associated with node software, it may uncover additional material that helps attackers attempt to access or reproduce wallet capabilities.

SlowMist also describes collecting data beyond wallet databases, including Safari cookies and Apple Notes. Those components can increase an attacker’s ability to persist access, understand user behavior, or extract sensitive information that is not stored in one dedicated wallet folder.

Advertisement

Offline cracking and fake recovery flows

After harvesting passwords and authenticated session data, SlowMist says attackers can attempt to decrypt stolen wallet databases offline. The attacker would use passwords taken from the infected device, reducing the need for repeated online attempts that might trigger rate limits or other defenses.

SlowMist also describes a second approach: replacing legitimate Ledger and Trezor applications with fake versions. In this scenario, victims could be tricked into entering recovery phrases into the counterfeit software—an especially dangerous outcome because recovery phrases are effectively “master keys” for accessing funds.

SlowMist states it reproduced the attack chain in an isolated environment, supporting its claim that the described steps can be executed together rather than as unrelated capabilities.

For users, the key risk is that wallet compromise can be multi-stage. Even if attackers initially acquire Telegram session access, the malware’s broader collection of wallet databases and application data can enable direct attempts to extract value or pivot to social engineering that captures recovery credentials.

Advertisement

Why Telegram’s usual protections may not be enough

SlowMist’s findings highlight a recurring theme in account takeover incidents: security features sometimes assume a specific threat model. Telegram two-step verification helps protect new logins, but the malware’s method—carrying over an authenticated local session—changes the conditions.

Instead of challenging the user during sign-in, the attacker operates with session data that the device has already established. That makes “I turned on 2FA” less reassuring when malware is already present and can read session-related files.

SlowMist also recommends immediate operational steps for anyone who suspects compromise. It urges users to terminate existing Telegram sessions, create a new trusted login, and update both the Telegram two-step verification password and the Telegram Desktop Passcode. Those steps aim to invalidate the hijacked session material and force Telegram to re-establish trust through a fresh authentication flow.

The firm further advises generating a new recovery phrase on a clean device and moving assets to new addresses. The goal is to break the link between the compromised wallet state and the assets that need protection. If wallet apps or recovery material were exposed, reusing the same recovery phrase after a compromise can leave funds vulnerable to attackers who already have enough information to regain access.

Advertisement

SlowMist’s report serves as a reminder that cryptocurrency security is not only about securing keys on paper or enabling 2FA on messaging apps. When malware can access both session data and wallet databases locally, protections must extend to device hygiene and rapid incident response. Users should watch closely for signs of compromise, verify which Telegram sessions remain active, and be prepared to move funds to fresh addresses after any suspected infection.

Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure

Source link

Advertisement

You must be logged in to post a comment Login

Leave a Reply

Cancel reply

Trending

Exit mobile version