Stay connected with KayaToday, follow us on Instagram and Facebook for the latest news and reviews delivered straight to you.
Two-step verification is supposed to be the safety net. The problem is that a newly documented macOS malware does not bother trying to break through it. Instead, it simply walks around it, stealing the authenticated session that already exists on your device and replaying it elsewhere. Blockchain security firm SlowMist published findings this week detailing an information-stealing malware for macOS that can hijack Telegram Desktop sessions and compromise a wide range of cryptocurrency wallets in a coordinated, multi-stage attack.
The implications are significant for anyone who stores crypto on a Mac and uses Telegram, which remains one of the dominant messaging platforms in the crypto community across Southeast Asia and globally. The attack does not require a user to click a phishing link at the moment of compromise or enter credentials into a fake site. Once the malware is on the machine, it works quietly through what is already there.
How the Attack Chain Actually Works
SlowMist confirmed it reproduced the full attack chain in an isolated environment, which gives the findings credibility beyond theoretical vulnerability disclosure. The malware operates in coordinated stages rather than as a single blunt instrument.
First, it harvests data broadly: passwords from the macOS Keychain, cookies from Safari, content from Apple Notes, and session data from Telegram Desktop. It also sweeps databases associated with more than a dozen cryptocurrency wallets. That initial harvest gives attackers both credentials and authenticated state.
The Telegram hijack is particularly notable because of how it sidesteps a security control that most users believe protects them. When SlowMist researchers restored stolen Telegram Desktop session data onto a separate Mac, they were able to access the account without entering a phone number, a verification code, or a two-step verification password. The reason is straightforward: the malware does not attempt a new login. It copies the existing authenticated local session and reuses it. Telegram’s two-step verification is designed to block new logins, not to invalidate sessions that are already authenticated on a device.
On the wallet side, attackers have two main paths available after the initial data collection. They can attempt to decrypt stolen wallet database files offline, using the passwords already harvested from the infected machine’s Keychain. Alternatively, the malware can replace legitimate Ledger Live or Trezor Suite applications with fake versions designed to prompt users into typing their recovery phrases, which are then captured. Either path leads to the same outcome: full access to funds.
Which Wallets Are in the Crosshairs
The malware’s target list covers a broad sweep of the crypto wallet ecosystem. On the software side, SlowMist identified Exodus, Atomic, Electrum, Wasabi, and Monero wallets as targets. Hardware wallet applications, specifically Ledger Live and Trezor Suite, are also in scope through the fake-app substitution method described above.
The malware goes further still, searching for wallet data held by full-node clients including Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core. That last category is relevant to more technically sophisticated users who run their own nodes, a group that might reasonably assume they are better protected than average. The breadth of the target list suggests the malware was built with deliberate comprehensiveness rather than opportunism.
The combination of software wallet database theft, hardware wallet application spoofing, and full-node data harvesting into a single coordinated package is what makes this threat more serious than a typical infostealer. Attackers can pursue whichever compromise method is most viable given what they find on a specific device.
What Affected Users Should Do Right Now
SlowMist issued specific remediation guidance for users who suspect their devices may have been compromised. The steps are sequential and each one matters.
For Telegram, users should immediately terminate all existing active sessions through Telegram’s settings, then establish a fresh trusted login from a clean state. After that, both the Telegram two-step verification password and the Telegram Desktop Passcode should be changed. Changing the passcode alone is insufficient if active sessions from the compromised device remain open elsewhere.
For cryptocurrency holdings, SlowMist’s recommendation is more drastic but appropriate given the risk: generate a completely new recovery phrase on a device that is known to be clean, then transfer all assets to the new addresses derived from that phrase. Any wallet whose seed phrase may have been exposed, either through database decryption or through a fake Ledger or Trezor application, should be treated as fully compromised. Funds remaining in those wallets are at risk for as long as they stay there.
For Malaysian and Singaporean crypto holders, the practical takeaway is that macOS is not inherently safer than other platforms when it comes to targeted malware, a misconception that persists in some circles. The Securities Commission Malaysia and the Monetary Authority of Singapore have both emphasised user-level security hygiene in their broader digital asset guidance, and this attack is a concrete illustration of why that guidance exists.
The deeper issue this attack surfaces is the gap between what users believe their security measures protect and what those measures actually cover. Two-step verification is a meaningful control for blocking unauthorised new logins. It was never designed to invalidate sessions that a device has already authenticated. Malware that understands this distinction and exploits it is more sophisticated than the average credential-stealer, and it demands a correspondingly more thorough response from anyone who may have been exposed.
Read More: Aave’s Avalanche Move Is About More Than a New Chain. It’s a Bet on Tokenized Credit