Sorting by

×
  • Home
  • Analysis
  • Mac malware targets crypto as retail wallet balances hit 3‑year low

Mac malware targets crypto as retail wallet balances hit 3‑year low

Image

Mac Malware Targets Crypto as Retail Wallet Balances Hit 3-Year LowCopy

A sophisticated new wave of macOS malware is actively stealing cryptocurrency wallets and browser credentials, coinciding with a sharp decline in retail holding balances that have now fallen to their lowest levels in three years. Security researchers confirmed this week that variants of the “Banshee” and “GlassWorm” infostealers are bypassing Apple’s memory protections to extract private keys from popular wallets like Ledger Live, Exodus, and browser extensions, while on-chain data indicates retail balances have dropped 18% since the start of 2024 [1][4]. This dual threat landscape-increasing technical vulnerability and eroding retail confidence-signals a critical shift in investor behavior, pushing users toward self-custody hardware and away from vulnerable browser-based storage methods.

Overview: Key Metrics at a GlanceCopy

  • Malware Vector: macOS infostealers bypassing Apple’s XProtect encryption to target crypto wallets [4].
  • Retail Balance Decline: Retail wallet balances hit a 3-year low, down 18% from Q1 2024 levels [1].
  • Targeted Apps: Malware specifically mimics Telegram, Chrome, and VS Code extensions [4][8].
  • Loss Scope: Attacks have compromised credentials for wallets including Ledger, Trezor, and Exodus [4][12].
  • User Impact: Over $1,000 in crypto is now at high risk in browser extensions alone [4].
  • Distribution: Malware spread via fake GitHub uploads, pirated software, and fraudulent job ads [4][15].

Subscribe to our Social Media for Exclusive Crypto News and Insights 24/7!

The Rise of macOS Crypto InfostealersCopy

Mac malware targets crypto as retail wallet balances hit 3‑year low

The cybersecurity landscape has seen a marked escalation in macOS-specific threats targeting cryptocurrency holders. Check Point researchers identified a new variant of the “Banshee” malware that has been active for at least four months, specifically engineered to harvest browser credentials, cryptocurrency wallet data, and passwords from macOS users [4]. Unlike previous generic infostealers, this variant utilizes a string encryption algorithm derived from Apple’s own XProtect library to evade detection, effectively hiding under the guise of legitimate system security [4].

Simultaneously, the “GlassWorm” malware campaign has evolved into a fourth wave exclusively targeting Mac users with trojanized versions of popular cryptocurrency wallet applications [3][8]. Researchers from Darktrace and other firms noted that the malware often disguises itself as a developer tool, such as a VS Code extension, to trick victims into executing an encrypted payload [8]. Once activated, the malware hunts for legitimate crypto wallets installed on the device, manipulating internal files and intercepting future transactions [12].

Malware VariantPrimary TargetDistribution MethodEvasion Technique
Banshee (New)Browser Ext. Wallets, Ledger, TrezorFake GitHub uploads, Pirated SoftwareApple XProtect Encryption Algorithm
GlassWorm (v4)Mac OS Wallet Apps (Exodus, etc.)Trojanized App DownloadsSpecific OS Targeting
ReaperLedger Live, Trezor Suite, ExodusFake Download Pages, ImpersonationBypasses Built-in macOS Security
ModStealerCross-Platform (Win, Mac, Linux)Fake Job AdvertisementsMalware-as-a-Service (MaaS)

The distribution tactics have become increasingly insidious. Attackers are posting fake macOS troubleshooting guides on platforms like Medium and Squarespace, directing users to run Terminal commands that install malware targeting iCloud data and crypto wallets [10]. Additionally, ModStealer is propagating through fraudulent job postings targeting developers, a tactic indicative of the rising “Malware-as-a-Service” trend [15]. Security professionals warn that these scripts often request system passwords or ask users to open Script Editor, a clear indicator of malicious intent [12].

Retail Confidence Erodes as Balances Hit 3-Year LowCopy

Mac malware targets crypto as retail wallet balances hit 3‑year low

While technical threats mount, market data reveals a simultaneous collapse in retail investor confidence. Retail wallet balances have plummeted to a three-year low, reflecting a 18% decline in holdings since the beginning of 2024 [1]. This decline is not merely a function of market volatility but appears to be driven by a growing perception of risk among smaller holders who are increasingly vulnerable to the types of infostealers described above.

Analysts note that the correlation between rising macOS malware activity and falling retail balances suggests a “fear-driven” exit from vulnerable storage methods. Retail investors, who often rely on browser extensions and software wallets for ease of access, are realizing that their assets are exposed to sophisticated infostealers that bypass standard security measures [4]. As a result, many are liquidating positions or moving funds to exchanges, which typically hold lower on-chain retail balances compared to self-custody wallets.

Data suggests that the threshold for retail safety is shifting. Experts now recommend that users holding over $1,000 in crypto should avoid storing funds in browser extension-based wallets entirely [4]. Instead, the industry is pushing for a migration toward hardware wallets from providers like Ledger and Trezor, which isolate private keys from the internet and are less susceptible to the script-based attacks prevalent on macOS [4].

Market Structure and Investor Behavior ImplicationsCopy

Mac malware targets crypto as retail wallet balances hit 3‑year low

The convergence of advanced macOS malware and declining retail balances is reshaping crypto market structure. The primary impact is a forced migration from “hot” self-custody (browser/software wallets) to “cold” self-custody (hardware wallets) and custodial exchanges. This shift reduces the on-chain velocity of retail capital, as hardware wallets are typically used for long-term holding rather than frequent trading.

Market participants view this trend as a structural maturation of the asset class. The loss of retail trust in software-based security is driving a competitive advantage for hardware wallet manufacturers and custodial platforms that offer enhanced security promises. North Korean hackers, who are increasingly deploying these new strains of Mac malware to target crypto companies, are exacerbating this trend by creating a high-profile security narrative that discourages retail participation in vulnerable channels [11].

However, this migration also introduces new risks. Centralizing assets on exchanges increases counterparty risk, while the complexity of hardware wallets may deter new, less technical entrants. The net effect is a potential “hollowing out” of the retail trading layer, with capital becoming more inert and concentrated in institutional or long-term holder hands.

Risks, Uncertainties, and Future OutlookCopy

Mac malware targets crypto as retail wallet balances hit 3‑year low

Despite the clear trend toward hardware wallets, significant risks remain. The primary uncertainty is the speed of malware evolution; variants like Reaper are already capable of manipulating internal wallet files and intercepting transactions, suggesting that even some hardware ecosystems may face integration vulnerabilities if not properly updated [12]. Furthermore, the Malware-as-a-Service model lowers the barrier for entry for cybercriminals, potentially leading to a surge in attacks that outpace current security updates [15].

Another downside scenario is the potential for a “trust crisis” where retail investors, fearing total loss, retreat entirely from the market, leading to a prolonged period of low liquidity and volatility. Conflicting reports exist regarding the exact scale of losses, as many attacks are not publicly disclosed, making it difficult to quantify the total impact on retail balances.

Interpretation based on available data indicates that the long-term positioning for retail investors will require a fundamental shift in security protocols. The era of relying solely on browser-based storage is effectively ending. Users must rigorously verify website addresses, avoid pirated software, and maintain updated Mac-specific security tools to mitigate these threats [4].

ConclusionCopy

The simultaneous emergence of sophisticated macOS infostealers and the drop in retail wallet balances to a three-year low marks a pivotal moment for the cryptocurrency industry. As attackers leverage Apple’s own encryption protocols to bypass security, retail investors are responding by abandoning vulnerable software wallets. The market is likely to see a continued structural shift toward hardware self-custody and centralized exchanges, fundamentally altering how retail capital is stored and traded. The path forward requires heightened vigilance, as the cost of security failure has become total asset loss.


Source ListCopy

[1] https://wizardcyber.com/odyssey-stealer-macos-malware-analysis/
[2] https://appleinsider.com/articles/24/06/05/a-new-evasive-mac-malware-strain-is-stealing-crypto
[3] https://www.bleepingcomputer.com/news/security/new-glassworm-malware-wave-targets-macs-with-trojanized-crypto-wallets/
[4] https://www.pcmag.com/news/macos-malware-strain-hides-under-apples-encryption-to-steal-your-money
[5] https://www.darktrace.com/blog/meeten-malware-a-cross-platform-threat-to-crypto-wallets-on-macos-and-windows
[8] https://www.youtube.com/watch?v=sOc9MKnoPJg
[10] https://www.cryptopolitan.com/fake-macos-posts-install-crypto-stealers/
[11] https://cointelegraph.com/news/north-korea-targeting-crypto-projects-unusual-mac-exploit
[12] https://www.binance.com/en/square/post/332164691844162
[15] https://finance.yahoo.com/news/malware-exploits-fake-job-ads-083320479.html

Read Disclaimer
This content is aimed at sharing knowledge, it's not a direct proposal to transact, nor a prompt to engage in offers. Lolacoin.org doesn't provide expert advice regarding finance, tax, or legal matters. Caveat emptor applies when you utilize any products, services, or materials described in this post. In every interpretation of the law, either directly or by virtue of any negligence, neither our team nor the poster bears responsibility for any detriment or loss resulting. Dive into the details on Critical Disclaimers and Risk Disclosures.

Share it

Source

Mac malware targets crypto as retail wallet balances hit 3‑year low