They Don’t Need Your Password
A macOS information stealer can clone active Telegram sessions, pair stolen wallet files with saved passwords, and replace Ledger or Trezor software with phishing apps. It does not break trust. It carries it away.
A password protects a login. Two-factor authentication protects a new device. A hardware wallet keeps private keys away from the computer. All three controls are useful, and all three begin to lose meaning when the computer itself is already trusted.
That is the real story behind a newly analysed macOS information stealer investigated by blockchain security firm SlowMist. The malware is not built around a spectacular new cryptographic break. It does something more practical. It harvests the pieces of trust already stored across the victim’s Mac, takes them off the machine, and assembles them into several independent routes towards account takeover and asset theft.
The targets include the macOS Keychain, browser credentials and cookies, Apple Notes, active Telegram sessions, local data from 16 cryptocurrency wallet applications, and storage associated with hundreds of browser wallet extensions. In some cases, the malware carries away an encrypted wallet database and a collection of possible passwords so the attacker can test them offline. In others, it removes legitimate hardware-wallet software and replaces it with an identical-looking desktop application designed to capture the recovery phrase directly.
Most strikingly, it can copy an already authenticated Telegram session to another Mac. No phone number is entered. No SMS code is requested. The account’s two-step verification password is never challenged. The attacker is not breaking the login. The attacker is arriving with proof that the login has already happened.
This is not simply credential theft. It is the theft of the trusted device itself, reduced to a collection of portable files.
The Mac as a collection of spare keys
The attack begins by gathering anything that may unlock something else.
According to SlowMist’s technical reconstruction, the sample displays a fraudulent administrator prompt disguised as an update for a Google API connector. It does not merely accept whatever the user types. It checks the supplied password against the local macOS account, allowing the malware to confirm that it has captured the real system password before moving further into the machine.
At the same time, it searches for the Chrome Safe Storage key held in the macOS Keychain. That key can help decrypt browser login data and cookies collected from Chrome and other Chromium-based browsers. Firefox credential files are taken too. The malware also copies the user’s login Keychain and the local Apple Notes database, because a note containing a password, Telegram passcode, exchange recovery code or seed phrase is as useful to an attacker as any formal credential store.
None of these files necessarily gives the attacker everything. That is precisely why the malware collects all of them. A wallet database may be encrypted. A browser password may be irrelevant. A note may contain nothing sensitive. But once the attacker has the database, the browser vault, the Keychain, the cookies, the notes and the system password together, apparently separate fragments begin to function as a set.
The malware is not looking for one master key. It is stealing the entire key ring.
2FA is not broken. It is never asked
Telegram Desktop stays logged in by storing session material inside its local tdata directory. That material tells Telegram that this client has already been authorised. SlowMist copied the stolen session files into a compatible test environment and launched Telegram Desktop. The login screen did not appear. The client opened the test account and began synchronising its chat history despite two-step verification being enabled.
This needs to be described accurately. The malware does not crack Telegram’s two-step verification password and it does not defeat the cryptography protecting a new login. It restores an existing authorisation, so the new-login controls never enter the process.
SlowMist also found that the restored session did not consistently appear as an obvious newly authorised device during its tests. The session could be converted into a programmable Telegram API session, allowing intermittent access to conversations and message sending without maintaining a noisy permanent connection. Server-side anomaly detection may eventually limit or invalidate a stolen session, but it does not make the copied session harmless in the meantime.
The native Telegram for macOS client was vulnerable to the same broad form of session reuse in SlowMist’s testing. Even after suspicious behaviour restricted a copied client’s ability to send and receive new messages, locally cached chat history remained readable.
For a private user, that is an invasion. For a project team, trading desk, DAO or development group, it is an intelligence breach. One compromised machine can expose private discussions, internal files, counterparties and the context required to impersonate trusted people convincingly. Telegram can secure its servers and still lose the room through a laptop already invited inside.
Carrying away the safe
The wallet operation follows a different route.
The malware searches for local data belonging to 16 applications. The list includes Electrum, Coinomi, Exodus, Atomic, Wasabi, Monero, Electrum LTC, Electron Cash, Guarda and Sparrow; the Bitcoin, Litecoin, Dash and Dogecoin Core clients; and the Ledger Live and Trezor Suite companion applications. It also checks browser profiles against a built-in list of 223 wallet-related extension identifiers.
Stealing an encrypted wallet database is not the same as obtaining its recovery phrase. SlowMist makes that limitation clear. But encryption works rather differently once the attacker can take the database away and test passwords against it indefinitely, beyond the view of the victim and without rate limits imposed by the original application.
In an isolated reproduction using Atomic Wallet, SlowMist paired the copied database with passwords gathered from the Mac. One of those candidates successfully decrypted the material required to control the wallet’s assets. The wallet’s cryptography had not failed. The attacker had stolen the safe and then found the right key elsewhere in the same house.
This is the compounding danger of an information stealer. Password reuse, saved credentials and encrypted local files may each appear to be separate risks. The malware turns them into one attack surface.
Once a private key or recovery phrase has been recovered, changing the wallet password achieves almost nothing. The secret controlling the assets is no longer bound to that installation. It can be imported into another client, on another machine, anywhere in the world.
When the trusted app becomes the phishing site
Ledger and Trezor users face a second attack path, and it is arguably the more psychologically sophisticated of the two.
The sample analysed by SlowMist terminated legitimate wallet processes, removed the installed Ledger or Trezor applications, and placed replacements in the Applications folder. These were not modified versions of the real software. They were lightweight web loaders wearing the original names and icons, built to display pages controlled remotely by the attacker.
To the victim, the prompt is not sitting in a suspicious browser tab. It appears inside the desktop application they already know. A request for a recovery phrase can be presented as an update, a security check or a wallet restoration step. The hardware device may remain perfectly secure while the human is persuaded to surrender the secret that makes the hardware irrelevant.
This is where the old advice to “never type your seed phrase into a website” becomes inadequate. The website is now hiding behind the icon of an installed application. The interface looks local. The machine feels familiar. Trust in the hardware wallet is quietly transferred to software that the hardware manufacturer did not write.
A hardware wallet can isolate a private key. It cannot stop its owner entering the recovery phrase into a counterfeit interface.
Crypto’s security perimeter has moved
Crypto security is often discussed at the level of chains, validators, multisignatures, smart contracts and custody models. This malware operates beneath all of them. It attacks the general-purpose computer through which users reach those systems and exploits the permissions, sessions and habits accumulated there over time.
The important distinction is not between Windows and macOS. It is between a device that has merely been infected and a device that has already been trusted by every important service the victim uses. The latter is vastly more valuable. It contains logged-in sessions, remembered decisions, locally encrypted secrets and familiar applications through which the user can be manipulated.
As more founders, traders, developers and high-value cryptocurrency users adopt macOS, attackers have a clear economic reason to build for it. The platform’s reputation for safety may even improve the opportunity. A user who believes malware is principally a Windows problem is less likely to question an unexpected system prompt or verify the signature of an application that appears to have updated itself.
The result is a security model with an uncomfortable centre. The blockchain can remain immutable. The hardware wallet can perform exactly as designed. Telegram’s 2FA can remain intact. The attacker can still win by stealing the authorisation already living on the endpoint and then persuading the user to complete whatever the stolen files cannot.
What to do if the machine may be compromised
If there is any reason to believe this malware, or a similar information stealer, has touched a Mac, removing the suspicious application is not enough. Data that has already left the machine cannot be recalled.
From a separate, trusted device, terminate existing Telegram sessions, establish a clean login, and change both the Telegram two-step verification password and the local Desktop Passcode. Rotate passwords stored in or reused across the Keychain, browsers and Apple Notes, prioritising email, exchanges, cloud storage, password managers and social accounts. Sign out existing sessions wherever the service allows it.
If wallet data or recovery material may have been exposed, create a completely new seed on a clean device or trusted hardware wallet and transfer the assets to addresses derived from that new seed. Do not merely change the wallet password and continue using the old recovery phrase. If a seed was entered into a replaced Ledger or Trezor application, it must be treated as compromised.
Wallet companion software should be reinstalled only from the manufacturer’s official source, with its code signature verified. The machine should also be inspected for persistence mechanisms before it is trusted again. Enabling a strong, unique Telegram Desktop Passcode adds useful local protection, but it should not be stored in the same Keychain, browser or notes collection that an information stealer is designed to harvest.
The lesson is not that 2FA is useless, hardware wallets are broken or macOS cannot be secured. It is that none of these controls exists in isolation. They meet on the endpoint, and the endpoint remembers far more than most users realise.
The most dangerous thing this malware steals is not a password. It is the accumulated evidence that the person behind the screen has already been trusted.
---
Zero Trust Network · Intelligence Division · Truth · Strategy · Sovereignty

Discussion