discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.
Featured

MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist

A new macOS malware is stealing credentials to hijack Telegram sessions and compromise cryptocurrency wallets, according to blockchain security firm SlowMist.

By Zoltan Vardai·Jul 17·cointelegraph.com·2 min read

Intelligence analysis by Gemini 2.5 Flash

MacOS malware hijacks Telegram sessions, targets crypto wallets: SlowMist
Image: cointelegraph.com

The sophisticated malware targets macOS Keychain, browser data, Apple Notes, and over a dozen crypto wallets, including both software and hardware wallet applications. It can reuse authenticated Telegram Desktop sessions to bypass two-factor authentication and trick users into revealing recovery phrases through fake applications.

Why it matters

This malware poses a significant threat to cryptocurrency investors using macOS, as it can lead to direct financial losses by compromising wallets and enabling attackers to impersonate users on Telegram, potentially spreading further scams.

Imagine a sneaky computer program that secretly peeks into your digital diary (your saved passwords) and then uses what it finds to pretend to be you on your chat app (Telegram) without needing your secret code. It also tries to find your digital piggy banks (crypto wallets) to take your money. It's like a thief who finds your house key and then uses it to get in and steal your valuables.

Analysis

Multi-faceted Attack Vector

This newly identified macOS malware represents a sophisticated threat, combining several techniques to compromise cryptocurrency assets and user accounts. According to blockchain security firm SlowMist, the malware is designed to harvest a wide array of sensitive data from infected devices. This includes credentials stored in the macOS Keychain, browsing data from Safari cookies, notes from Apple Notes, and critical information from Telegram Desktop. Crucially, it also targets databases associated with more than a dozen popular cryptocurrency wallets, encompassing both software solutions like Exodus, Atomic, Electrum, Wasabi, and Monero, as well as applications for hardware wallets such as Ledger Live and Trezor Suite. Furthermore, it seeks out wallet data from full-node clients like Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core, indicating a broad and indiscriminate approach to data exfiltration.

Telegram Session Hijacking Explained

One of the most concerning aspects of this malware is its ability to hijack authenticated Telegram Desktop sessions. Unlike typical phishing attacks that require users to enter login credentials, this malware bypasses such requirements by copying and reusing existing session data. SlowMist's research demonstrated that attackers can restore a stolen Telegram Desktop session on another Mac without needing a phone number, verification code, or even a two-step verification password. This capability allows attackers to gain full control over a user's Telegram account, enabling them to send messages, access contacts, and potentially spread malicious links or solicit funds from the victim's network, all while remaining undetected by standard security measures like 2FA.

Mitigation and Proactive Defense

Given the severity of this threat, SlowMist has issued urgent recommendations for users who suspect their devices may have been compromised. The immediate steps include terminating all existing Telegram sessions, establishing a new trusted login, and changing both the Telegram two-step verification password and Telegram Desktop Passcode. Beyond Telegram, the security firm advises generating a completely new recovery phrase on a clean, uninfected device and transferring all cryptocurrency assets to new, secure addresses. This comprehensive approach is vital for mitigating potential losses and re-establishing control over digital assets and communication channels, highlighting the ongoing need for vigilance and robust security practices in the cryptocurrency space.

Key points

  • A new macOS malware targets cryptocurrency investors by stealing credentials and hijacking Telegram Desktop sessions.
  • The malware collects data from macOS Keychain, Safari cookies, Apple Notes, and over a dozen crypto wallets, including Ledger Live and Trezor Suite applications.
  • It can reuse authenticated Telegram sessions, bypassing two-factor authentication, and trick users into revealing recovery phrases.
  • SlowMist recommends immediately terminating Telegram sessions, changing passwords, and transferring assets to new wallet addresses if compromise is suspected.
The Downside

This malware could lead to significant financial losses for affected macOS users, eroding trust in the security of digital assets on this platform. The ability to bypass 2FA on Telegram also opens doors for further social engineering attacks and the spread of scams, potentially impacting a wider network of users.

Originally reported at

cointelegraph.com

Discernion covers the story. Read the full piece at the source.

Tagscryptosecuritymalwarecybersecuritywalletmacos

Author

Zoltan Vardai

Intelligence analysis by

Gemini 2.5 Flash

Published

Jul 17, 2026

Source

cointelegraph.com

Share

Topics

cryptosecuritymalwarecybersecuritywalletmacos

Related

More from this desk

Jul 17·cointelegraph.com

FTX to Distribute $900M to Creditors in Fifth Payment Round

FTX to distribute $900M to creditors in fifth payment round. The FTX Recovery Trust and company have distributed about $10 billion since the exchange filed for bankruptcy in November 2022.

digital euro europe European Central Bank money politics ecb banking stablecoins
Jul 17·decrypt.co

ECB Warns Stablecoins May Drain Bank Deposits—Here's What That Means

ECB board member Cipollone warned that stablecoin growth could strip European banks of retail deposits, on top of the fees and transaction data they're already losing to mobile payment platforms.

Jul 17·cointelegraph.com

Galaxy lands 15-year Texas Tech stadium naming rights deal

Galaxy Digital has signed a 15-year naming rights agreement with Texas Tech, renaming the university's football stadium Galaxy Stadium. The partnership also makes Galaxy the official data center and digital assets partner of Texas Tech Athletics.

Jul 17·cointelegraph.com

Consensys unknowingly outsourced developer work to North Korean

Consensys, a blockchain company, unknowingly outsourced developer work to a North Korean software developer who had access to some of its systems for a month. The company has temporarily suspended product releases and is conducting an investigation into the matter.