Security researchers from Malwarebytes and SOC Prime have uncovered a sophisticated phishing campaign targeting macOS users that bypasses traditional security checks to drain cryptocurrency wallets. By impersonating the legitimate BlueWallet application, attackers are using a clever social engineering trick involving AppleScript to bypass Apple’s Gatekeeper and steal everything from seed phrases to browser logins.
By Elena Kowalski | June 7, 2026
For years, the common wisdom in the cryptocurrency community was that Mac users were “safer” than their Windows-using counterparts. However, a new wave of attacks is proving that the walled garden of macOS is no match for clever social engineering. The latest threat involves a highly realistic clone of the BlueWallet website, located at a deceptive domain: update-bluewallet[.]com. While the real wallet operates at bluewallet.io, this fake version is designed for one purpose only: to trick you into handing over the keys to your digital kingdom.
This is not a traditional “hack” of the BlueWallet software. BlueWallet itself remains a secure and respected open-source tool. Instead, the criminals are leveraging the name and branding of the wallet to deliver a multi-stage data stealer. With Bitcoin currently trading at 61,756 and Ethereum at 1,616.47, the stakes for investors have never been higher. A single mistake during a routine update can result in the total loss of your portfolio.
The Exploit Mechanics — How the Attack Works Technically
The genius of this attack lies in its simplicity. When a user visits the fake website, they are prompted to download what looks like a necessary update. Instead of a standard application file, they receive a file named BlueWallet Installer.applescript. For the average investor, this file might look unfamiliar, but the website provides a helpful, step-by-step guide on how to open it.
The instructions tell the victim to open the file in the built-in macOS Script Editor and press the “Run” button or use the Command-R keyboard shortcut. By doing this, the user is unknowingly running a script that launches a shell command, which bypasses Apple’s Gatekeeper and notarization requirements. Because the Script Editor is a “trusted” Apple application, the system assumes that whatever script the user is running is intentional. This is a classic example of “living off the land,” where attackers use legitimate system tools to perform malicious actions.
Technically, the malware operates in three distinct stages. The initial AppleScript contains a Base64-encoded command that, once executed, downloads a second-stage payload from projects2026box[.]com. This payload is often hidden in the temporary directory as a file named .sysupd.sh. To avoid detection by basic antivirus software, the attackers use XOR-based encoding with a specific key: swckR9JCD2Uu. This obfuscation makes the malicious code look like random noise until it is decoded in memory and executed on the victim’s machine.
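Repeating-key XOR is trivial to undo once the key is known, and an analyst can even recover the key from a captured blob by guessing its header. The following is an added example written for this article, not code from the article, from Malwarebytes or from SOC Prime; the key is the one the article reports, and the encoded sample is a harmless script constructed here for illustration.

```python
import base64

REPORTED_KEY = b"swckR9JCD2Uu"  # XOR key named in the article

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling the key; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_shell_script(data: bytes) -> bool:
    """Heuristic: a shebang followed only by printable ASCII and whitespace."""
    return data.startswith(b"#!") and all(
        32 <= c < 127 or c in (9, 10, 13) for c in data)

def decode_stage(b64_blob: str, key: bytes = REPORTED_KEY) -> tuple[bytes, bool]:
    """Base64-decode, un-XOR, and report whether the result reads as a script."""
    plain = xor_repeating(base64.b64decode(b64_blob), key)
    return plain, looks_like_shell_script(plain)

def recover_key_prefix(b64_blob: str, crib: bytes = b"#!/bin/sh") -> bytes:
    """Known-plaintext trick for when the key is unknown: XOR of the ciphertext
    with the expected header yields the first len(crib) bytes of the key."""
    raw = base64.b64decode(b64_blob)
    return xor_repeating(raw[:len(crib)], crib)

# Constructed sample: a harmless script encoded with the reported key.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'constructed sample, not the real payload'\n"
SAMPLE_BLOB = base64.b64encode(xor_repeating(SAMPLE_SCRIPT, REPORTED_KEY)).decode()

if __name__ == "__main__":
    plain, is_script = decode_stage(SAMPLE_BLOB)
    print("looks like a shell script:", is_script)
    print("recovered key prefix:", recover_key_prefix(SAMPLE_BLOB))
    print(plain.decode())
```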
Affected Systems — Who is Impacted and How
While the primary target is the Bitcoin investor, the malware is a “grab-all” stealer that impacts anyone using a Mac for financial transactions. Once the third stage of the malware is installed via a LaunchAgent, it begins a systematic sweep of the entire system. It doesn’t just look for BlueWallet data; it targets every major browser, including Chrome, Safari, Firefox, and Brave.
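A LaunchAgent that runs a hidden script out of a temporary directory is easy to spot once you know what to look for. This is an added example, not code from the article or from either research team: a small audit of the plists in a LaunchAgents folder that flags the traits the article describes. The sample plists are constructed; only the /tmp/.sysupd.sh path follows the article, and the label and other values are made up.

```python
import plistlib
from pathlib import Path

TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")
SHELL_TOKENS = ("base64", "curl ", "| sh", "|sh", "eval ")

def audit_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for one LaunchAgent plist."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    args = list(plist.get("ProgramArguments", []))
    if "Program" in plist:
        args.insert(0, plist["Program"])
    for arg in args:
        if arg.startswith(TEMP_DIRS):
            findings.append(f"runs from a temporary directory: {arg}")
        if Path(arg).name.startswith("."):
            findings.append(f"hidden file on the command line: {arg}")
    cmdline = " ".join(args)
    for token in SHELL_TOKENS:
        if token in cmdline:
            findings.append(f"download-and-run style token {token!r} in command line")
    if str(plist.get("Label", "")).startswith("com.apple."):
        findings.append("label imitates Apple; Apple's own agents are not installed in ~/Library/LaunchAgents")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad with KeepAlive: relaunched automatically if killed")
    return findings

def audit_directory(directory: Path) -> dict[str, list[str]]:
    """Audit every .plist in a LaunchAgents directory, e.g. Path.home() / "Library/LaunchAgents"."""
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            results[path.name] = audit_launch_agent(path.read_bytes())
        except Exception as exc:  # a plist that will not parse deserves a look too
            results[path.name] = [f"could not parse: {exc}"]
    return results

# Constructed samples. The /tmp/.sysupd.sh path follows the article; the label
# and everything else is made up and is not an indicator from the campaign.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.constructed.example</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/tmp/.sysupd.sh</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
CLEAN_PLIST = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backup</string></array>
</dict></plist>"""
```

Running `audit_directory(Path.home() / "Library/LaunchAgents")` on a Mac prints a finding list per agent; an empty list means none of these heuristics fired, not that the agent is trustworthy.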
The theft isn’t limited to crypto. The malware scrapes saved passwords, browser cookies, and session tokens, which could allow attackers to bypass two-factor authentication on various exchanges. Furthermore, it searches for developer-related files such as SSH keys, AWS credentials, and GPG keys. This indicates that the attackers are also interested in corporate environments and cloud infrastructure, potentially using a single infected Mac to pivot into larger networks.
Perhaps the most insidious feature is clipboard hijacking. The malware monitors the system clipboard for strings that look like cryptocurrency addresses. If you copy a Bitcoin address to send funds, the malware silently replaces it with an address controlled by the attacker. This technique targets Bitcoin, Ethereum, and Solana addresses specifically. With Solana priced at 64.2 and XRP at 1.12, even small transactions are being rerouted to criminal wallets. Because the replacement happens in real-time, many users don’t realize they are sending money to the wrong person until it is too late.
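A clipper gives itself away in the clipboard history: an address is copied and, a fraction of a second later, the clipboard holds a different address of the same family. As an added example not taken from the article or the researchers, the detection below runs over a constructed clipboard history; on a real Mac the snapshots would come from polling the pasteboard (for instance via pbpaste) at a short interval, which is an assumption of this example rather than something the article describes.

```python
import re
from typing import NamedTuple

# Address shapes the article says the clipper targets. The patterns are loose
# on purpose: the goal is to notice a swap, not to validate checksums.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(
        r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

class Snapshot(NamedTuple):
    t: float   # seconds since monitoring started
    text: str  # clipboard contents at that moment

def classify(text: str):
    """Return the address family a string looks like, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None

def find_swaps(snapshots, window: float = 2.0):
    """Flag an address replaced by a different address of the same family
    within `window` seconds: a person rarely copies two addresses that fast."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        family = classify(prev.text)
        if (family and classify(cur.text) == family
                and cur.text.strip() != prev.text.strip()
                and cur.t - prev.t <= window):
            alerts.append((family, prev.text.strip(), cur.text.strip()))
    return alerts

# Constructed clipboard history: the first copy is overwritten 300 ms later;
# the two Ethereum copies 45 s apart are an ordinary user action.
SAMPLE_HISTORY = [
    Snapshot(0.0, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    Snapshot(0.3, "bc1qexample0fswapped0address" + "0" * 14),
    Snapshot(45.0, "0x1234567890abcdef1234567890abcdef12345678"),
    Snapshot(90.0, "0xfedcba0987654321fedcba0987654321fedcba09"),
]

if __name__ == "__main__":
    for family, before, after in find_swaps(SAMPLE_HISTORY):
        print(f"possible {family} clipper: {before} -> {after}")
```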
The Mitigation Strategy — What Defenses Exist and What’s Being Done
Defending against this type of attack is difficult because it relies on user consent. Apple’s security model is designed to stop unauthorized software from running, but it cannot stop a user from manually running a script in a developer tool. Malwarebytes has already updated its detection signatures to flag the update-bluewallet[.]com domain and the specific AppleScript installer, but attackers frequently change their domains to stay one step ahead.
One of the best technical defenses is monitoring for unusual outbound network traffic. The BlueWallet malware uses the Telegram API for command-and-control and data exfiltration. If you see your Mac communicating with Telegram servers when the app isn’t open, it is a major red flag. Network-level firewalls and “Little Snitch” style applications can help identify these unauthorized connections before your data is fully uploaded to the attacker’s server.
From a systemic perspective, the community is pushing for better “notarization” of scripts. However, until Apple makes changes to how Script Editor handles external files, the burden of defense falls on the user. Security providers are also working to block the projects2026box[.]com domain at the DNS level, which would break the second stage of the infection even if a user runs the initial script.
Lessons Learned — Broader Takeaways for the Crypto Community
The primary lesson here is that no operating system is immune to theft. The “security” of a Mac is a secondary layer that can be easily stripped away by a convincing website and a sense of urgency. When you see Cardano at 0.1615 or Dogecoin at 0.0837, the low prices might tempt some to be less cautious with their security, but the aggregate value of a stolen portfolio is what keeps these criminals in business.
We must also realize that the attackers are moving away from complex exploits and toward identity and credential theft. They don’t need to break the Bitcoin network if they can just steal your seed phrase. This campaign highlights a growing trend of “social engineering as a service,” where professional-looking websites are used to sidestep the hardware security, such as the Secure Enclave, that Apple has spent millions of dollars building.
Finally, we must distinguish between the software we use and the way we acquire it. BlueWallet remains a top-tier choice for Bitcoin self-custody. The problem isn’t the wallet; it’s the delivery mechanism. Always verify the URL of any site asking you to download software, and never trust a site that asks you to run scripts or bypass system warnings.
User Action Required — Concrete Steps Readers Should Take NOW
If you have visited update-bluewallet[.]com or executed any file resembling an “installer script” recently, you must act immediately. First, disconnect your Mac from the internet to prevent further data exfiltration. The malware continues to monitor your activity as long as it is running.
Next, using a different, clean device, you must rotate every single password stored in your browser or keychain. This includes your email, your bank accounts, and your exchange logins for BNB (currently 588.39) or Polkadot (currently 0.9573). If you use a password manager like 1Password or Bitwarden, change your master password immediately.
Regarding your crypto, assume your seed phrases are compromised. Do not simply move your funds to a different “account” in the same wallet. You must generate a brand new seed phrase on a hardware wallet or a completely clean device and move your Chainlink (7.68), Avalanche (6.63), and Tron (0.3279) to the new addresses. Finally, to ensure your Mac is truly clean, the most reliable method is a complete wipe and reinstall of macOS. The persistence mechanisms used by this malware are designed to hide deep within the system library, making manual removal risky.
Disclaimer: The information provided in this report is for educational purposes only and does not constitute financial or legal advice. Cryptocurrency investments carry significant risk, and security is the sole responsibility of the user. BitcoinsNews.com is not affiliated with BlueWallet or any of the mentioned security firms.
clipboard hijacking is nightmare fuel. you think you are sending to your hardware wallet and boom, gone. always double check the first and last 4 chars people
This is exactly why I stopped copy pasting addresses entirely. I type the last 8 characters manually every time, pain but worth it after seeing how the XOR encoding in this payload works.
typing last 8 chars is solid. i went further and use a hardware wallet that displays the full address on screen. the xor encoding trick in this attack wouldn't help against that
typing 8 chars is solid but the XOR encoding means even the displayed address in some apps gets swapped before you see it. hardware wallet screen verification is really the only bulletproof method
the fact that they use Telegram API for C2 is clever tbh. who monitors outbound connections to telegram servers on a mac? basically nobody
^ exactly this. Little Snitch would catch it but how many regular users even know what that is. Apple really needs to tighten Script Editor permissions
telegram C2 is becoming the standard for mac malware. avoids the classic C2 domain pattern that dns filters catch. luabot did the same thing last year
blocking telegram traffic on corporate macs is basically impossible without breaking a hundred other things. attackers know this which is why we are seeing more of it
gatekeeper being bypassed by an applescript is embarrassing for apple. the whole point of the walled garden is that unsigned code doesn't just run