
The $83 Billion Evaporation: Why Cardano’s 5-Year Low and the Hoskinson ‘Break’ are a Massive Warning for Altcoin Investors

Security researchers from Malwarebytes and SOC Prime have uncovered a sophisticated phishing campaign targeting macOS users that bypasses traditional security checks to drain cryptocurrency wallets. By impersonating the legitimate BlueWallet application, attackers are using a clever social engineering trick involving AppleScript to bypass Apple’s Gatekeeper and steal everything from seed phrases to browser logins.

By Elena Kowalski | June 7, 2026

For years, the common wisdom in the cryptocurrency community was that Mac users were “safer” than their Windows-using counterparts. However, a new wave of attacks is proving that the walled garden of macOS is no match for clever social engineering. The latest threat involves a highly realistic clone of the BlueWallet website, located at a deceptive domain: update-bluewallet[.]com. While the real wallet operates at bluewallet.io, this fake version is designed for one purpose only: to trick you into handing over the keys to your digital kingdom.

This is not a traditional “hack” of the BlueWallet software. BlueWallet itself remains a secure and respected open-source tool. Instead, the criminals are leveraging the name and branding of the wallet to deliver a multi-stage data stealer. With Bitcoin currently trading at 61,756 and Ethereum at 1,616.47, the stakes for investors have never been higher. A single mistake during a routine update can result in the total loss of your portfolio.

The Exploit Mechanics — How the Attack Works Technically

The genius of this attack lies in its simplicity. When a user visits the fake website, they are prompted to download what looks like a necessary update. Instead of a standard application file, they receive a file named BlueWallet Installer.applescript. For the average investor, this file might look unfamiliar, but the website provides a helpful, step-by-step guide on how to open it.

The instructions tell the victim to open the file in the built-in macOS Script Editor and press the “Run” button or use the Command-R keyboard shortcut. By doing this, the user unknowingly executes a script that runs shell commands, sidestepping Apple’s Gatekeeper and notarization requirements: those checks apply to downloaded applications, not to a script a user runs by hand inside a “trusted” Apple application such as Script Editor, so the system assumes the action is intentional. This is a classic example of “living off the land,” where attackers use legitimate system tools to perform malicious actions.

Technically, the malware operates in three distinct stages. The initial AppleScript contains a Base64-encoded command that, once executed, downloads a second-stage payload from projects2026box[.]com. This payload is often hidden in the temporary directory as a file named .sysupd.sh. To avoid detection by basic antivirus software, the attackers use XOR-based encoding with a specific key: swckR9JCD2Uu. This obfuscation makes the malicious code look like random noise until it is decoded in memory and executed on the victim’s machine.

Affected Systems — Who is Impacted and How

While the primary target is the Bitcoin investor, the malware is a “grab-all” stealer that impacts anyone using a Mac for financial transactions. Once the third stage of the malware is installed via a LaunchAgent, it begins a systematic sweep of the entire system. It doesn’t just look for BlueWallet data; it targets every major browser, including Chrome, Safari, Firefox, and Brave.
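A defender-side triage check for the staging and persistence described in the two paragraphs above, written for this article and not part of the original report: it parses LaunchAgent plists for the traits the report mentions (a hidden .sh script staged in a temp directory, inline base64 decoding, osascript) and strips the repeating-key XOR layer from a captured stage using the key quoted above. The plist contents, labels and paths are constructed samples, not indicators from the campaign.

```python
import plistlib
import re

# XOR key quoted in the report; used to strip the obfuscation layer off a captured stage.
XOR_KEY = b"swckR9JCD2Uu"

# Traits a defender would flag in a LaunchAgent's program arguments.
SUSPICIOUS = [
    re.compile(r"(^|/)\.[^/\s]+\.sh$"),                 # hidden shell script such as .sysupd.sh
    re.compile(r"^(/tmp|/private/tmp|/var/folders)/"),  # payload staged in a temp directory
    re.compile(r"\bbase64\b"),                          # inline decoding of an embedded command
    re.compile(r"\bosascript\b"),                       # AppleScript launched from persistence
]

def xor_decode(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Undo a repeating-key XOR layer (XOR is its own inverse) so the stage can be read."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))

def triage_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and report why (if at all) it looks like stealer persistence."""
    plist = plistlib.loads(plist_bytes)
    args = [plist["Program"]] if "Program" in plist else []
    args += list(plist.get("ProgramArguments", []))
    reasons = [f"{pat.pattern!r} matched {arg!r}"
               for arg in args for pat in SUSPICIOUS if pat.search(arg)]
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad is set: the script restarts at every login")
    return {"label": plist.get("Label", "?"), "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample plists modelled on the behaviour the report describes (not real indicators).
STEALER_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sysupd</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>/private/tmp/.sysupd.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Backup.app/Contents/MacOS/agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for agent in (STEALER_AGENT, BENIGN_AGENT):
        print(triage_launch_agent(agent))
```

On a live Mac the same function would be run over every .plist in ~/Library/LaunchAgents and /Library/LaunchAgents; a hit is a reason to investigate, not proof of infection.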

The theft isn’t limited to crypto. The malware scrapes saved passwords, browser cookies, and session tokens, which could allow attackers to bypass two-factor authentication on various exchanges. Furthermore, it searches for developer-related files such as SSH keys, AWS credentials, and GPG keys. This indicates that the attackers are also interested in corporate environments and cloud infrastructure, potentially using a single infected Mac to pivot into larger networks.

Perhaps the most insidious feature is clipboard hijacking. The malware monitors the system clipboard for strings that look like cryptocurrency addresses. If you copy a Bitcoin address to send funds, the malware silently replaces it with an address controlled by the attacker. This technique targets Bitcoin, Ethereum, and Solana addresses specifically. With Solana priced at 64.2 and XRP at 1.12, even small transactions are being rerouted to criminal wallets. Because the replacement happens in real time, many users don’t realize they are sending money to the wrong person until it is too late.
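An added illustration, not from the article or from BlueWallet, of how a clipboard swap can be caught on the user's side: format checks for the three address families named above, run over a constructed clipboard history. The addresses are made-up strings that merely satisfy the format checks.

```python
import re
from typing import Iterable, Optional

# Shape checks for the three address families the report says the clipper targets.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify(text: str) -> Optional[str]:
    """Return which asset's address format `text` matches, or None for ordinary text."""
    text = text.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return asset
    return None

def detect_swaps(snapshots: Iterable[str]) -> list:
    """Scan clipboard snapshots (oldest first) for a clipper's signature: one address
    silently replaced by a *different* address of the same asset, with nothing else
    copied in between. A user's own copy/paste workflow almost never looks like that."""
    alerts, previous = [], None
    for current in snapshots:
        if previous is not None and current != previous:
            before, after = classify(previous), classify(current)
            if before is not None and before == after:
                alerts.append({"asset": before, "copied": previous, "replaced_with": current})
        previous = current
    return alerts

# Constructed clipboard history (no real addresses): a BTC and an ETH swap, plus benign copies.
USER_BTC = "bc1qusersaddress" + "x" * 20
SWAPPED_BTC = "bc1qattackersaddress" + "x" * 16
USER_ETH = "0x" + "a" * 40
SWAPPED_ETH = "0x" + "b" * 40
SAMPLE_SNAPSHOTS = [
    USER_BTC, SWAPPED_BTC,      # clipper fired right after the user copied an address
    "meeting at 3pm",           # ordinary text: resets the comparison
    USER_ETH, USER_ETH,         # unchanged clipboard: no alert
    SWAPPED_ETH,                # second swap
    "https://bluewallet.io",    # copying the real site's URL is not an address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['asset']}] clipboard swap: {alert['copied']} -> {alert['replaced_with']}")
```

On macOS the snapshots would come from polling `pbpaste` every second or so; a match should prompt the user to re-check the address against the one shown by the recipient before signing.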

The Mitigation Strategy — What Defenses Exist and What’s Being Done

Defending against this type of attack is difficult because it relies on user consent. Apple’s security model is designed to stop unauthorized software from running, but it cannot stop a user from manually running a script in a developer tool. Malwarebytes has already updated its detection signatures to flag the update-bluewallet[.]com domain and the specific AppleScript installer, but attackers frequently change their domains to stay one step ahead.

One of the best technical defenses is monitoring for unusual outbound network traffic. The malware impersonating BlueWallet uses the Telegram API for command-and-control and data exfiltration. If you see your Mac communicating with Telegram servers when the Telegram app isn’t open, it is a major red flag. Network-level firewalls and “Little Snitch” style applications can help identify these unauthorized connections before your data is fully uploaded to the attacker’s server.
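An added example (not from the article or from Malwarebytes/SOC Prime) of the network check this paragraph suggests: it parses rows of `lsof -i -P` output and flags any process other than the Telegram client that holds a connection to a telegram.org host. The lsof rows are constructed sample data; `api.telegram.org` is Telegram's public bot API host.

```python
# Hosts the report ties to the stealer's C2 and exfiltration channel (Telegram's bot API).
WATCHED_SUFFIXES = ("telegram.org",)
# Processes a Telegram user would expect to reach those hosts; anything else is flagged.
EXPECTED_COMMANDS = {"Telegram"}

def parse_lsof_line(line: str):
    """Split one `lsof -i -P` row into (command, pid, remote_host); None for header/listen rows."""
    parts = line.split(None, 8)           # NAME is the 9th column and may contain spaces
    if len(parts) < 9 or "->" not in parts[8]:
        return None
    remote = parts[8].split("->", 1)[1].split(" ", 1)[0]   # drop the "(ESTABLISHED)" suffix
    host = remote.rsplit(":", 1)[0]                          # strip the port
    return parts[0], int(parts[1]), host

def find_unexpected_c2(lsof_output: str) -> list:
    """Return connections to watched hosts that originate from an unexpected process."""
    hits = []
    for line in lsof_output.splitlines():
        parsed = parse_lsof_line(line)
        if parsed is None:
            continue
        cmd, pid, host = parsed
        if host.endswith(WATCHED_SUFFIXES) and cmd not in EXPECTED_COMMANDS:
            hits.append({"command": cmd, "pid": pid, "host": host})
    return hits

# Constructed sample of `lsof -i -P` output: one legitimate Telegram session, one shell
# process talking to the same API host, one unrelated browser session, one listener.
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Telegram  1234 alice   25u  IPv4 0x1a2b      0t0  TCP mac.local:54321->api.telegram.org:443 (ESTABLISHED)
sh        4321 alice    3u  IPv4 0x3c4d      0t0  TCP mac.local:54400->api.telegram.org:443 (ESTABLISHED)
Safari    2222 alice   40u  IPv4 0x5e6f      0t0  TCP mac.local:54500->bluewallet.io:443 (ESTABLISHED)
launchd      1 root    7u  IPv6 0x7a8b      0t0  TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    for hit in find_unexpected_c2(SAMPLE_LSOF):
        print(f"unexpected connection to {hit['host']} from {hit['command']} (pid {hit['pid']})")
```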

From a systemic perspective, the community is pushing for better “notarization” of scripts. However, until Apple makes changes to how Script Editor handles external files, the burden of defense falls on the user. Security providers are also working to block the projects2026box[.]com domain at the DNS level, which would break the second stage of the infection even if a user runs the initial script.

Lessons Learned — Broader Takeaways for the Crypto Community

The primary lesson here is that no operating system is immune to theft. The “security” of a Mac is a secondary layer that can be easily stripped away by a convincing website and a sense of urgency. When you see Cardano at 0.1615 or Dogecoin at 0.0837, the low prices might tempt some to be less cautious with their security, but the aggregate value of a stolen portfolio is what keeps these criminals in business.

We must also realize that the attackers are moving away from complex exploits and toward identity and credential theft. They don’t need to break the Bitcoin network if they can just steal your seed phrase. This campaign highlights a growing trend of “social engineering as a service,” where professional-looking websites are used to bypass the millions of dollars Apple has spent on hardware security like the Secure Enclave.

Finally, we must distinguish between the software we use and the way we acquire it. BlueWallet remains a top-tier choice for Bitcoin self-custody. The problem isn’t the wallet; it’s the delivery mechanism. Always verify the URL of any site asking you to download software, and never trust a site that asks you to run scripts or bypass system warnings.

User Action Required — Concrete Steps Readers Should Take NOW

If you have visited update-bluewallet[.]com or executed any file resembling an “installer script” recently, you must act immediately. First, disconnect your Mac from the internet to prevent further data exfiltration. The malware continues to monitor your activity as long as it is running.

Next, using a different, clean device, you must rotate every single password stored in your browser or keychain. This includes your email, your bank accounts, and your exchange logins for BNB (currently 588.39) or Polkadot (currently 0.9573). If you use a password manager like 1Password or Bitwarden, change your master password immediately.

Regarding your crypto, assume your seed phrases are compromised. Do not simply move your funds to a different “account” in the same wallet. You must generate a brand new seed phrase on a hardware wallet or a completely clean device and move your Chainlink (7.68), Avalanche (6.63), and Tron (0.3279) to the new addresses. Finally, to ensure your Mac is truly clean, the most reliable method is a complete wipe and reinstall of macOS. The persistence mechanisms used by this malware are designed to hide deep within the system library, making manual removal risky.

Disclaimer: The information provided in this report is for educational purposes only and does not constitute financial or legal advice. Cryptocurrency investments carry significant risk, and security is the sole responsibility of the user. BitcoinsNews.com is not affiliated with BlueWallet or any of the mentioned security firms.


11 thoughts on “The $83 Billion Evaporation: Why Cardano’s 5-Year Low and the Hoskinson ‘Break’ are a Massive Warning for Altcoin Investors”

  1. apple users really think they're immune to this stuff. any script editor execution is gonna bypass gatekeeper, that's been known for years

  2. the fake bluewallet site was google indexed. let that sink in. google was sending victims directly to the attacker

    1. google indexing the fake site is the real story here. paid ads for malware domains and google takes zero responsibility

  3. the update-bluewallet domain trick is so obvious in hindsight but i bet thousands fell for it. always check the url people

    1. deadcatbounce

      ^ this. been saying it forever, bookmark the real site. bluewallet.io, not some random update-whatever domain

  4. imagine losing your whole portfolio at 61k btc because you clicked run on an applescript. brutal way to learn opsec

    1. gatekeep_fail

      61k btc and someone clicks run on an unverified applescript. cold storage exists for exactly this reason

      1. opsec_minimal

        gatekeep_fail 61k btc on a machine where you run random applescripts. this is why air gapped signing devices exist. one click and it's all gone

  5. applescript bypassing gatekeeper has been a known attack vector since at least 2020. apple doesn't talk about it because it breaks the walled garden marketing

    1. mac_pentester

      Lee C. applescript has been bypassing gatekeeper for years and apple still hasn't fixed it properly. the walled garden has back doors they just don't advertise

  6. the Applescript bypass has been documented since 2020 and apple still ships it without sandboxing. 61k btc market and they can't patch a 5 year old vector

