Partager cet article
'CoinThief' Mac Malware Steals Bitcoins From Your Wallet
Malware hidden in a private wallet app is reportedly stealing large amounts of bitcoin from Mac OS X users.
Par Jon Southurst
UPDATE (12th February, 11:35 GMT): SecureMac reports the bitcoin-stealing malware has spread to popular download sites like Download.com and MacUpdate, under several different names. If you think your machine could be infected, take a screenshot of the instructions here and disconnect from the internet immediately.
A Mac OS X trojan horse masquerading as a private bitcoin wallet app is responsible for "multiple" bitcoin thefts, according to Mac security researchers.
STORY CONTINUES BELOW
Ne manquez pas une autre histoire.Abonnez vous à la newsletter Crypto Daybook Americas aujourd. Voir toutes les newsletters
, a Mac security consultancy that develops the MacScan anti-malware application and blogs about its research, released a report today warning of 'CoinThief.A'.
Hidden within the open-source OS X bitcoin wallet app StealthBit, CoinThief.A monitors users' web traffic to steal login credentials for software wallets and popular bitcoin sites, including BTC-e, Mt. Gox, and Blockchain.info.
The StealthBit app had been available on GitHub both as source code and a precompiled download, but the page has now been removedhttps://github.com/thomasrevor/StealthBit.
Update: Versions of the malware have been found with numerous different names on other popular software download sites, such as Download.com and MacUpdate.com. BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. It seems both app names were copied from legitimate apps in the Mac App Store, but the malicious payload was not found in the official Mac App Store copies of these apps.
Mismatched code
Suspicion arose when investigators discovered the precompiled version did not match the source (which more knowledgeable users could examine for themselves and needed to compile before using). The precompiled version contained the malware, whereas the open-source code did not.
The report said:
"Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions.
Additionally, the malware installs a program that continually runs in the background, looking for bitcoin wallet login credentials, which are then sent back to a remote server."
The browser extensions had innocuous sounding names like 'Pop-up Blocker' to avoid detection. Once installed, the trojan also searches the system for anti-malware software and logs unique identifiers (UUIDs) for each infected machine.
Large thefts
At least one Bitcoin Talk Forum user reported a whopping 20BTC theft after installing StealthBit, which was also posted on reddit.
Other investigators noted several similarities between StealthBit and Bitvanity, another piece of notorious Mac malware that stole users' bitcoins last August. Bitvanity posed as a vanity wallet address generator that harvested addresses and private keys from software like the Bitcoin-Qt client.
StealthBit's GitHub code repository was stored under the username 'thomasrevor' and a reddit user named 'trevorscool' posted an announcement about its development there on 2nd February. Last year, Bitvanity's GitHub code was posted under the name 'trevory'.
As reported previously on CoinDesk, there are rich rewards for malware and ransomware developers trading in bitcoin thanks to its mostly unregulated and difficult-to-trace nature. Accomplices can be paid, and ransoms collected from anywhere in the world.
Open-source security
The discovery has highlighted the benefits (and issues) that surround open-source software. While the malware was not contained in the open-source version of the code, less able or impatient users may still have trusted the precompiled version on GitHub and installed without a second thought.
The 'clean' open-source version, however, allowed programmers to find a discrepancy between the two versions within days of its appearance, leading to speedy warnings of the malware and, hopefully, fewer infections.
Hacker Image via Shutterstock
Plus pour vous
Ce qu'il:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
Plus pour vous
BNB Lags Wider Market Despite Volume Surge Resistance Levels Hold
Despite uncertainty and a lack of breakout, BNB's fundamentals may be supportive, with recent developments support a bullish case.
Ce qu'il:
- BNB edged higher to top $890, gaining over 1%, but underperformed the wider crypto market which rose 2.5%.
- Trading volume surged 51% above the weekly average, suggesting possible whale participation, but BNB's price underperformance may indicate a rotation away from the token.
- Despite uncertainty and a lack of breakout, BNB's fundamentals may be supportive, with recent developments like Binance's ADGM approval and new infrastructure on BNB Chain, but traders remain cautious.
Top Stories
