Fake BlueWallet Malware Targets Mac Users: How Cybercriminals Steal Passwords, Crypto Wallets, and Sensitive Data
June 2, 2026
A sophisticated cybercrime campaign targeting macOS users has emerged through a fake version of BlueWallet, a popular Bitcoin wallet application. While the legitimate BlueWallet platform remains secure and uncompromised, attackers have created convincing counterfeit websites designed to trick cryptocurrency users into downloading and executing malware.
This campaign highlights a growing trend in cybersecurity: attackers increasingly rely on social engineering rather than technical exploits. Instead of bypassing Apple’s security mechanisms, cybercriminals persuade victims to voluntarily execute malicious code, making the attack both effective and difficult to detect.
The malware behind the fake BlueWallet campaign is capable of stealing passwords, browser credentials, cryptocurrency wallets, authentication data, documents, and cloud credentials. It can also hijack cryptocurrency transactions by silently replacing copied wallet addresses with attacker-controlled addresses.
What Is the Fake BlueWallet Malware Campaign?
The attack begins with a fraudulent website designed to mimic the appearance and branding of BlueWallet. Unsuspecting users searching for cryptocurrency wallet software may encounter the fake site through malicious advertisements, phishing links, or search engine manipulation.
Unlike traditional malware that exploits software vulnerabilities, this campaign relies entirely on user interaction. Visitors are instructed to download a file named “BlueWallet Installer.applescript” and run it using Apple’s built-in Script Editor.
Once executed, the script downloads a second-stage payload that performs credential theft, wallet extraction, clipboard monitoring, and remote access functions.
The attack demonstrates how threat actors increasingly weaponize trusted system tools to evade security controls and gain persistence on target devices.
Why Mac Users Are Being Targeted
For years, many users believed macOS devices were less susceptible to malware than Windows systems. While macOS includes strong security protections such as Gatekeeper, XProtect, notarization requirements, and sandboxing, cybercriminals have adapted their tactics.
Rather than attempting to bypass these protections directly, attackers convince users to run malicious scripts themselves.
Several factors make cryptocurrency users particularly attractive targets:
- High-value digital assets
- Losses are nearly impossible to reverse
- Wallet theft can generate immediate profits
- Cryptocurrency transactions are difficult to trace
- Many users store credentials and recovery phrases on personal devices
As cryptocurrency adoption grows, macOS users are becoming increasingly attractive targets for financially motivated threat actors.
How the Attack Works
Stage 1: Social Engineering and Initial Download
The attack starts when a victim visits a fraudulent BlueWallet website.
The page automatically initiates a download of an AppleScript file and presents step-by-step instructions encouraging the user to:
- Open the downloaded file.
- Launch Script Editor.
- Press the Run button or use the keyboard shortcut Command + R.
Because the script is executed through a trusted Apple application, it avoids many of the warnings users would normally encounter when launching unsigned applications.
This approach allows attackers to shift responsibility from the operating system to the victim, effectively bypassing security protections through manipulation rather than exploitation.
Stage 2: Downloading the Malware Payload
The AppleScript itself is relatively small.
Its primary purpose is to execute a hidden shell command that:
- Connects to a remote server
- Downloads a second-stage malware script
- Saves it in a hidden temporary directory
- Executes it silently in the background
The malware suppresses all visible output, ensuring the victim sees no obvious signs of compromise.
Stage 3: Establishing Persistence
Once active, the malware creates persistence mechanisms that allow it to survive system reboots and user logouts.
Common techniques include:
- Installing LaunchAgents
- Creating hidden support directories
- Registering background processes
- Configuring automatic startup tasks
These persistence methods enable attackers to maintain long-term access to infected systems.
What Information Does the Malware Steal?
The malware’s primary objective is data theft.
Browser Data
The malware targets numerous browsers, including:
- Google Chrome
- Brave Browser
- Microsoft Edge
- Opera
- Vivaldi
- Arc Browser
- Mozilla Firefox
- Waterfox
- LibreWolf
- Safari
Collected information may include:
- Saved passwords
- Browsing history
- Session cookies
- Autofill information
- Bookmarks
Stolen browser sessions can allow attackers to access accounts without requiring passwords or multi-factor authentication.
Cryptocurrency Wallets
Cryptocurrency theft appears to be the campaign’s primary focus.
Targeted wallets include:
- Electrum
- Exodus
- Atomic Wallet
- Ledger Live
- Trezor Suite
- Trust Wallet
- Coinomi
- Sparrow Wallet
- Monero Wallet
- Bitcoin Core
The malware also targets browser extension wallets such as:
- MetaMask
- Phantom
- Coinbase Wallet
- Rabby
- Rainbow
- Keplr
- Xverse
- Leather
Wallet credentials, private keys, and configuration files are all valuable targets for attackers.
Password Managers
The malware actively searches for data associated with:
- 1Password
- Bitwarden
- LastPass
- Dashlane
- Keeper
- NordPass
- RoboForm
- Enpass
Compromising a password manager can give attackers access to hundreds of accounts simultaneously.
Two-Factor Authentication Data
Researchers observed attempts to collect information related to:
- Google Authenticator
- Microsoft Authenticator
- Authy
- Duo Security
- FreeOTP
- 2FAS
Stealing authentication data significantly increases the attacker’s ability to bypass account security protections.
Cloud and Developer Credentials
The malware searches for sensitive files used by developers and IT professionals, including:
- AWS credentials
- SSH keys
- GPG keys
- Kubernetes configurations
- Git settings
- Shell history files
These credentials can provide access to cloud infrastructure, development environments, and corporate networks.
Clipboard Hijacking: The Most Dangerous Feature
One of the most alarming capabilities of the malware is clipboard hijacking.
When users copy cryptocurrency wallet addresses, the malware monitors clipboard activity in real time.
If it detects a Bitcoin, Ethereum, or Solana address, it automatically replaces the copied address with one controlled by the attacker.
The victim may never notice the substitution.
As a result:
- Funds are sent to the attacker.
- Transactions cannot be reversed.
- Victims often discover the theft only after confirming the transfer.
Clipboard hijacking remains one of the most effective cryptocurrency theft techniques because it exploits routine user behavior.
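The substitution described above happens faster than any human copies two addresses: the victim copies one address and a fraction of a second later the clipboard holds a different address of the same chain. The script below, an added example rather than code from the article or the researchers it cites, turns that timing into a detection rule over polled clipboard snapshots. It assumes a poller feeding (timestamp, clipboard text) pairs (on macOS, `pbpaste` in a loop would do); the address patterns are format checks only, and the sample addresses are published test vectors and constructed values, not indicators from this campaign.

```python
"""Detect clipboard address substitution from polled clipboard snapshots."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Address shapes for the three chains named in the write-up (Bitcoin legacy
# and bech32, Ethereum, Solana). Format checks only, no checksum validation.
# Bitcoin is tested first because a Solana-style base58 match is the loosest.
ADDRESS_PATTERNS = [
    ("bitcoin", re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("solana", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify_address(text: str) -> Optional[str]:
    """Return the chain name if `text` looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None


@dataclass
class Substitution:
    chain: str
    original: str
    replacement: str
    seconds_after_copy: float


def detect_substitutions(snapshots: Iterable[Tuple[float, str]],
                         window: float = 2.0) -> List[Substitution]:
    """Flag an address replaced by a different address of the same chain
    within `window` seconds. A person does not copy two different addresses
    of the same chain a fraction of a second apart; a clipper does.
    """
    alerts: List[Substitution] = []
    last_addr = None   # (timestamp, chain, text) of the most recent address seen
    prev_text = None   # last clipboard content, to skip unchanged polls
    for ts, text in snapshots:
        if text == prev_text:
            continue
        prev_text = text
        text = text.strip()
        chain = classify_address(text)
        if chain is None:
            continue
        if last_addr is not None:
            last_ts, last_chain, last_text = last_addr
            if last_chain == chain and last_text != text and ts - last_ts <= window:
                alerts.append(Substitution(chain, last_text, text, ts - last_ts))
        last_addr = (ts, chain, text)
    return alerts


# Constructed polling log: the user copies a Bitcoin address, a clipper swaps
# it 300 ms later; minutes later the user legitimately copies two Ethereum
# addresses far enough apart to be ordinary activity.
SAMPLE_SNAPSHOTS = [
    (10.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (10.3, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (10.6, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (60.0, "meeting notes"),
    (120.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (150.0, "0xde709f2102306220921060314715629080e2fb77"),
]

if __name__ == "__main__":
    for a in detect_substitutions(SAMPLE_SNAPSHOTS):
        print(f"ALERT {a.chain}: {a.original} -> {a.replacement} "
              f"after {a.seconds_after_copy:.1f}s")
```

The window is the whole rule: a clipper must rewrite the pasteboard before the victim pastes, so it acts within milliseconds, and the only legitimate way to trip the check is to copy two different addresses of one chain within two seconds. The check is a prompt to compare what was pasted against the source, not a replacement for verifying the address before every transaction.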
Remote Access and Command-and-Control Functionality
The malware does not merely steal files.
It also establishes ongoing communication with attacker-controlled infrastructure.
Researchers identified functionality enabling attackers to:
- Execute arbitrary commands
- Download additional files
- Collect system information
- Monitor clipboard contents
- Re-run data theft operations
- Remove evidence of infection
This effectively transforms an infected Mac into a remotely controlled system.
Why Telegram Is Being Used by Cybercriminals
Modern malware campaigns increasingly leverage legitimate cloud services and messaging platforms for command-and-control operations.
Telegram offers several advantages for threat actors:
- End-to-end encrypted communications
- Global accessibility
- Free infrastructure
- Easy bot automation
- Traffic that blends into normal HTTPS connections
By using Telegram rather than traditional command-and-control servers, attackers reduce the likelihood of detection and blocking.
Warning Signs of Infection
Users should investigate immediately if they notice:
- Unexpected password prompts
- Cryptocurrency transactions sent to unknown addresses
- New LaunchAgent files appearing in macOS
- Suspicious scripts in temporary directories
- Increased network activity
- Unknown background processes
Any user who executed the fake installer should assume compromise until proven otherwise.
What To Do If You Executed the Fake Installer
If you ran the malicious AppleScript, take immediate action.
1. Disconnect From the Internet
Disable Wi-Fi and unplug network connections to disrupt attacker communications.
2. Scan the Device
Use reputable security software with updated malware definitions.
3. Change Passwords
From a separate trusted device:
- Change email passwords
- Update financial accounts
- Reset cryptocurrency exchange credentials
- Review account recovery settings
4. Move Cryptocurrency Assets
Create a new wallet on a clean device and transfer funds immediately.
Assume all existing wallet credentials and seed phrases are compromised.
5. Rotate Developer Credentials
Replace:
- SSH keys
- AWS credentials
- API tokens
- GPG keys
6. Review Persistence Mechanisms
Inspect:
- ~/Library/LaunchAgents
- Hidden temporary files
- Login items
- Background services
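Step 6 above, the "New LaunchAgent files appearing in macOS" warning sign, and the Stage 3 persistence description all come down to the same question: what does each plist in ~/Library/LaunchAgents actually launch? The triage script below is an added example, not code from the article or from any published analysis of this campaign. It parses each LaunchAgent with the standard library's `plistlib` and flags generic indicators (a shell or osascript interpreter as the program, paths under temp or dot-prefixed directories, embedded URLs, auto-start settings); the indicator lists are assumptions chosen for illustration, and the two sample plists are constructed.

```python
"""Triage macOS LaunchAgent plists for script-based persistence indicators."""
import os
import plistlib
import re
from pathlib import Path
from typing import Dict, List

# Heuristic indicators (assumed for this example, not signatures from the
# reported sample): interpreters and download tools a dropped agent tends to
# invoke, and path shapes pointing at temp or hidden locations.
SUSPICIOUS_BINARIES = {"sh", "bash", "zsh", "osascript", "curl"}
HIDDEN_OR_TEMP = re.compile(r"(^|/)(\.[^/]+|tmp|private/tmp|var/folders)(/|$)")
URL = re.compile(r"https?://")


def analyze_plist(data: bytes, source: str = "<memory>") -> Dict:
    """Parse one LaunchAgent plist and return its label, program line and
    findings. `flags` is empty when nothing suspicious was seen; `autostart`
    records RunAtLoad/KeepAlive separately because many benign agents set them.
    """
    plist = plistlib.loads(data)
    args = list(plist.get("ProgramArguments") or [])
    if "Program" in plist:
        args = [plist["Program"]] + args
    flags: List[str] = []
    if args and os.path.basename(args[0]) in SUSPICIOUS_BINARIES:
        flags.append(f"runs interpreter/downloader: {os.path.basename(args[0])}")
    for arg in args:
        if HIDDEN_OR_TEMP.search(arg):
            flags.append(f"references hidden or temp path: {arg}")
        if URL.search(arg):
            flags.append(f"embeds URL: {arg}")
    autostart = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    return {"source": source, "label": plist.get("Label", ""),
            "program": args, "flags": flags, "autostart": autostart}


def scan_launch_agents(directory: Path) -> List[Dict]:
    """Analyze every .plist in `directory`; an unparseable file is reported
    rather than skipped, since a deliberately malformed plist is itself odd.
    """
    results = []
    if not directory.is_dir():
        return results
    for path in sorted(directory.glob("*.plist")):
        try:
            results.append(analyze_plist(path.read_bytes(), str(path)))
        except Exception as exc:
            results.append({"source": str(path), "label": "", "program": [],
                            "flags": [f"unparseable plist: {exc}"], "autostart": False})
    return results


# Constructed samples: one agent shaped like a dropped stager, one ordinary vendor agent.
SAMPLE_SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/tmp/.cache/update.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor Sync.app/Contents/MacOS/vendor-sync</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for r in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        marker = "SUSPICIOUS" if r["flags"] else "ok"
        print(f"[{marker}] {r['source']} ({r['label']}) autostart={r['autostart']}")
        for f in r["flags"]:
            print("    -", f)
```

Run it on the user account that executed the installer; a flagged agent is a lead, not a verdict, and the program it points at (the script in a temp or hidden directory) is what to preserve for analysis before removal. /Library/LaunchAgents and /Library/LaunchDaemons deserve the same pass if the script was ever run with elevated rights.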
7. Reinstall macOS
For high-confidence recovery, perform a complete system wipe and reinstall macOS from a trusted source.
How to Protect Yourself From Similar Attacks
To reduce future risk:
- Download software only from official websites.
- Verify domain names carefully.
- Avoid running scripts from unknown sources.
- Enable multi-factor authentication.
- Keep macOS fully updated.
- Use reputable endpoint security solutions.
- Store cryptocurrency in hardware wallets.
- Verify wallet addresses before every transaction.
- Regularly back up important data.
Most importantly, be suspicious of any website that instructs you to run code manually through Script Editor or Terminal.
Conclusion
The fake BlueWallet malware campaign demonstrates that modern cyberattacks often succeed through deception rather than technical sophistication. By abusing trusted macOS tools and convincing users to execute malicious scripts themselves, attackers can bypass traditional security protections and gain access to highly valuable data.
The malware’s capabilities, including password theft, wallet extraction, clipboard hijacking, credential harvesting, and remote access, make it particularly dangerous for cryptocurrency users. As cybercriminals continue to evolve their tactics, vigilance, software verification, and security awareness remain the most effective defenses against these increasingly convincing social engineering attacks.