Bitcoin-stealing Mac malware found on popular download websites

Graham Cluley

Researchers at SecureMac have warned that they have discovered Bitcoin-stealing malware which is being distributed via CNet’s popular Download.com website and MacUpdate (a rival to the official Mac App Store).

The malware, named OSX/CoinThief, steals information related to users’ Bitcoin wallets and keys, and is said to have been found in trojanised versions of Bitcoin Ticker TTM (To The Moon), BitVanity, StealthBit, and Litecoin Ticker. (Litecoin is an alternative digital currency.)


CoinThief installs an extension into its victims’ Firefox, Chrome or Safari browsers, monitoring web traffic and attempting to intercept login credentials sent to many of the online Bitcoin exchanges and wallet sites. The information is then sent back to the malware authors via a remote server.


In an attempt to cover up their activity, the browser extensions adopt innocuous names like “Pop-up blocker” and use generic descriptions such as “Blocks pop-up windows and other annoyances.”

Because of this, even if you didn’t remember installing the extension, chances are that its presence wouldn’t raise your suspicions.
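A check for the disguise described above, added here as an example and not taken from SecureMac or the original article: it walks a directory of unpacked browser extensions and flags any whose name or description matches the strings quoted in the article. It assumes Chrome-style `manifest.json` files (Safari's extension format is not covered), and the function names and sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Indicators quoted in the article: the extension's display name and description.
SUSPECT_NAME = "pop-up blocker"
SUSPECT_DESC = "blocks pop-up windows and other annoyances."


def load_json(path):
    """Return the parsed JSON object, or {} if unreadable or malformed."""
    try:
        data = json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def resolve(value, ext_dir, manifest):
    """Normalise a manifest string, expanding Chrome-style __MSG_key__ placeholders."""
    if isinstance(value, str) and value.startswith("__MSG_") and value.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        msgs = load_json(Path(ext_dir, "_locales", locale, "messages.json"))
        entry = {k.lower(): v for k, v in msgs.items()}.get(value[6:-2].lower())
        value = entry.get("message") if isinstance(entry, dict) else None
    return value.strip().lower() if isinstance(value, str) else ""


def find_suspect_extensions(root):
    """Return sorted extension directories (relative to root) matching an indicator."""
    hits = []
    for mpath in Path(root).rglob("manifest.json"):
        manifest = load_json(mpath)
        name, desc = (resolve(manifest.get(k), mpath.parent, manifest) for k in ("name", "description"))
        if name == SUSPECT_NAME or desc == SUSPECT_DESC:
            hits.append(mpath.parent.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample manifests (not real malware files) under root."""
    files = {
        "benign/manifest.json": {"name": "Notes", "description": "Take notes."},
        "literal/manifest.json": {"name": "Helper", "description": "Blocks pop-up windows and other annoyances."},
        "localized/manifest.json": {"name": "__MSG_extName__", "default_locale": "en"},
        "localized/_locales/en/messages.json": {"extName": {"message": "Pop-up blocker"}},
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")
```

A match is a lead for manual review rather than a verdict, since a legitimate extension could carry the same generic name.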

Clearly someone was able to dupe MacUpdate and CNet’s Download.com into accepting the bogus versions of the software, helping the online criminals to spread the malware to a wider audience.

Hopefully they will be more careful about vetting submissions in future, and will make efforts to confirm that developers and companies submitting software to their libraries are really who they say they are.

Mac users, of course, are something of a soft target as many of them still do not run any form of anti-virus software.

And without decent anti-virus software, what chance would the typical Mac user have against this Bitcoin-stealing malware?

Hang on to your hats everyone. Criminals love to go where the money is. And as more and more people experiment online with Bitcoin purchases, you can be sure that some hackers will be looking long and hard at how they might steal the digital currency away from them.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Bitcoin-stealing Mac malware found on popular download websites”

  1. Duped

    Whoops. I've uninstalled this just now. What other actions are required to be safe?
