New Mac Malware 'MacSync' Stealing Crypto Wallets

News By Alex Dovbnya Wed, 22/04/2026 - 15:27 Blockchain security firm SlowMist has warned about "MacSync Stealer," a highly destructive new macOS malware campaign designed to drain cryptocurrency wallets and exfiltrate sensitive infrastructure credentials. Advertisement New Mac Malware 'MacSync' Stealing Crypto Wallets

Cover image via U.Today

The modus operandi
Other MacOS-related incidents

Blockchain security firm SlowMist has warned about a highly destructive new macOS infostealer dubbed "MacSync Stealer" (v1.1.2).

The active malware campaign is specifically targeting Apple users to drain cryptocurrency wallets and exfiltrate highly sensitive infrastructure credentials.

The modus operandi

Deceptive social engineering tactics are used by malicious actors to bypass user defenses.

HOT Stories Trader Who Predicted 700% XRP Rally is 'Cautiously Optimistic' Again; Strategy CEO Issues Bitcoin Teaser as BTC Price Unlocks $96,600 Outlook; Dogecoin Targets 34% Upside with Zero ETF Inflows - Morning Crypto Report Brian Armstrong: New Satoshi Doc is the Best Yet

The malware uses fake AppleScript system dialogs that mimic legitimate macOS password prompts to phish for the user's login credentials.

The malware silently exfiltrates their data in the background once the victim takes the bait. MacSync Stealer displays a fake "not supported" error message immediately after the data extraction is complete in order not to raise any suspicion. The trick makes it seem like the application simply failed to launch.

Other MacOS-related incidents

This is not an isolated incident. Bybit's security team has just uncovered a malware campaign targeting macOS users searching for Claude Code.

Recently, Microsoft Threat Intelligence exposed a highly targeted macOS campaign orchestrated by "Sapphire Sleet," a known North Korean state-sponsored threat actor. Sapphire Sleet uses advanced social engineering to impersonate legitimate macOS software updates and steal cryptocurrency wallets.

One should also mention the "Infinity Stealer" malware, which demonstrated how Windows-centric attack methods are being adapted for macOS. It uses the "ClickFix" technique to present victims with a fake CAPTCHA page. Cybersecurity firm SOC Prime has also identified "MioLab," which is a commercially distributed macOS infostealer explicitly built to target high-value victims, including crypto holders.

The modus operandi
Other MacOS-related incidents

News Apr 22, 2026 - 15:31 Bitcoin Hits $79,000 as a 4,362% Liquidation Imbalance Confirms a Massive Short Squeeze ByGamza Khanzadaev News Apr 22, 2026 - 15:21 Anthony Pompliano Moves Satoshi Title to All Bitcoin Holders ByCaroline Amosun

This article was originally published on U.Today and is republished here under RSS syndication for informational purposes. All rights and intellectual property remain with the original author. If you are the author and wish to have this article removed, please contact us at [email protected].