It’s commonly said in the crypto world that Apple computers are safer than Windows systems, but nothing is completely secure.
Recently, a video posted by SlowMist team member @im23pds sparked heated discussions. In the video, after a Mac installed a DMG package, the hacker’s server obtained various account permissions and wallet private key files from the computer in just ten seconds — completely compromising the system.
This article will explain how the attack happened and provide three crucial recommendations you must know.
How exactly does the attack happen?
1. Bypassed Apple’s Official Review
It’s easy to guess that the attack begins with a typical phishing tactic: tricking the user into thinking they are installing legitimate software, when in fact, it’s a trojan virus. Windows faces similar risks.
In most cases, installing software from the App Store is safe because Apple has a stringent review process, and an App Store app’s access to the system is tightly restricted, minimizing the chance of malicious activity.
However, many users are in the habit of installing software from outside the App Store, ignoring the warnings about “unknown programs.” In this case, the user installs an unknown program directly.
2. Obtained the Mac’s Admin Password
This admin password is also your lock screen password, and having it grants system permissions. Once an application gets this password, it can make system-level changes (like modifying system configurations or accessing specific system folders).
Keep in mind that most legitimate apps do not require admin permissions. This malicious program craftily pops up a window saying, “Enter your unlock password to install.”
Those unfamiliar with macOS security can fall for this. Once the password is entered, the malicious program is free to cause harm.
3. A Full Auto Sweep
Next comes the swift part: within seconds, the malware scans and uploads sensitive files like browser cookies, auto-fill data, passwords, and encrypted local files containing wallet seed phrases (e.g., MetaMask). It can even access passwords saved in iCloud.
According to SlowMist’s @evilcos, the attack generally aims to:
a. Extract encrypted local seed phrases from wallets and upload them. Some passwords can be decrypted locally, while others are sent to the hacker to be cracked later. Some people find their assets stolen days later. If the target wallet has a small balance, the hacker might wait to steal when it grows. Even if you use a complex password to protect MetaMask, if your wallet is ever unlocked, the hacker can steal your private key in the background.
b. Steal account permissions stored in browser cookies. For example, X accounts or exchanges can be compromised to send malicious messages or transfer tokens.
c. Compromise Telegram, Discord, etc., to send malicious messages.
How to Prevent It? Three Essential Tips to Thwart Hackers.
1. Don’t Ignore the Risks of Installing Unknown Apps on Your Crypto Computer.
First, be extremely cautious when someone asks you to install an app, especially if it’s disguised as a project-related app or game. These are often trojan scams.
Second, if you have poor security habits, such as installing third-party software recklessly, being unable to recognize malware, or not using a virtual sandbox environment, then don’t use that computer for crypto transactions. At the very least, install antivirus software.
Moreover, third-party software that is safe today may not stay safe: a future update or a newly downloaded DMG package could be malicious.
Lastly, never give an unknown program your admin password.
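As an added example (not code from the article or from OneKey), here is a Python pre-install check that applies this tip to a downloaded app: it asks Gatekeeper whether the bundle is notarized and accepted, and compares the download’s SHA-256 with the hash the vendor published. The sample bundle paths, team ID and the two spctl outputs are constructed for illustration.

```python
import hashlib
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple
def sha256_of_file(path: str) -> str:
    """Hash the downloaded DMG/app in 1 MiB chunks (large images stay cheap)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_spctl(output: str) -> Dict[str, str]:
    """Turn `spctl --assess -vv` text into verdict/source/origin fields."""
    m = re.search(r":\s*(accepted|rejected)\s*$", output, re.M)
    fields = dict(re.findall(r"^(source|origin)=(.*)$", output, re.M))
    return {"verdict": m.group(1) if m else "unknown",
            "source": fields.get("source", ""),
            "origin": fields.get("origin", "")}

def assess_with_spctl(path: str) -> Dict[str, str]:
    """Ask Gatekeeper directly; on a non-macOS host spctl is simply absent."""
    if shutil.which("spctl") is None:
        return {"verdict": "unknown", "source": "spctl not available", "origin": ""}
    r = subprocess.run(["spctl", "--assess", "-vv", path],
                       capture_output=True, text=True)
    return parse_spctl(r.stdout + r.stderr)  # verbose lines arrive on stderr

def decide(assessment: Dict[str, str], actual_sha256: str,
           published_sha256: Optional[str]) -> Tuple[bool, List[str]]:
    """Refuse to install unless every check passes; return what failed."""
    reasons: List[str] = []
    if assessment["verdict"] != "accepted":
        reasons.append(f"Gatekeeper verdict {assessment['verdict']}: "
                       f"{assessment['source'] or 'no source given'}")
    if "Notarized" not in assessment["source"]:
        reasons.append("not notarized by Apple (unsigned or unknown developer)")
    if published_sha256 is None:
        reasons.append("vendor published no SHA-256 to compare against")
    elif actual_sha256.lower() != published_sha256.lower():
        reasons.append("SHA-256 differs from the vendor-published value")
    return (not reasons, reasons)
# Constructed sample outputs in spctl's format so the logic can run offline.
SAMPLE_ACCEPTED = ("/Applications/Example.app: accepted\n"
                   "source=Notarized Developer ID\n"
                   "origin=Developer ID Application: Example Vendor (TEAMID0000)\n")
SAMPLE_REJECTED = ("/Users/me/Downloads/Wallet.app: rejected\n"
                   "source=no usable signature\n")
```

On a Mac, call `assess_with_spctl(path)` on the unpacked .app and feed the result, together with `sha256_of_file(path)` and the hash from the vendor’s download page, into `decide`; any non-empty reason list means do not install.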
2. Use a Hardware Wallet to Isolate Your Private Key!
Diversifying risk is crucial. Make sure you aren’t at risk of losing everything to a single attack.
Only keep a small amount of assets in hot wallets like MetaMask, which you can access as needed. The risk with hot wallets is that your private key is generated, stored, encrypted, and signed on the same online device. If malware accesses your private key file or a hacker takes control, all assets could be stolen at once.
Therefore, it’s recommended to use one or even multiple multi-signature hardware wallets to store most of your assets.
Mainstream hardware wallets like OneKey (ours), Ledger, Trezor, and others are designed to ensure your private key is generated, stored, and signed in offline, encrypted hardware, only transmitting necessary information during the signing process.
This keeps your private key completely off your computer, reducing the risk of it being compromised by hackers.
3. Use the Web Version of Exchanges and Avoid Saving Login Information
Web-based exchanges are generally less secure than mobile apps, so always log out after using them.
Many people choose to save their passwords and login details for convenience. However, this can make it easy for attackers to access your exchange accounts if the device is compromised.
Although most people set up 2FA, there are still ways around it. There have been cases where malicious Chrome extensions stole cookies and manipulated trades to move funds to the hackers through low-buy, high-sell operations.
Lastly
The best defense is always vigilance — prevention is better than cure.
Phishing has become an industrialized and automated process, with clear divisions of labor and profit-sharing. Once assets are transferred and laundered by a professional hacker group, they are often irretrievable! It’s best not to give hackers any opportunity at all.