Fake BlueWallet Site Tricks Mac Users Into Crypto Theft

A fake BlueWallet webpage prompts macOS users to open an AppleScript in Script Editor and press Run, installing malware that steals credentials and wallet data and swaps copied crypto addresses.

A fraudulent website impersonating BlueWallet delivers an AppleScript named “BlueWallet Installer.applescript” that macOS users are instructed to open in Script Editor and execute. The site automatically starts a download shortly after loading and presents step-by-step directions that tell visitors to press the play button or press ⌘R in Script Editor. Running the script inside Script Editor bypasses macOS notarization and quarantine checks for unsigned apps.

The initial AppleScript contains a short base64-encoded command that downloads a second script from projects2026box[.]com, saves it as a hidden file at /tmp/.sysupd.sh, makes it executable and launches it in the background. The second-stage script creates a hidden working directory, sets restrictive permissions, and decodes configuration values with a simple XOR routine. Decoded values include a Telegram bot token and chat identifier that act as the malware’s command-and-control and exfiltration channel.

The payload collects a broad range of data from the infected Mac. It extracts browser history, cookies, saved logins and bookmarks from multiple Chromium-based browsers, Firefox variants and Safari. It targets desktop and extension cryptocurrency wallets, including Electrum, Exodus, Ledger Live, Trezor Suite, Bitcoin Core, MetaMask and Phantom, and it searches for wallet files and seed materials. Local password manager data is also targeted, with the malware looking for data from products such as 1Password, Bitwarden and LastPass. The script copies developer and cloud credentials from .ssh, .aws and .gnupg folders and grabs the Apple Notes database and common document types with extensions like .wallet, .key, .seed, .kdbx, .pem and .env.

A background routine continuously monitors the clipboard for Bitcoin, Ethereum and Solana address patterns. When it detects a matching address, the malware records the original and replaces it with an attacker-controlled address so pasted payment destinations point to the attackers. The sample contains three attacker addresses in plaintext: BTC bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e, ETH 0x2B871703122064e45d77146a6D5203da3bD192FA and SOL 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v.

The implant prompts users with an OS dialog labeled “System Preferences” to capture account passwords, validating each entry before saving it. Stolen data is archived with macOS’s ditto utility, split into 49 MB chunks to fit Telegram’s upload limits, and sent over the Telegram bot channel. The malware writes a LaunchAgent plist to ~/Library/LaunchAgents to persist across user logins and supports remote commands that include running shell commands, downloading files, re-running data collection and removing itself.

Indicators include the domains update-bluewallet[.]com and projects2026box[.]com and a first-stage AppleScript with SHA-256 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61. Behavioral signs include Script Editor executing a base64-encoded shell command that downloads a hidden /tmp/.sysupd.sh and process activity that communicates with Telegram’s Bot API.

Security guidance for users who ran the script advises cutting network access, scanning the device with up-to-date security software, and using a separate, clean device to change email and exchange passwords. Move cryptocurrency to a new wallet created on a clean machine and treat existing seed phrases and private keys as exposed. Check ~/Library/LaunchAgents for unfamiliar plist files and look for a hidden .sysupd.sh in /tmp. Rotate cloud and SSH credentials if related files were present. If a clean state cannot be confirmed, back up important files and reinstall macOS from a known-good source rather than attempting in-place cleanup.
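The manual checks in this guidance can be scripted. The following Python triage helper is an added example, not code from the article or from any vendor tooling; it assumes standard macOS per-user paths (Users/*/Library/LaunchAgents and Users/*/Downloads) and, since the article does not say what the persistence plist executes, assumes the agent's program arguments reference the hidden /tmp script.

```python
import hashlib
import plistlib
from pathlib import Path

# Indicators quoted in the article above; everything else in this block is constructed.
STAGE1_SHA256 = "216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61"
STAGE2_HIDDEN = "tmp/.sysupd.sh"          # relative to the scan root
# Assumption: the LaunchAgent points at the dropped script (not stated in the article).
SUSPECT_ARG_MARKERS = ("/tmp/.sysupd.sh", ".sysupd.sh")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large downloads are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_host(root, stage1_hashes=frozenset({STAGE1_SHA256})) -> dict:
    """Triage a macOS tree (root="/" on a live host) for the indicators above.

    Returns lists of matching paths keyed by indicator. An empty list means that
    indicator did not match, not that the host is clean.
    """
    root = Path(root)
    findings = {"hidden_stage2": [], "launch_agents": [], "stage1_hash": []}

    # 1. The hidden second-stage script dropped to /tmp.
    if (root / STAGE2_HIDDEN).exists():
        findings["hidden_stage2"].append(str(root / STAGE2_HIDDEN))

    # 2. Per-user LaunchAgents whose ProgramArguments reference the hidden script.
    #    Unparseable plists are reported too; a parse failure deserves a human look.
    for plist in root.glob("Users/*/Library/LaunchAgents/*.plist"):
        try:
            args = plistlib.loads(plist.read_bytes()).get("ProgramArguments", [])
        except Exception:
            findings["launch_agents"].append(f"{plist} (unparseable)")
            continue
        if any(m in " ".join(map(str, args)) for m in SUSPECT_ARG_MARKERS):
            findings["launch_agents"].append(str(plist))

    # 3. Downloaded AppleScripts whose hash matches the published first stage.
    for script in root.glob("Users/*/Downloads/*.applescript"):
        if sha256_file(script) in stage1_hashes:
            findings["stage1_hash"].append(str(script))

    return findings
```

Run it as `scan_host("/")` on the suspect Mac, or point it at a mounted image of the disk so the host itself is not trusted to report on its own state.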
