VECStake Live - Bybit Uncovers macOS Malware Campaign Targeting Claude Code Search Terms

April 22, 2026 | VECS News


Bybit, the world’s second-largest cryptocurrency exchange by trading volume, has disclosed a sophisticated multi-stage malware campaign targeting macOS users searching for “Claude Code,” an AI-powered development tool from Anthropic. The report, released by Bybit’s Security Operations Center, marks one of the first known disclosures by a centralized crypto exchange of an active threat campaign targeting developers through AI tool discovery channels. First identified in March 2026, the campaign represents a new frontier in crypto-related cybercrime where attackers weaponize the popularity of artificial intelligence tools to compromise digital asset holders.


The attack chain begins with search engine optimization poisoning, a technique that elevates malicious domains to the top of Google search results. Unsuspecting users searching for legitimate AI development tools are redirected to a spoofed installation page designed to closely resemble authentic documentation. From there, a two-stage attack sequence is triggered. The initial payload, delivered via a Mach-O dropper, deploys an osascript-based infostealer exhibiting characteristics similar to known AMOS and Banshee malware variants. This first-stage malware unpacks itself through several layers of obfuscation before it begins extracting sensitive data.


For cryptocurrency investors, the scope of targeted assets is alarming. Bybit researchers identified targeted access attempts against more than 250 browser-based wallet extensions and multiple desktop wallet applications. The malware extracts browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and comprehensive cryptocurrency wallet information. In some cases, attackers attempted to replace legitimate crypto wallet applications such as Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure. This means even users with hardware wallets could be compromised if they install the fake software.


The second-stage payload introduces a C++-based backdoor with advanced evasion capabilities that make detection particularly challenging. This backdoor includes sandbox detection to avoid analysis environments and encrypted runtime configurations to hide its activities. The malware establishes persistence through system-level agents, ensuring it survives system reboots. It enables remote command execution via HTTP-based polling, granting attackers ongoing control over compromised devices. Unlike a long-lived connection, which is comparatively easy to spot, intermittent HTTP polling blends into ordinary web traffic and slips past many security tools.
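Two of the behaviours described above, persistence through a launch agent and periodic HTTP polling, leave traces a defender can check for. The script below is an added example, not code from Bybit’s report; it assumes the “system-level agents” are launchd property lists under ~/Library/LaunchAgents (the report does not say which mechanism was used) and works on constructed sample plists and constructed proxy log lines, so it runs offline. The triage rules (RunAtLoad plus KeepAlive, an interpreter as the launcher, a program in a hidden or temporary directory, an Apple-looking label pointing at a non-Apple binary) and the beacon heuristic (at least five requests to one host with a near-constant interval) are the author’s assumptions, not indicators from the campaign.

```python
"""Added example (not from Bybit's report): triage macOS launch agents and
spot low-jitter HTTP polling. All plists and log lines below are constructed."""
import plistlib
import re
import statistics
from datetime import datetime

# Constructed stand-ins for files under ~/Library/LaunchAgents. The "com.apple.*"
# label is hypothetical: it imitates how a backdoor might blend in, not a real agent.
SAMPLE_PLISTS = {
    "com.apple.update-helper.plist": {
        "Label": "com.apple.update-helper",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/dev/Library/.cache/.agent --poll"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.docker.vmnetd.plist": {
        "Label": "com.docker.vmnetd",
        "ProgramArguments": ["/Library/PrivilegedHelperTools/com.docker.vmnetd"],
        "RunAtLoad": True,
    },
}
# Serialised so the triage starts from raw plist bytes, as it would from disk.
SAMPLE_PLIST_BYTES = {name: plistlib.dumps(body) for name, body in SAMPLE_PLISTS.items()}

HIDDEN_OR_TEMP = re.compile(r"(^|/)(\.[^/ ]+|tmp|private/tmp|var/folders)(/|$)")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/curl"}
APPLE_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")


def triage_launch_agent(plist):
    """Return the reasons a launchd agent dictionary deserves a closer look."""
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    cmdline = " ".join(args)
    reasons = []
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive")          # relaunches itself if killed
    if args[0] in INTERPRETERS:
        reasons.append("interpreter launcher")        # shell/osascript/curl wrapper
    if HIDDEN_OR_TEMP.search(cmdline):
        reasons.append("hidden/temp path")            # program lives in a dot-dir or tmp
    if plist.get("Label", "").startswith("com.apple.") and not args[0].startswith(APPLE_PREFIXES):
        reasons.append("apple-like label, non-Apple program")
    return reasons


def triage_plist_bytes(data):
    """Same check, starting from the raw bytes of a .plist file."""
    return triage_launch_agent(plistlib.loads(data))


# Constructed proxy log: timestamp, client, method, host, status.
# The first host is polled every ~30 s; the second is ordinary bursty browsing.
SAMPLE_PROXY_LOG = """\
2026-03-12T09:00:02Z 10.0.0.21 GET update.example-cdn.invalid 200
2026-03-12T09:00:31Z 10.0.0.21 GET update.example-cdn.invalid 200
2026-03-12T09:01:01Z 10.0.0.21 GET update.example-cdn.invalid 200
2026-03-12T09:01:30Z 10.0.0.21 GET update.example-cdn.invalid 200
2026-03-12T09:02:00Z 10.0.0.21 GET update.example-cdn.invalid 200
2026-03-12T09:00:05Z 10.0.0.21 GET pkgs.example.org 200
2026-03-12T09:00:09Z 10.0.0.21 GET pkgs.example.org 200
2026-03-12T09:01:50Z 10.0.0.21 GET pkgs.example.org 200
2026-03-12T09:03:12Z 10.0.0.21 GET pkgs.example.org 200
2026-03-12T09:03:14Z 10.0.0.21 GET pkgs.example.org 200
"""


def find_beacons(log_text, min_requests=5, max_cv=0.15):
    """Group requests by (client, host) and flag hosts polled at a near-constant interval.

    Returns {(client, host): mean_interval_seconds} for every beacon-like pair. The
    coefficient of variation of the inter-request gaps separates a timer-driven poll
    (low jitter) from human browsing (bursty)."""
    times = {}
    for line in log_text.splitlines():
        ts, client, _method, host, _status = line.split()
        times.setdefault((client, host), []).append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    beacons = {}
    for key, seen in times.items():
        if len(seen) < min_requests:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for name, data in SAMPLE_PLIST_BYTES.items():
        print(name, triage_plist_bytes(data) or "clean")
    for (client, host), interval in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"beacon: {client} -> {host} every ~{interval}s")
```

On a real host, replace the constructed dictionary with a walk over ~/Library/LaunchAgents and /Library/LaunchAgents and feed the bytes of each file to triage_plist_bytes; the beacon check is meant for proxy or DNS logs exported from the network side, where the polling interval is visible even when the endpoint itself is compromised.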


The campaign’s social engineering tactics extend beyond fake download pages. Investigators discovered fake macOS password prompts used to validate and cache user credentials. When users enter their system passwords believing they are performing a legitimate installation, the malware captures these credentials for later use. The malware also targets a wide range of environments including Chromium-based browsers, Firefox variants, Safari data, Apple Notes, and local file directories commonly used to store sensitive financial or authentication information. Every aspect of a developer’s digital life is potentially exposed.
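The data the stealer goes after (wallet extension storage, browser credential databases, the login Keychain, Apple Notes, as listed above and in the wallet paragraph before it) all lives in well-known files that only a handful of processes legitimately read. The script below is an added example, not code from Bybit’s report: it runs a small allow-list over constructed file-access events (the event line format is invented for the example; map your EDR or endpoint telemetry into it) and raises an alert whenever a process outside the allow-list opens one of those stores, then flags any process that touches several categories in a row, the collection pattern of an infostealer. The path patterns are the standard macOS locations; the allowed-process table is the author’s assumption and will need tuning for backup agents and password managers.

```python
"""Added example (not from Bybit's report): flag reads of credential stores and
wallet-extension storage by processes that have no business touching them.
Event lines are constructed; the allow-list of readers is an assumption."""
import os
import re
from collections import defaultdict

# (category, path pattern under the user's home, process names expected to read it)
SENSITIVE_STORES = [
    ("chrome-extension-storage",
     re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Local Extension Settings/[a-p]{32}/"),
     {"Google Chrome", "Google Chrome Helper"}),
    ("chrome-logins",
     re.compile(r"/Library/Application Support/Google/Chrome/[^/]+/Login Data$"),
     {"Google Chrome"}),
    ("firefox-logins",
     re.compile(r"/Library/Application Support/Firefox/Profiles/[^/]+/(logins\.json|key4\.db)$"),
     {"firefox"}),
    ("keychain", re.compile(r"/Library/Keychains/login\.keychain-db$"), {"securityd", "security"}),
    ("apple-notes",
     re.compile(r"/Library/Group Containers/group\.com\.apple\.notes/NoteStore\.sqlite$"),
     {"Notes"}),
]

# Constructed telemetry format: one event per line, key=value fields, path last
# because macOS paths contain spaces.
EVENT_RE = re.compile(r"^(\S+) pid=(\d+) proc=(.*?) action=(\w+) path=(.*)$")

SAMPLE_EVENTS = """\
2026-03-12T10:14:01Z pid=5120 proc=/Users/dev/Library/.cache/.agent action=open path=/Users/dev/Library/Application Support/Google/Chrome/Default/Local Extension Settings/aaaabbbbccccddddeeeeffffgggghhhh/000005.ldb
2026-03-12T10:14:01Z pid=5120 proc=/Users/dev/Library/.cache/.agent action=open path=/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data
2026-03-12T10:14:02Z pid=5120 proc=/Users/dev/Library/.cache/.agent action=open path=/Users/dev/Library/Keychains/login.keychain-db
2026-03-12T10:14:02Z pid=5120 proc=/Users/dev/Library/.cache/.agent action=open path=/Users/dev/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite
2026-03-12T10:15:00Z pid=811 proc=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome action=open path=/Users/dev/Library/Application Support/Google/Chrome/Default/Login Data
2026-03-12T10:15:30Z pid=101 proc=/usr/sbin/securityd action=open path=/Users/dev/Library/Keychains/login.keychain-db
2026-03-12T10:16:10Z pid=902 proc=/Applications/Firefox.app/Contents/MacOS/firefox action=open path=/Users/dev/Library/Application Support/Firefox/Profiles/x1y2z3.default/logins.json
"""


def classify(path):
    """Map a path to its sensitive-store category and the processes allowed to read it."""
    for category, pattern, allowed in SENSITIVE_STORES:
        if pattern.search(path):
            return category, allowed
    return None, None


def detect_off_process_reads(event_text):
    """Return one alert per open/read of a sensitive store by a non-allowed process."""
    alerts = []
    for line in event_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, pid, proc, action, path = m.groups()
        if action not in ("open", "read"):
            continue
        category, allowed = classify(path)
        if category and os.path.basename(proc) not in allowed:
            alerts.append({"ts": ts, "pid": int(pid), "proc": proc, "category": category, "path": path})
    return alerts


def find_collection_bursts(alerts, min_categories=3):
    """Processes that hit several distinct stores: the signature of bulk collection."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["pid"]].add(alert["category"])
    return {pid: sorted(cats) for pid, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    found = detect_off_process_reads(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['ts']} pid={alert['pid']} {alert['proc']} read {alert['category']}")
    for pid, cats in find_collection_bursts(found).items():
        print(f"collection burst: pid={pid} touched {', '.join(cats)}")
```

The two-level design matters: a single off-process read of Login Data might be a backup tool, but one short-lived process opening extension storage, the login Keychain and Notes within a second is the behaviour the report describes, and it is worth paging on even before any sample has been reversed.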


Bybit’s Security Operations Center leveraged AI-assisted workflows across the full malware analysis lifecycle, demonstrating how artificial intelligence can be used defensively. Initial triage and classification of the Mach-O sample were completed within minutes, with AI models flagging behavioral similarities to known malware families. AI-assisted reverse engineering and control-flow analysis reduced the time required for deep inspection of the second-stage backdoor from an estimated six to eight hours to under 40 minutes. This represents a 70% acceleration in threat response compared to traditional workflows.


David Zong, Head of Group Risk Control and Security at Bybit, said the findings were published to strengthen collective defense across the industry. “As one of the first crypto exchanges to publicly document this type of malware campaign, we believe sharing these findings is critical to strengthening collective defense across the industry,” Zong said. “Looking to the future, we will face an AI war. Using AI to defend against AI is an inevitable trend. Bybit will further increase its investment in AI for security, achieving minute-level threat detection and automated, intelligent emergency response.”


The incident reflects a broader trend in Web3 security where attackers increasingly target people rather than code vulnerabilities. According to industry data, social engineering attacks accounted for 74.7% of all crypto hack losses in the first quarter of 2026. This represents a dramatic increase from 28.7% in 2021. The reason is simple: compromising a person with existing system access is often easier than finding and exploiting a smart contract vulnerability. As AI tools gain mainstream adoption, developers searching for these tools have become high-value targets due to their access to codebases, infrastructure, and financial systems.


For crypto investors, this campaign underscores a critical weakness in the custody chain. Even the most secure hardware wallet becomes vulnerable if the connected computer is compromised. The malware’s ability to target browser-based wallet extensions means that investors using MetaMask, Phantom, or similar extensions could have their private keys extracted during a transaction. With Web3 stolen fund recovery rates consistently below 10% since 2020, prevention rather than remediation remains the only effective strategy. This reality continues to serve as a key barrier to institutional investment in the crypto space.


Bybit confirmed that malicious infrastructure was identified on March 12, 2026, with full analysis, mitigation, and detection measures completed within the same day. Public disclosure followed on March 20 alongside detailed detection guidance. All domains and command-and-control endpoints associated with the campaign have been defanged for public disclosure. For crypto investors and developers using macOS, the key takeaways are clear: only download software from official sources, enable two-factor authentication on all crypto accounts, use hardware wallets with caution when connecting to any computer, and remain skeptical of search results for popular AI tools.
