educational

Hackers Set Sights on Bitcoin-Stealing Malware

As if the world of bitcoin and its copycats was not cloudy enough, criminal hackers are now targeting bitcoin and other cryptocurrency users via malware injections that can (and have) resulted in the loss of the user’s coins.

While the more rabid of cryptocurrency supporters will likely dismiss these reports as they do all bad news surrounding their choice to use these technologies, even Bitcoin.org emphasizes that its users should take the time to inform themselves before using bitcoins “for any serious transaction.”

The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions.

“Bitcoin should be treated with the same care as your regular wallet, or even more in some cases,” states the Bitcoin.org website. “Bitcoin makes it possible to transfer value anywhere in a very easy way and it allows you to be in control of your money. Such great features also come with great security concerns.”

One underreported “great security concern” is the OSX/CoinThief Mac Trojan.

According to SecureMac’s Nicholas Raba, the company recently discovered a new Trojan known as OSX/CoinThief.A that effectively targets Mac OSX-based computers by spying on all of a user’s web traffic in order to steal any bitcoins that user has.

“This malware has been found in the wild, and there are multiple user reports of stolen bitcoins,” Raba revealed. “The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for bitcoin wallets.”

At the forefront of Apple system security since 1999, SecureMac strives to make Mac users’ computer experience secure and trouble free, via its security and privacy software offerings, MacScan and PrivacyScan.

The company offers an interesting report detailing how the CoinThief malware is initially installed on infected systems, along with data on how it disguises its behavior.

“The malware is taking the place of the main binary in the Trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so the app doesn’t appear in the Dock,” states the SecureMac report. “A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle [so] the first time a user runs the Trojanized version of Bitcoin Ticker TTM or Litecoin Ticker the invisible malware program is launched instead.”

CoinThief is as subtle as it is sophisticated — leaving victims unaware of the attack until they discovered their bitcoins or litecoins were missing — and unrecoverable.

“At run time, the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file,” the report explains. “It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.”

Although SecureMac notes that Apple was quick to update XProtect to defend against the two known variants of OSX/CoinThief, it is interesting that Mac rather than Windows users were targeted. Also of significant interest is the vehicle for the attack — where this malware was spread via CNET’s Download.com as well as through MacUpdate.com — two ostensibly “safe” sources for software, from which victims downloaded what they thought were price tickers for the bitcoin and litecoin cryptocurrencies.

The latest version of OSX/CoinThief also included a browser extension for Firefox, which was no doubt popular with power users believing they were ahead of the game — but don’t take that as a bash against the Mozilla folks, as earlier OSX/CoinThief versions already included malicious browser extensions for Apple’s Safari and Google’s Chrome web browsers — all of which are automatically installed without alerting the user.

“The browser extensions were given the generic name of ‘Pop-Up Blocker’ and show a similarly generic description of ‘Blocks pop-up windows and other annoyances,’” the SecureMac report explains. “The malware additionally checks to see if various security programs or code development tools are present on infected systems, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.”

The report notes that these are only some of the steps taken by malware authors to disguise their payload from casual analysis, leading to greater infection rates.

“The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions,” the SecureMac report states. “[These] browser extensions look specifically for login credentials for many popular bitcoin websites as well as bitcoin wallet sites such as blockchain.info [and] when login credentials are identified, such as when a user logs in to check their bitcoin wallet balance, another component of the malware then sends that information back to a remote server run by the malware authors.”

This connection with the creators is a two-way street, as OSX/CoinThief can both send as well as receive commands and information from a remote server, which includes the ability to update itself to the newest version — and this exchange of information isn’t limited to the user’s bitcoin login credentials, but according to SecureMac also includes the username and UUID (unique identifier) for the infected Mac, as well as revealing the presence of a variety of bitcoin-related apps on the system for further targeting of users.

Download.com and MacUpdate.com are only the newest sources of OSX/CoinThief to be discovered, however, with SecureMac previously reporting on its spread through a GitHub download of the StealthBit app. The BitVanity malware also spread via GitHub.

GitHub is a popular repository for open source code that is trusted by web developers, but SecureMac found that the precompiled version of the StealthBit app available on the site did not match a copy generated from the source code, due to its malicious payload. This infected the systems of users who downloaded and ran the precompiled version of StealthBit — resulting in attacks causing the reported loss of significant bitcoin stashes.

Consider this carefully: the services and tools that many cryptocurrency users employ in hopes of securing and trading their coins are actually putting them at risk of easy theft.

As for who is responsible for the OSX/CoinThief attacks, SecureMac notes that the two variants it has seen share the same name and developer information as two apps found in Apple’s Mac App Store, but that an initial analysis of Mac App Store versions did not include the malicious payload found in the version available from Download.com and that it is unclear if there are other variants of OSX/CoinThief being distributed under different names or on other download sites; with more details to be revealed as available.

Related:  

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More Articles

profile

WIA Profile: Reba Rocket

As chief operating officer and chief marketing officer of Takedown Piracy, long at the forefront of intellectual property protection in adult entertainment, Rocket is dedicated to safeguarding the livelihoods of content creators and producers while fostering a more ethical and sustainable industry.

Women In Adult ·
opinion

Protecting Content Ownership Rights When Using AI

In today’s digital age, content producers have more tools at their disposal than ever before. Among these tools, artificial intelligence (AI) content generation has emerged as a game changer, enabling creators to produce high-quality content quickly and efficiently.

Corey D. Silverstein ·
opinion

How Payment Orchestration Can Help Your Business

An emerging payment solution is making waves in the merchant world: the payment orchestration platform (POP). It’s quickly gaining traction as a powerful tool for managing online payments — but questions abound.

Cathy Beardsley ·
opinion

Fine-Tuning Refund and Cancellation Policies

For adult websites, managing refunds and cancellations isn’t just about customer service. It’s a crucial factor in maintaining compliance with the regulations of payment processors and payment networks such as Visa and Mastercard.

Jonathan Corona ·
profile

WIA Profile: Laurel Bencomo

Born in Cambridge, England but raised in Spain, Laurel Bencomo initially chose to study business at the University of Barcelona simply because it felt familiar — both of her parents are entrepreneurs. She went on to earn a master’s degree in sales and marketing management at the EADA Business School, while working in events for a group of restaurants in Barcelona.

Women In Adult ·
profile

Gregory Dorcel on Building Upon His Brand's Signature Legacy

“Whether reflected in the storyline or the cast or even the locations, the entertainment we deliver is based on fantasy,” he elaborates. “Our business is not, and never has been, reality. People who are buying our content aren’t expecting reality, or direct contact with stars like you can have with OnlyFans,” he says.

Jeff Dana ·
opinion

How to Turn Card Brand Compliance Into Effective Marketing

In the adult sector, compliance is often treated as a gauntlet of mandatory checkboxes. While it’s true that those boxes need to be ticked and regulations must be followed, sites that view compliance strictly as a chore risk missing out on a bigger opportunity.

Jonathan Corona ·
opinion

A Look at the Latest AI Tools for Online Safety

One of the defining challenges for adult businesses is helping to combat the proliferation of illegal or nonconsensual content, as well as preventing minors from accessing inappropriate or harmful material — all the more so because companies or sites unable or unwilling to do so may expose themselves to significant penalties and put their users at risk.

Gavin Worrall ·
opinion

Know When to Drop Domains You Don't Need

Do you own too many domains? If so, you’re not alone. Like other things we accumulate, every registered domain means something to us. Sometimes a domain represents a dream project we have always wanted to do but have never quite gotten around to.

Juicy Jay ·
opinion

Understanding 'Indemnification' in Business Contracts

Clients frequently tell me that they didn’t understand — or sometimes, even read — certain portions of a contract because those sections appeared to be just “standard legalese.” They are referring, of course, to the specialized language used in legal documents, including contracts.

Corey D. Silverstein ·
Show More