Hackers Set Sights on Bitcoin-Stealing Malware

As if the world of bitcoin and its copycats was not cloudy enough, criminal hackers are now targeting bitcoin and other cryptocurrency users via malware injections that can result (and have resulted) in the loss of the user’s coins.

While the more rabid of cryptocurrency supporters will likely dismiss these reports as they do all bad news surrounding their choice to use these technologies, even Bitcoin.org emphasizes that its users should take the time to inform themselves before using bitcoins “for any serious transaction.”

“Bitcoin should be treated with the same care as your regular wallet, or even more in some cases,” states the Bitcoin.org website. “Bitcoin makes it possible to transfer value anywhere in a very easy way and it allows you to be in control of your money. Such great features also come with great security concerns.”

One underreported “great security concern” is the OSX/CoinThief Mac Trojan.

According to SecureMac’s Nicholas Raba, the company recently discovered a new Trojan known as OSX/CoinThief.A that targets Mac OS X-based computers by spying on all of a user’s web traffic in order to steal any bitcoins that user has.

“This malware has been found in the wild, and there are multiple user reports of stolen bitcoins,” Raba revealed. “The malware, which comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses, instead covertly monitors all web browsing traffic in order to steal login credentials for bitcoin wallets.”

At the forefront of Apple system security since 1999, SecureMac strives to make Mac users’ computer experience secure and trouble free, via its security and privacy software offerings, MacScan and PrivacyScan.

The company offers an interesting report detailing how the CoinThief malware is initially installed on infected systems, along with data on how it disguises its behavior.

“The malware is taking the place of the main binary in the Trojanized versions of Bitcoin Ticker TTM and Litecoin Ticker, and is set up to run as an agent with a setting for LSUIElement in the Info.plist file. This makes it so the app doesn’t appear in the Dock,” states the SecureMac report. “A copy of the real Bitcoin Ticker TTM/Litecoin Ticker main binary is hidden in the app bundle [so] the first time a user runs the Trojanized version of Bitcoin Ticker TTM or Litecoin Ticker the invisible malware program is launched instead.”

CoinThief is as subtle as it is sophisticated — leaving victims unaware of the attack until they discover their bitcoins or litecoins are missing — and unrecoverable.

“At run time, the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file,” the report explains. “It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.”
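As an added defender-side example (not SecureMac’s code or anything from its report), the following heuristic inspects a .app bundle for the two layout traits the report describes before the Trojan’s first run: LSUIElement set in Info.plist, and a second Mach-O executable stashed outside Contents/MacOS. The bundle it scans is a constructed sample; LSUIElement alone is normal for menu-bar apps, so only the combination is interesting, and the report notes the malware removes the entry once it has run.

```python
# Added example, not SecureMac's code: heuristic check for an .app bundle laid
# out like the Trojanized Bitcoin Ticker TTM described above. Assumes a standard
# bundle layout; the bundle built by build_sample_bundle() is constructed.
import os
import plistlib
import tempfile

# Mach-O and universal-binary magic numbers (both byte orders, 32- and 64-bit)
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_macho(path):
    with open(path, "rb") as f:
        return f.read(4) in MACHO_MAGICS

def inspect_bundle(app_dir):
    """Return a list of findings; an empty list means no CoinThief-style signal."""
    contents = os.path.join(app_dir, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    findings = []
    # Signal 1: the app asks to run without a Dock icon. Legitimate for
    # menu-bar apps, so on its own this is only a weak indicator.
    if info.get("LSUIElement") in (True, 1, "1"):
        findings.append("LSUIElement set: app runs hidden from the Dock")
    # Signal 2: an extra Mach-O outside Contents/MacOS, where the Trojan keeps
    # the real ticker binary until it swaps it back into place after unpacking.
    macos_dir = os.path.join(contents, "MacOS")
    for root, _dirs, files in os.walk(contents):
        for name in files:
            path = os.path.join(root, name)
            if not root.startswith(macos_dir) and is_macho(path):
                findings.append("extra Mach-O outside Contents/MacOS: "
                                + os.path.relpath(path, app_dir))
    return findings

def build_sample_bundle(trojanized):
    """Constructed sample: a fake Ticker.app mirroring the described layout."""
    app = os.path.join(tempfile.mkdtemp(), "Ticker.app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    os.makedirs(os.path.join(app, "Contents", "Resources"))
    info = {"CFBundleExecutable": "Ticker", "LSUIElement": trojanized}
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump(info, f)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\0" * 28   # fake 64-bit Mach-O header
    with open(os.path.join(app, "Contents", "MacOS", "Ticker"), "wb") as f:
        f.write(fake_macho)
    if trojanized:  # hidden copy of the "real" binary, as the report describes
        with open(os.path.join(app, "Contents", "Resources", ".ticker"), "wb") as f:
            f.write(fake_macho)
    return app
```

Running `inspect_bundle(build_sample_bundle(True))` reports both signals, while the clean variant returns an empty list.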

Although SecureMac notes that Apple was quick to update XProtect to defend against the two known variants of OSX/CoinThief, it is interesting that Mac rather than Windows users were targeted. Also of significant interest is the vehicle for the attack: this malware was spread via CNET’s Download.com as well as through MacUpdate.com — two ostensibly “safe” sources for software, from which victims downloaded what they thought were price tickers for the bitcoin and litecoin cryptocurrencies.

The latest version of OSX/CoinThief also included a browser extension for Firefox, which was no doubt popular with power users believing they were ahead of the game — but don’t take that as a bash against the Mozilla folks, as earlier OSX/CoinThief versions already included malicious browser extensions for Apple’s Safari and Google’s Chrome web browsers — all of which are automatically installed without alerting the user.

“The browser extensions were given the generic name of ‘Pop-Up Blocker’ and show a similarly generic description of ‘Blocks pop-up windows and other annoyances,’” the SecureMac report explains. “The malware additionally checks to see if various security programs or code development tools are present on infected systems, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.”

The report notes that these are only some of the steps taken by malware authors to disguise their payload from casual analysis, leading to greater infection rates.

“The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that their web browsing traffic is now being monitored by the malicious extensions,” the SecureMac report states. “[These] browser extensions look specifically for login credentials for many popular bitcoin websites as well as bitcoin wallet sites such as blockchain.info [and] when login credentials are identified, such as when a user logs in to check their bitcoin wallet balance, another component of the malware then sends that information back to a remote server run by the malware authors.”

This connection with the creators is a two-way street, as OSX/CoinThief can both send commands and information to a remote server and receive them from it, including the ability to update itself to the newest version. This exchange of information isn’t limited to the user’s bitcoin login credentials: according to SecureMac, it also includes the username and UUID (unique identifier) of the infected Mac, and reveals the presence of a variety of bitcoin-related apps on the system for further targeting of users.

Download.com and MacUpdate.com are only the newest sources of OSX/CoinThief to be discovered, however, with SecureMac previously reporting on its spread through a GitHub download of the StealthBit app. The BitVanity malware also spread via GitHub.

GitHub is a popular repository for open source code that is trusted by web developers, but SecureMac found that the precompiled version of the StealthBit app available on the site did not match a copy generated from the source code, due to its malicious payload. This infected the systems of users who downloaded and ran the precompiled version of StealthBit — resulting in attacks causing the reported loss of significant bitcoin stashes.

Consider this carefully: the services and tools that many cryptocurrency users employ in hopes of securing and trading their coins are actually putting them at risk of easy theft.

As for who is responsible for the OSX/CoinThief attacks, SecureMac notes that the two variants it has seen share the same name and developer information as two apps found in Apple’s Mac App Store, but that an initial analysis of the Mac App Store versions did not find the malicious payload present in the version available from Download.com. It is unclear whether other variants of OSX/CoinThief are being distributed under different names or on other download sites; more details are to be revealed as they become available.

Copyright © 2025 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.