'CoinThief' Mac Malware Steals Bitcoins From Your Wallet

Malware hidden in a private wallet app is reportedly stealing large amounts of bitcoin from Mac OS X users.

AccessTimeIconFeb 10, 2014 at 12:45 p.m. UTC
Updated Sep 3, 2021 at 9:51 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

UPDATE (12th February, 11:35 GMT): SecureMac reports the bitcoin-stealing malware has spread to popular download sites like Download.com and MacUpdate, under several different names. If you think your machine could be infected, take a screenshot of the instructions here and disconnect from the internet immediately.

A Mac OS X trojan horse masquerading as a private bitcoin wallet app is responsible for "multiple" bitcoin thefts, according to Mac security researchers.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • , a Mac security consultancy that develops the MacScan anti-malware application and blogs about its research, released a report today warning of 'CoinThief.A'.

    Hidden within the open-source OS X bitcoin wallet app StealthBit, CoinThief.A monitors users' web traffic to steal login credentials for software wallets and popular bitcoin sites, including BTC-e, Mt. Gox, and Blockchain.info.

    The StealthBit app had been available on GitHub both as source code and a precompiled download, but the page has now been removed.

    Update: Versions of the malware have been found with numerous different names on other popular software download sites, such as Download.com and MacUpdate.com. BitVanity and StealthBit were distributed on Github, while Bitcoin Ticker TTM and Litecoin Ticker were distributed on Download.com and MacUpdate.com. It seems both app names were copied from legitimate apps in the Mac App Store, but the malicious payload was not found in the official Mac App Store copies of these apps.

    Mismatched code

    Suspicion arose when investigators discovered the precompiled version did not match the source (which more knowledgeable users could examine for themselves and needed to compile before using). The precompiled version contained the malware, whereas the open-source code did not.

    The report said:

    "Upon running the program for the first time, the malware installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions.

    Additionally, the malware installs a program that continually runs in the background, looking for bitcoin wallet login credentials, which are then sent back to a remote server."

    The browser extensions had innocuous sounding names like 'Pop-up Blocker' to avoid detection. Once installed, the trojan also searches the system for anti-malware software and logs unique identifiers (UUIDs) for each infected machine.

    Large thefts

    At least one Bitcoin Talk Forum user reported a whopping 20BTC theft after installing StealthBit, which was also posted on reddit.

    Other investigators noted several similarities between StealthBit and Bitvanity, another piece of notorious Mac malware that stole users' bitcoins last August. Bitvanity posed as a vanity wallet address generator that harvested addresses and private keys from software like the Bitcoin-Qt client.

    StealthBit's GitHub code repository was stored under the username 'thomasrevor' and a reddit user named 'trevorscool' posted an announcement about its development there on 2nd February. Last year, Bitvanity's GitHub code was posted under the name 'trevory'.

    As reported previously on CoinDesk, there are rich rewards for malware and ransomware developers trading in bitcoin thanks to its mostly unregulated and difficult-to-trace nature. Accomplices can be paid, and ransoms collected from anywhere in the world.

    Open-source security

    The discovery has highlighted the benefits (and issues) that surround open-source software. While the malware was not contained in the open-source version of the code, less able or impatient users may still have trusted the precompiled version on GitHub and installed without a second thought.

    The 'clean' open-source version, however, allowed programmers to find a discrepancy between the two versions within days of its appearance, leading to speedy warnings of the malware and, hopefully, fewer infections.

    Hacker Image via Shutterstock

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.