Mac Trojan Lifts Bitcoins from Digital Wallets


Related Links

Related Stories

  • Multi-platform Java Bot Provokes DDoS Floods
    A new malicious Java application aimed at fomenting widespread distributed denial-of-service (DDoS) attacks is making the rounds: a multi-platform bot capable of running on Windows, Mac OS and Linux.
  • Ongoing Bitcoin Targeted Phishing Campaign
    As the value of bitcoins increases, and their mining gets harder, it seems that the criminals are turning to old-fashioned theft to get hold of them. There is a current targeted phishing campaign apparently designed to relieve bitcoin users of their currency.
  • Bitcoin Payment Processor Breached – 1,295 Bitcoins (c$1m) Stolen
    BIPS, based in Copenhagen, Denmark and one of Europe's largest bitcoin payment processors, was breached last week. 1,295 bitcoins, worth around $1,000,000, were stolen. It is thought a two-stage attack – DDoS followed by hack – was employed.
  • Bitcoin Besieged by Hackers and Regulators
    Just as Bitcoin warns its users that Android-based bitcoin wallets are vulnerable to theft, so the New York Department of Financial Services subpoenas 22 digital currency companies and investors, and investigates the regulatory guidelines that should be put in place.
  • Mt. Gox suffers DDoS outage – again
    Mt. Gox, the world’s largest Bitcoin exchange, has suffered yet another distributed denial-of-service (DDoS) attack-related outage – making April a bit of a cruel month for the platform.

Top 5 Stories


Mac Trojan Lifts Bitcoins from Digital Wallets

10 February 2014

A new Trojan called OSX/CoinThief.A is stealing Bitcoins from unsuspecting Mac OS X users.

SecureMac has discovered the virus circulating in the wild, covertly spying on users’ web browsing traffic in order to steal login credentials for the wallets used to store the virtual currency. To do so, it simply targets traffic flowing to popular Bitcoin websites, including MtGox and BTC-e, as well as Bitcoin wallet sites like

It’s been rather successful: a user posting over the weekend on the Reddit discussion site reported losing 20 Bitcoins (worth upwards of $12,000 at the going exchange rate) to the thieves.

The malware comes disguised as an app to send and receive payments on Bitcoin Stealth Addresses. Initial infection occurs when a user installs and runs an app called StealthBit, available for download on GitHub, a website that acts as a repository for open-source code.

“The source code to StealthBit was originally posted on GitHub, along with a precompiled copy of the app for download,” SecureMac noted. “The precompiled version of StealthBit did not match a copy generated from the source code, as it contained a malicious payload. Users who downloaded and ran the precompiled version of StealthBit instead ended up with infected systems.”

OSX/CoinThief.A instead acts as a dropper and installs browser extensions for Safari and the Google Chrome web browser, without alerting the user. The web browsers are tricked into thinking that the user intentionally installed the extensions, and give no warning to the user that all of their web browsing traffic is now being monitored by the malicious extensions.

When a user logs in to check his or her Bitcoin wallet balance, another component of the malware then sends the information back to a remote server run by the malware authors.

OSX/CoinThief.A can both send information to as well as receive commands from a remote server, including a functionality to update itself to newer versions from the malware author, SecuerMac said.

“Information sent back to the server isn't limited to Bitcoin login credentials, but also includes the username and UUID (unique identifier) for the infected Mac, as well as the presence of a variety of Bitcoin-related apps on the system,” it warned.

The infection is difficult to detect

“Some steps were taken by the malware author to disguise the inner workings of OSX/CoinThief.A from casual analysis,” SecureMac noted. “The browser extensions were given the generic name of "Pop-Up Blocker" and show a similarly generic description of "Blocks pop-up windows and other annoyances."

The malware additionally checks to see if various security programs or code development tools are present on an infected system, which is sometimes done in an attempt to block security researchers from analyzing a piece of malware.

Users can help protect themselves by carefully parsing available reviews and information on any third-party apps before downloading.

This article is featured in:
Identity and Access Management  •  Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×