New Mac Trojan in the Wild Steals Your Bitcoins

| News

SecureMac announced on Sunday that it found a new Mac trojan in the wild called OSX/CoinThief.A that "spies on Web traffic to steal Bitcoins." By watching your Web-based traffic, the app looks for Bitcoin-related logins and passwords so that the bad guys can then use those logins to steal your Bitcoins.


The malware is being distributed through an open source app called StealthBit, an app that ostensibly generated so-called stealth-addresses, or one-time use addresses for even more anonymous Bitcoin transactions. According to SecureMac, this app was distributed on Github, where the source was made available.

Along with the source, a pre-compiled version of the app was posted that didn't match the source code and included the OSX/CoinThief.A malware. As with all trojans, this malware relied on the user deliberately installing the software and entering their admin credentials to do so.

The app also installs a browser extension called "Pop-Up Blocker" to do its snooping. This innocuously-named extension has an equally innocuous description that says, "Blocks pop-up windows and other annoyances." Both the name and the description are lies, however, as its purpose is to spy on you.

Worse, the malware includes software that runs in the background that looks Bitcoin-related software on your Mac, and it can both send information to a remote server and receive instructions from that server. We've asked SecureMac for the name of this background process, and will update this article when we hear more.

Popular TMO Stories



It’s not really “in the wild”. You had to download it yourself from github and install it yourself, entering your admin password and ignoring several warnings from MacOS X. If you don’t know what github is, you are safe.

Bryan Chaffin

Hey gnasher: “In the wild” is used to distinguish between malware that is actually out there and a security exploit discovered by researchers that has not been turned into malware or otherwise had users exposed to it.

In this case, this malware is in the wild—but as you noted, it’s not a virus, meaning it’s only being distributed to people who download the trojan.

I’m working on a followup now about it appearing on, a much more frequented site than github (you made a great point about github, BTW).

It will include instructions for removing the malware.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account