Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Coinbase India Head Addresses Re-Entry Launch Glitches and the 12-Month Roadmap
    Inside the Trump Family’s $1.2B Crypto Windfall Who Paid the Price
    Inside the Trump Family’s $1.2B Crypto Windfall: Who Paid the Price?
  • Opinion
    OpinionShow More
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
    Is Crypto Dying, or Is Pump.fun Turning It Into an Attention Casino
    Is Crypto Dying, or Is Pump.fun Turning It Into an Attention Casino?
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
Industry

Crypto Users on MacOS Targeted in Sneaky Token Vesting Malware Scam

The attachments shared in email to victims seem regular documents, but it all was disguised AppleScript malware.

Written By Kenrodgers Fabian Kenrodgers Fabian
Fact Checked by Gopal Solanky Gopal Solanky
Published 2026-02-03·Updated 5 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
Crypto Users on MacOS Targeted in Sneaky Token Vesting Malware Scam

Key Highlights

  • Mac users face new phishing risks; fake audit emails can steal passwords and install hidden malware.
  • Hackers use disguised AppleScript files and backdoors to control Macs and bypass privacy protections.
  • Phishing and wallet related scams gain as crypto’s popularity grows worldwide.

Blockchain security firm SlowMist has warned that a new phishing attack is putting macOS users at high risk. In a latest post, the firm shared that Chainbase Lab has detected a phishing email disguised as an “audit/compliance confirmation.” The emails lured recipients to reveal sensitive information, including system credentials. 

Chainbase also revealed the malicious samples with SlowMist for deeper analysis. Both the firms confirmed that the campaign uses multi-stage, fileless malware specifically targeting Mac devices. 

🚨 Threat Intelligence | Analysis of Token Vesting Phishing Poisoning 🚨

Recently, @ChainbaseHQ detected a phishing email campaign disguised as “audit/compliance confirmation” and shared the sanitized samples with the SlowMist team. We jointly analyzed the campaign and confirmed… pic.twitter.com/0em6y2M1k6

— SlowMist (@SlowMist_Team) February 3, 2026

The attackers initially ask users to “confirm the company’s legal English name,” then share a follow up email titled “FY2025 External Audit” or “Token Vesting Confirmation — deadline.” These messages contain Word or PDF attachments. 

However, these attachments are not regular documents, but rather disguised AppleScript malware. Opening these attachments allows the victims to unknowingly install malware that can allow hackers to steal important information from them. As such, this malware campaign is a mix of social engineering, technical deception, and sophisticated memory-resident malware.

How the malware works on macOS

The malware file is given the name “Confirmation_Token_Vesting.docx.scpt” and is designed to appear as a legitimate document file due to its use of a double extension. Once executed, the malware displays fake progress bars to resemble a system update or repair process. 

At the same time, it will display legitimate-looking password prompt pop-ups to steal system credentials. “When the user enters a password and clicks ‘OK,’ the script invokes the dscl command to verify whether the password is correct,” SlowMist said.

The malware also tries to sneak past Mac’s built-in privacy protections. It quietly gives itself access to your files, camera, screen, and keyboard. On top of that, it installs a hidden program that lets hackers control your Mac and run additional harmful code. The backdoor connects to a remote server to collect information about your Mac and run more harmful programs. Hackers hide their tracks using temporary websites like sevrrhst[.]com.

Connection to broader crypto phishing trends

This is not the first time SlowMist has alerted cryptocurrency users. In January 2026, the company raised awareness regarding a MetaMask scam involving false two-factor authentication messages. The victims were redirected to false sites, leading them to leak their seed phrases. 

🚨 New #metamask phishing scam alert

Attackers are impersonating a “2FA security verification” flow, redirecting users via look-alike domains to fake security warnings with countdown timers and “authenticity checks.”

The final step asks for your wallet recovery phrase — once… pic.twitter.com/3bX9U1wZbs

— SlowMist (@SlowMist_Team) January 5, 2026

In December 2025, a phishing attack occurred on a Solana digital wallet, causing users to sign transactions and resulting in the loss of over $3 million worth of cryptocurrency. The hackers changed the ownership of the digital wallet, giving themselves complete access without the owner’s knowledge. SlowMist explained, “You thought you just connected your crypto wallet to a website, but in reality, you gave all your money to a stranger.”

Besides going after wallets, SlowMist also warned earlier about AI-powered phishing. Hackers tampered with AI search results to show fake imToken wallet links. People who clicked these links risked malware or phishing attacks. Hence, the firm emphasized checking all URLs carefully and only downloading wallets from official sources.

🚨SlowMist Security Alert🚨

Beware of AI Pollution! We tested mainstream AI assistants for @imTokenOfficial's official website — some returned phishing links!🎣

✅The official website of imToken is: https://t.co/LnehWwXDE0

⚠️AI boosts productivity, but many treat it as a… pic.twitter.com/m3FQ9TkbbG

— SlowMist (@SlowMist_Team) April 3, 2025

This Mac phishing attack shows how clever hackers are becoming. People should be careful with unexpected emails, check attachments before opening, and make sure links are real.

Also Read: Korea’s FSS Launches VISTA to Combat Crypto Price Rigging

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News
Google News Banner

TAGGED:BlockchainCrypto Scam
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link
Fabian is Crypto Journalist at The Crypto Times
By Kenrodgers Fabian
Follow:
Kenrodgers Fabian is a Crypto Journalist at The Crypto Times, based in Kenya. He reports on high-profile global financial fraud, investment scams, phishing schemes, and cross-chain protocol exploits. His coverage heavily tracks systemic crypto vulnerabilities, ecosystem security breaches, and central bank shifts toward stablecoins and tokenized finance infrastructure. All investigative coverage on crypto cybercrimes and security events passes through his desk before publication. His four years in fast-paced crypto media have shaped his structured approach to deciphering malicious smart contracts, verifying data-heavy fraud cases, and providing accurate reporting on digital currency risks.
Gopal Solanky, Senior Reporter for Markets and Protocols at The Crypto Times
By Gopal Solanky Sr. Crypto Journalist
Follow:
Gopal Solanky is a Senior Reporter for Markets & Protocols at The Crypto Times, based in Ahmedabad. He covers institutional crypto adoption, Bitcoin treasury strategies, DeFi markets, protocol ecosystems, Ethereum network activity, Hyperliquid, on-chain trends, and broader digital asset market movements. Gopal has been active in the crypto ecosystem for more than six years. Before joining The Crypto Times full-time in 2023, he worked as a freelance crypto content writer, developing a strong understanding of blockchain infrastructure, DeFi protocols, market cycles, token mechanics, and peer-to-peer systems. His reporting focuses on explaining how protocols work, why market movements happen, and how institutional and on-chain activity affects crypto investors and builders. At The Crypto Times, Gopal also hosts on-the-record interviews with regional Web3 founders, protocol teams, and ecosystem leaders. His work has been cited by external publications, including Vulture.com, in coverage of major crypto stories such as the Hawk Tuah memecoin controversy. His reporting has also contributed to The Crypto Times’ coverage of major industry events, including FTX-related developments, institutional crypto adoption, and emerging protocol narratives. Gopal holds a Bachelor’s degree in Computer Applications, giving him a technical foundation for analyzing blockchain systems, crypto infrastructure, and market data.

Latest News

Pak Deputy PM Ishaq Dar's Relative Arrested in Crypto Extortion Case
Pak Deputy PM Ishaq Dar’s Relative Arrested in Crypto Extortion Case
Kalshi Nears $10B Monthly Volume as Prediction Markets Grow
Kalshi Nears $10B Monthly Volume as Prediction Markets Grow
Algorand Calls for Shared Post-Quantum Crypto Security Standards
Algorand Calls for Shared Post-Quantum Crypto Security Standards
Vitalik Buterin Unveils Lean Ethereum Roadmap for Next Era
Vitalik Buterin Unveils Lean Ethereum Roadmap for Next Era 
Bitcoin Miner IREN Awards Co-CEOs $700M in Stock
Bitcoin Miner IREN Awards Co-CEOs $700M in Stock

Find Us on Socials

You may also like

Australian MP Discloses XRP as Only Crypto Holding

Fake Job, Real Prison: Chinese Man Jailed for 30 Months Over Crypto Scam

Fake Job, Real Prison: Chinese Man Jailed for 30 Months Over Crypto Scam

Sui AI Agents Smash Over 6M TPS in Live Stress Test

Sui AI Agents Smash Over 6M TPS in Live Stress Test

Moonwell Alerts Users on Moonbeam Network Shutdown

Moonwell Alerts Users on Moonbeam Network Shutdown

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information