Bybit, the world’s second-largest cryptocurrency exchange by trading volume, has disclosed a sophisticated, multi-stage macOS malware campaign specifically targeting developers searching for Anthropic’s AI coding tool Claude Code — marking one of the first public disclosures by a centralized crypto exchange (CEX) of an active threat campaign targeting developers via AI tool discovery channels.
According to the exchange’s Security Operations Center (SOC), the campaign was first identified in March 2026 and combined search engine optimization (SEO) poisoning with credential harvesting, crypto wallet targeting, and persistent backdoor access.
The attackers elevated a malicious domain to the top of Google search results for “Claude Code”-related queries, redirecting victims to a spoofed installation page designed to closely resemble legitimate Anthropic documentation.
How the Attack Works
The campaign follows an infection structure that has become increasingly common in macOS-targeting infostealer families over the past 18 months.
Stage one: the Mach-O dropper
Once a victim downloads the trojanized installer, a Mach-O binary deploys an osascript-based info stealer. Bybit’s researchers noted that its behavior exhibits characteristics similar to AMOS (Atomic macOS Stealer) and Banshee—two malware families responsible for a wave of crypto-focused attacks on Apple users since 2023. The payload executes a multi-phase obfuscation sequence to extract the following:
- Browser credentials and autofill data
- macOS Keychain entries
- Telegram session files
- OpenVPN and other VPN profiles
- Cryptocurrency wallet data from over 250 browser-based wallet extensions and multiple desktop wallet applications
- Safari cookies, Apple Notes content, and files from common folders where sensitive data is stored
The malware also used social engineering tactics, including fake macOS password prompts to validate and cache user credentials—a hallmark AMOS technique that tricks users into typing their system password, which is then used to unlock the macOS Keychain and exfiltrate stored secrets.
In some cases, attackers attempted to replace legitimate crypto wallet applications such as Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure. This mirrors behavior previously documented in AMOS campaigns, where the malware silently uninstalls the legitimate hardware wallet app and installs a look-alike binary designed to harvest seed phrases and transaction data via a JavaScript-based phishing interface.
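The fake password prompt described above leaves a recognisable footprint in process telemetry: an `osascript` invocation that draws a dialog with `hidden answer`, followed closely by a password-validation call and a Keychain read from the same parent process. The detector below is an added example written for this article, not code from Bybit's SOC or from the malware; it runs over constructed sample process records (tab-separated timestamp, user, parent, command line) that are illustrative rather than real telemetry, and the rule names, the 60-second correlation window and the record format are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data from the campaign). One process
# execution per line: timestamp <TAB> user <TAB> parent process <TAB> command line.
# The first osascript line is a benign prompt with no "hidden answer" and should not fire.
SAMPLE_EVENTS = """\
2026-03-12T09:14:02Z\tdev\tTerminal\t/usr/bin/osascript -e 'display dialog "Enter a name" default answer ""'
2026-03-12T09:14:05Z\tdev\tInstaller\t/usr/bin/osascript -e 'display dialog "macOS needs your password to update settings" with title "System Preferences" default answer "" with icon caution with hidden answer'
2026-03-12T09:14:07Z\tdev\tInstaller\t/usr/bin/dscl . -authonly dev <redacted>
2026-03-12T09:14:09Z\tdev\tInstaller\t/usr/bin/security find-generic-password -w -a Chrome
2026-03-12T09:20:00Z\tdev\tFinder\t/usr/bin/open -a Safari
"""

# Each rule: (name, severity, regex applied to the command line). Rule names are assumed.
RULES = [
    ("osascript_hidden_password_prompt", "medium",
     re.compile(r"osascript.*display dialog.*with hidden answer")),
    ("dscl_password_validation", "medium",
     re.compile(r"\bdscl\b.*\s-?authonly\b")),
    ("keychain_secret_read", "medium",
     re.compile(r"\bsecurity\b.*(find-generic-password|find-internet-password|dump-keychain)")),
]


@dataclass
class Finding:
    ts: datetime
    parent: str
    rule: str
    severity: str
    cmd: str


def parse_events(text):
    """Yield (timestamp, user, parent, command line) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, cmd = line.split("\t", 3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, parent, cmd


def scan_events(text):
    """Apply every rule to every command line; return the individual findings."""
    findings = []
    for ts, _user, parent, cmd in parse_events(text):
        for name, severity, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(ts, parent, name, severity, cmd))
    return findings


def correlate(findings, window=timedelta(seconds=60)):
    """Escalate to high severity when a hidden-answer prompt is followed within
    `window` by a password validation or Keychain read from the same parent:
    that sequence is the prompt -> validate -> unlock chain the article describes."""
    escalated = []
    for p in (f for f in findings if f.rule == "osascript_hidden_password_prompt"):
        follow = [f for f in findings
                  if f.parent == p.parent and f.rule != p.rule
                  and timedelta(0) <= f.ts - p.ts <= window]
        if follow:
            escalated.append((p.parent, "high", [p.rule] + [f.rule for f in follow]))
    return escalated


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts.isoformat()} [{f.severity}] {f.parent}: {f.rule}")
    for parent, severity, chain in correlate(found):
        print(f"ESCALATED [{severity}] {parent}: {' -> '.join(chain)}")
```

The single-rule hits are deliberately kept at medium severity, because `osascript` dialogs and `security` lookups both have legitimate uses; only the ordered chain from one parent within a short window is escalated.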
Stage two: the C++ backdoor
The second payload introduces a C++-based backdoor with advanced evasion capabilities, including sandbox detection and encrypted runtime configurations. It establishes persistence through system-level agents and enables remote command execution via HTTP-based polling—rather than maintaining persistent connections—which makes the traffic blend in with legitimate web activity and complicates detection.
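Persistence "through system-level agents" on macOS normally means a launchd property list in a LaunchAgents or LaunchDaemons directory, and a polling backdoor shows up there as a short `StartInterval` plus `RunAtLoad`/`KeepAlive`. The triage script below is an added example for this article, not Bybit's detection logic or the backdoor's real plist; it parses two constructed plists with the standard-library `plistlib` and reports heuristics (an Apple-style label outside `/System`, an interpreter wrapper, a hidden or world-writable path, a sub-five-minute polling interval). The plist contents, the location strings and the heuristic names are assumptions.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample plists (not the campaign's real artifacts). In a real run these
# would be read from ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons.
SAMPLE_PLISTS = {
    # A plausible legitimate agent: vendor label, binary inside its app bundle.
    "~/Library/LaunchAgents/com.example.sync.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleSync.app/Contents/MacOS/ExampleSync</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # A suspicious agent: Apple-looking label in the user's folder, shell wrapper,
    # hidden directory under Application Support, 30-second polling.
    "~/Library/LaunchAgents/com.apple.softwareupdated.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdated</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>/Users/dev/Library/Application Support/.hidden/agent --poll</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StartInterval</key><integer>30</integer>
</dict></plist>""",
}

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl", "curl"}
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def _path_reasons(arg):
    """Heuristics for a single absolute path argument."""
    reasons = []
    if not arg.startswith("/"):
        return reasons
    if arg.startswith(WRITABLE_PREFIXES):
        reasons.append("world_writable_path")
    if any(part.startswith(".") for part in PurePosixPath(arg).parts[1:]):
        reasons.append("hidden_directory_path")
    return reasons


def triage_plist(location, raw):
    """Return the list of heuristic names that fire for one launchd plist."""
    p = plistlib.loads(raw)
    reasons = []
    label = p.get("Label", "")
    args = p.get("ProgramArguments") or ([p["Program"]] if "Program" in p else [])
    # Apple's own agents live under /System/Library; a com.apple.* label elsewhere is a spoof signal.
    if label.startswith("com.apple.") and not location.startswith("/System/"):
        reasons.append("apple_label_outside_system")
    if args and PurePosixPath(args[0]).name in INTERPRETERS:
        reasons.append("interpreter_wrapper")
    for a in args:
        for r in _path_reasons(a):
            if r not in reasons:
                reasons.append(r)
    # Sub-five-minute StartInterval matches HTTP-polling command channels.
    if isinstance(p.get("StartInterval"), int) and p["StartInterval"] < 300:
        reasons.append("short_polling_interval")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        reasons.append("run_at_load_and_keepalive")
    return reasons


def triage(plists):
    """Map each plist location to its list of fired heuristics (empty list = nothing flagged)."""
    return {loc: triage_plist(loc, raw) for loc, raw in plists.items()}


if __name__ == "__main__":
    for loc, reasons in triage(SAMPLE_PLISTS).items():
        print(f"{loc}: {', '.join(reasons) if reasons else 'clean'}")
```

None of these heuristics is proof on its own (plenty of legitimate agents use `RunAtLoad` with `KeepAlive`), so the output is meant as a prioritised list for an analyst rather than an automatic verdict.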
Bybit identified multiple domains and command-and-control (C2) endpoints associated with the campaign, though the exchange noted that all have been defanged for public disclosure.
Why Claude Code?
Claude Code, launched by Anthropic, is an agentic AI coding tool that runs in a developer’s terminal and integrates with IDEs like VS Code and JetBrains. It has seen rapid enterprise adoption—Anthropic has publicly disclosed deployments like Stripe rolling it out to its 1,370 engineers, Wiz using it to migrate a 50,000-line Python library to Go in roughly 20 hours of active development, and Ramp cutting incident investigation time by 80%.
That mainstream traction is precisely what makes Claude Code an attractive SEO-poisoning target. Developers — particularly those in crypto, where many are self-employed or working across multiple environments — are high-value victims.
They typically hold direct access to codebases, cloud infrastructure, signing keys, and personal crypto wallets on the same machine. Stolen developer credentials can cascade into source code access, CI/CD pipeline compromise, and, in the most severe cases, operational access to the kind of multisig signing workflows that were at the center of the $1.4 billion Bybit hack in February 2025 and the $285 million Drift Protocol exploit in April 2026.
This campaign is part of a broader pattern. Microsoft Defender Experts reported in February 2026 that macOS-targeted infostealer campaigns increasingly use fake AI tool installers as delivery vehicles, with AMOS specifically observed distributing them through spoofed AI tool pages. Earlier research by Zscaler ThreatLabz found that SEO-poisoned pages for queries like “ChatGPT” and “Luma AI blog” were consistently ranking in Google’s top results and delivering infostealers such as Vidar, Lumma, and Legion Loader.
Bybit’s Technical Response
A notable aspect of the disclosure is Bybit’s detailed account of how its SOC used AI-assisted workflows across the malware analysis lifecycle—a live demonstration of defensive AI applied to an actively exploited campaign.
- Initial triage and classification of the Mach-O sample completed within minutes, with models flagging behavioral similarities to known malware families.
- AI-assisted reverse engineering and control-flow analysis reduced the deep inspection of the second-stage backdoor from an estimated six to eight hours to under 40 minutes.
- Automated IOC extraction pipelines identified command-and-control infrastructure, file signatures, and behavioral patterns, mapping them to established threat frameworks (such as MITRE ATT&CK).
- AI-assisted rule generation produced threat signatures and endpoint detection rules, which human analysts validated before pushing into production.
- AI-generated reporting drafts reduced threat intelligence turnaround time by approximately 70%.
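The IOC extraction step in the workflow above, and the defanging mentioned earlier in the disclosure, both come down to pulling URLs, hosts, addresses and hashes out of free text and rewriting them so they cannot be clicked or resolved by accident. The script below is an added example written for this article, not Bybit's pipeline; it runs over a constructed report snippet that uses reserved documentation ranges (`.example` names, 198.51.100.0/24 and 203.0.113.0/24 addresses) and a placeholder SHA-256, none of which are the campaign's real indicators. The regexes and the file-extension denylist are assumptions.

```python
import re

# Constructed sample report text with placeholder indicators (reserved example
# names and addresses), not the campaign's real IOCs.
SAMPLE_REPORT = """\
Spoofed install page: https://claude-code-install.example/docs/setup
Dropper fetched from http://cdn.example.net/ClaudeCodeSetup.dmg
Second stage polls http://198.51.100.23:8080/api/v1/beacon every 60s.
Sample SHA-256: 7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069
Also seen: update.example.org and 203.0.113.7.
"""

URL_RX = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RX = re.compile(r"\b[a-f0-9]{64}\b", re.I)
DOMAIN_RX = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# File names such as ClaudeCodeSetup.dmg look like domains to the regex; drop them by suffix.
FILE_EXTS = {"dmg", "pkg", "app", "plist", "js", "sh", "py", "zip", "exe", "txt"}


def _valid_ipv4(s):
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def extract_iocs(text):
    """Return deduplicated, sorted indicators grouped by type."""
    urls = {u.rstrip(".,;)") for u in URL_RX.findall(text)}
    ips = {ip for ip in IPV4_RX.findall(text) if _valid_ipv4(ip)}
    hashes = {h.lower() for h in SHA256_RX.findall(text)}
    domains = {d.lower() for d in DOMAIN_RX.findall(text)
               if d.rsplit(".", 1)[-1].lower() not in FILE_EXTS}
    return {"urls": sorted(urls), "ipv4": sorted(ips),
            "sha256": sorted(hashes), "domains": sorted(domains)}


def defang(ioc):
    """Make a URL, host or address non-clickable and non-resolvable in a report."""
    return (ioc.replace("https://", "hxxps://")
               .replace("http://", "hxxp://")
               .replace(".", "[.]"))


def refang(ioc):
    """Inverse of defang, for loading published indicators back into tooling."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def defang_report(iocs):
    """Defang every network indicator; hashes are left untouched."""
    return {kind: [defang(v) if kind != "sha256" else v for v in values]
            for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in defang_report(extract_iocs(SAMPLE_REPORT)).items():
        print(kind)
        for v in values:
            print("  ", v)
```

Keeping `refang` next to `defang` matters in practice: a published, defanged list is only useful to other defenders if it round-trips losslessly back into blocklists and detection rules.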
“As one of the first crypto exchanges to publicly document this type of malware campaign, we believe sharing these findings is critical to strengthening collective defense across the industry,” said David Zong, Head of Group Risk Control and Security at Bybit. “Our AI-assisted SOC allows us to move from detection to full kill chain visibility within a single operational window… Looking to the future, we will face an AI war. Using AI to defend against AI is an inevitable trend.”
Bybit confirmed that malicious infrastructure was identified on March 12, 2026, with full analysis, mitigation, and detection measures completed the same day. Public disclosure followed on March 20, alongside detailed detection guidance.
Developers as Primary Crypto Targets
The campaign underscores a shift in attacker targeting that has reshaped crypto security throughout 2025 and 2026. Rather than exploiting smart contract bugs, state-sponsored and organized threat actors have increasingly pivoted to compromising human and operational layers—developer machines, signer endpoints, and multisig orchestration infrastructure.
The February 2025 Bybit hack itself was the proof of concept: rather than breaking any cryptographic primitive, Lazarus Group operatives compromised a developer machine at Safe (formerly Gnosis Safe), injected malicious JavaScript into the multisig signing UI, and watched Bybit’s cold wallet signers approve a transaction that drained 401,347 ETH.
The Drift Protocol exploit in April 2026 followed the same pattern, with attackers socially engineering Drift’s Security Council for approximately three weeks before pre-signing drain transactions.
The Crypto Times previously covered the wider April 2026 DeFi nightmare, in which 12 separate incidents drained $606 million across 18 days—with 95% of losses attributed to infrastructure-layer attacks exploiting governance, social engineering, or cross-chain message forgery rather than traditional code exploits.
The Claude Code campaign sits squarely within this trend. Developers are now the front line of crypto security—and the attack surface is no longer the contract; it’s the keyboard.
