North Korean Lazarus Group Deploys Mach-O Man Malware to Steal Crypto Wallet Credentials from macOS Users


Gate News, April 22 — The North Korean-linked hacking group Lazarus has launched attacks on cryptocurrency wallets using a newly discovered malware family called Mach-O Man, according to a malware analysis report published on April 21 by security firm ANY.RUN. The malicious code is designed to steal keychain data, browser credentials, and login sessions from macOS systems in order to gain unauthorized access to digital asset wallets and exchange accounts.

Unlike previous Lazarus campaigns, this attack specifically targets Apple macOS users. The malware collects login sessions and authentication credentials from a victim’s Mac device, which are then used to compromise wallet access and exchange account credentials. The primary targets include employees at digital asset companies, developers, and executives. ANY.RUN warned that compromising a single account could expose both wallet access rights and internal corporate systems, potentially leading to large-scale asset theft.

The malware is distributed via ClickFix, a social engineering technique that uses fake error messages and pop-ups to trick users into copying and executing malicious commands themselves. Attacks are primarily conducted through Telegram using compromised personal accounts, with victims directed to fake meeting links resembling Zoom, Microsoft Teams, or Google Meet. Users are then prompted to run commands under the guise of resolving connection issues. Because the victim initiates the execution, this method can easily bypass traditional security controls.

The disclosure follows the Kelp DAO hack on April 20, which resulted in the theft of 116,500 rsETH (restaked Ethereum). LayerZero identified TraderTraitor, a Lazarus-affiliated group, as responsible for the attack. rsETH is distributed across multiple blockchains, with cross-chain transfers handled by LayerZero’s omnichain fungible token (OFT) standard.
