A new campaign linked to the Lazarus Group is putting fresh pressure on crypto and fintech firms. It uses fake meetings and macOS malware to steal credentials and sensitive business data. Researchers say Lazarus Mach-O Man is the latest toolkit in that playbook, targeting high-value users who are more likely to hold wallet access, internal credentials, or privileged corporate information.

The campaign stands out because it does not depend on a software vulnerability. Instead, it relies on social engineering that gets the victim to do the attacker’s work. In reported cases, targets are contacted over Telegram, often through compromised or trusted-looking accounts. Once contact is established, they are pushed into fake meeting invites or support flows that end with them copying a malicious command into Terminal.

How the attack starts

According to security researchers, the lures mimic Zoom, Microsoft Teams, or Google Meet pages and claim there is a connection or verification issue that requires a quick fix. That “fix” is actually a command sequence that downloads and runs macOS malware on the Mac. The campaign has focused on financial organizations, including cryptocurrency, venture capital, and blockchain entities, with particular emphasis on crypto executives.

This approach matters because it lowers the technical barrier for the attackers while raising the risk for companies. A single employee or executive can expose browser sessions, credentials, system secrets, and internal access. They simply follow the instructions and the attacker does not need to break through traditional defenses first.

>>> Read more: ModStealer Malware Uses Fake Job Ads to Target Crypto Wallets

What the malware does

Researchers describe the toolkit as a collection of Mach-O binaries that perform different tasks after execution. SOC Prime said the malware chain includes components used to profile the infected host, create persistence through launch agents or daemons, and harvest browser extensions, cookies, Keychain data, and other credentials. In some reporting, the stolen data is then exfiltrated through Telegram-linked infrastructure.

That is what makes Lazarus Mach-O Man more than a simple infostealer headline. The toolkit appears modular, business-focused, and designed to support deeper compromise inside organizations. One successful infection can unlock access to trading systems, wallets, cloud services, and internal communications.

Part of a broader 2026 pattern

The new campaign also fits a wider shift already documented this year by major cybersecurity firms. Google Cloud’s Mandiant described a February intrusion in which a compromised Telegram account, a fake Zoom meeting, ClickFix attack technique, and AI-assisted deception were used against a crypto-sector target. Microsoft separately detailed a Sapphire Sleet operation that used fake recruiter outreach and malicious macOS files disguised as Zoom or SDK updates to steal passwords, financial data, and cryptocurrency-related information.

That continuity is important because it suggests these attacks are not isolated experiments. They are part of a maturing North Korea-linked tradecraft pattern that combines trusted communication channels, believable business lures, and macOS-native malware. This approach is difficult to detect, especially once a victim decides to cooperate.

>>> Read more: North Korean Hackers Use EtherHiding to Hide Crypto Malware

Why crypto firms should pay attention

Some crypto-focused coverage has tied the malware wave to recent large DeFi thefts. However, the clearest evidence in the reporting is about the intrusion method itself rather than direct proof that Mach-O Man drove each exploit. Even so, the risk to the sector is obvious. Crypto companies remain attractive targets. Executives, developers, and operations staff often hold the exact mix of wallet access, privileged credentials, and fast-moving authority that attackers want.

For that reason, Lazarus Mach-O Man is best viewed as a warning about operational security, not just malware naming. The campaign shows how a routine meeting invite can become the entry point for a much broader compromise. This risk is especially high in firms where one MacBook may connect personal messaging, production systems, and valuable digital assets.

The post Lazarus Expands Attack Strategy With Mach-O Man macOS Malware appeared first on CrispyBull.

• A crypto supply chain attack used malicious software packages linked to the dYdX protocol to drain user wallets without exploiting the protocol or its smart contracts.
• Attackers targeted off-chain tooling and dependencies, showing how wallet losses increasingly stem from compromised software rather than on-chain flaws.

Malicious software packages posing as tools linked to dYdX, a decentralized platform for crypto perpetual trading, were recently used to drain user wallets, without exploiting any vulnerability in the protocol itself. The incident reflects a broader pattern. Supply chain attacks are increasingly responsible for user losses across the crypto industry.

Rather than targeting smart contracts, attackers compromised the tools used to access them. This shift has made off-chain crypto attacks a primary risk vector, even as on-chain security improves.

What actually happened

Attackers published malicious npm packages and malicious PyPI packages, presenting them as legitimate tools connected to dYdX. They hosted the packages on public repositories that developers routinely use to download prebuilt software components, much like marketplaces for reusable code.

Once installed, the software acted as wallet draining malware. It quietly collected wallet credentials and enabled unauthorized transfers, often without triggering any visible errors or alerts. Any wallet that interacted with the compromised code had to be considered exposed.

The packages were eventually removed, but anyone who installed them before the removal was already at risk.

This wasn’t a protocol failure

The incident illustrates the difference between on-chain and off-chain crypto attacks. The dYdX protocol continued to operate normally, and the attack did not involve any smart contract vulnerability.

Instead, the compromise occurred entirely in the surrounding software layer. Off-chain crypto attacks exploit trust in developer tools and dependencies, areas that protocol audits do not cover. Hence, protocol security alone is no longer sufficient to prevent losses.

The shift from on-chain exploits to off-chain attacks

As smart contract security has improved, direct on-chain exploits have become more expensive and less reliable. So, attackers now focus on softer targets outside the protocol boundary and move the crypto attacks off-chain.

Dependency poisoning and fake tooling allow attackers to bypass hardened contracts and reach private keys directly, without engaging with blockchain defenses at all.

>>> Read more: ModStealer Malware Uses Fake Job Ads to Target Crypto Wallets

Why crypto is especially vulnerable to supply-chain attacks

Crypto’s software supply chain depends heavily on open-source packages and rapid iteration. Dependencies are often pulled from public repositories with limited verification.

These conditions make developer dependency attacks particularly effective because a single compromised package can expose private keys and trigger immediate losses.

To understand how these crypto supply chain attacks work, one must first recognize that the most fragile components often sit outside the blockchain itself.

What this means for users and developers

The incident underscores how wallet security in crypto now extends beyond phishing scams or flawed smart contracts. Increasingly, what puts funds at risk comes down to whether a user can actually trust the third-party software relied on.

For developers, developer dependency attacks turn routine choices into real risk decisions. Pulling a package, trusting an update, or skipping verification can now carry direct financial consequences.

>>> Related: Cardano Wallet Phishing Uses Fake Eternl Desktop Installer

Conclusion

The dYdX-related package incident helps explain why wallets get drained without smart contract hacks, even when protocols operate as intended. The losses did not stem from a failure of blockchain design, but from assumptions made outside it.

Seen in that light, a supply chain attack is less an anomaly than a byproduct of how crypto software is built and distributed today. Protocol security matures, so attackers increasingly exploit the trust placed in tooling, dependencies, and update paths sitting off-chain.

The post Wallet Drains via Fake dYdX Packages Show How Crypto Attacks Are Shifting Off-Chain appeared first on CrispyBull.

How ModStealer Malware Works

Unlike many threats that stick to a single platform, ModStealer is a cross-platform malware. It is capable of infecting Windows, macOS, and Linux systems. Once installed, it scans browsers for sensitive data, including login credentials and private keys from crypto wallets. What makes it especially dangerous is its ability to function as an undetectable malware. It slips past antivirus tools, leaving victims unaware their assets are at risk.

Fake Job Ads Fuel the Spread

Cybercriminals are relying on more than just technical sophistication. Researchers discovered that fraudulent job listings are being used as the entry point for the ModStealer malware. Unsuspecting job seekers, eager to apply, often download malicious files disguised as application documents or software tools. This blend of social engineering and stealthy coding creates a powerful combination. It exploits human trust as much as it exploits machine vulnerabilities.

>>> Read more: North Korea Crypto Hackers Undermine the Crypto Ecosystem

Why ModStealer Stands Out

Many malware campaigns in the past have targeted digital assets, but ModStealer pushes the threat landscape further. It combines social manipulation with invisible code execution. This allows it to bridge the gap between crypto phishing attacks and advanced endpoint evasion. According to Mosyle malware research, this capability highlights how attackers are evolving techniques to hit both users and the infrastructure they rely on.

Expert and Market Reactions

Cybersecurity firms warn that this type of attack is especially damaging for investors who rely on browser-based wallets for day-to-day transactions. Because these wallets are integrated into web browsers, they are often more exposed than hardware-based solutions. Industry experts caution that the malware’s cross-platform reach means no group of users, whether on Windows, Mac, or Linux, is safe. The discovery has quickly been flagged as one of the most pressing cybersecurity threats for crypto users this year.

Protecting Against ModStealer

Defending against the ModStealer malware requires both technical and behavioral precautions. Job seekers should double-check postings through official company websites before downloading attachments. For those holding digital assets, switching from browser wallets to hardware devices adds a critical layer of protection. Keeping operating systems updated and enabling advanced endpoint protection software can also help reduce exposure. Ultimately, crypto wallet security depends as much on vigilance against scams as on strong digital defenses.

>>> Read more: How Blockchain Fights Deepfake Scams in Crypto and Media

The rise of ModStealer malware highlights how cybercriminals are combining technical stealth with social engineering to drain cryptocurrency wallets. By spreading through malicious employment ads while remaining undetected by antivirus tools, it represents a new level of threat to digital asset holders. For investors and everyday users alike, the lesson is clear: protecting crypto requires more than antivirus software. It demands constant awareness of the human and technical risks shaping today’s digital economy.

The post Invisible ModStealer Malware Spreads Through Fake Job Ads to Drain Crypto Wallets appeared first on CrispyBull.