In the dusty plains of the digital frontier, where code is the new gold and developers are the cowboys, a new kind of rustler has emerged. Bybit, the second-biggest sheriff in the cryptocurrency town, has blown the whistle on a cunning macOS malware campaign. These varmints are targeting developers on the prowl for Anthropic’s AI coding tool, Claude Code, like prospectors drawn to a false gold rush.
The Security Operations Center (SOC) at Bybit, them being the sharp-eyed deputies of this tale, spotted this scheme back in March 2026. These outlaws weren’t just whistling Dixie; they’d rigged the search engine trails, leading unsuspecting developers to a poisoned watering hole. A malicious domain, dressed up like a legitimate Claude Code installation page, sat waiting at the top of Google’s search results, ready to siphon off credentials like a thief in the night.
The malware, a sneaky little critter, behaved much like its notorious cousins, AMOS and Banshee, two troublemakers that’ve been plaguing Apple users since 2023. Once a developer fell for the ruse and downloaded the trojanized installer, a Mach-O binary unleashed an osascript-based info stealer. This sly fox went after browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and even cryptocurrency wallet data from over 250 browser extensions and desktop apps. It didn’t stop there; it swiped Safari cookies, Apple Notes, and files from folders where folks stash their secrets.
But these bandits weren’t just after your average loot. They used social engineering tricks, like fake macOS password prompts, to coax users into handing over their system passwords. With that, they could crack open the macOS Keychain and make off with stored secrets. In some cases, they even tried to swap out legitimate crypto wallet apps like Ledger Live and Trezor Suite with trojanized versions, aiming to harvest seed phrases and transaction data through a phishing interface.
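For deputies who want to watch for this trick, here is an added detection sketch (not code from Bybit's report) that flags `osascript` runs showing a masked password dialog, ranked by where the parent binary lives. The event field names and the sample log lines are constructed assumptions; map them to whatever your endpoint telemetry exports.

```python
import json
import re
from os.path import basename

# Constructed process-execution events (not taken from the Bybit report).
# Field names "pid", "path", "parent" and "args" are assumptions.
SAMPLE_EVENTS = r"""
{"pid": 411, "path": "/usr/bin/osascript", "parent": "/Users/dev/Downloads/installer/setup", "args": ["osascript", "-e", "display dialog \"macOS needs your password to continue\" default answer \"\" with hidden answer"]}
{"pid": 412, "path": "/usr/bin/osascript", "parent": "/Applications/Xcode.app/Contents/MacOS/Xcode", "args": ["osascript", "-e", "tell application \"Finder\" to activate"]}
{"pid": 413, "path": "/usr/bin/osascript", "parent": "/private/tmp/.helper", "args": ["osascript", "-e", "display dialog \"Done\" buttons {\"OK\"}"]}
{"pid": 414, "path": "/bin/zsh", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "args": ["zsh", "-l"]}
"""

# AppleScript's masked-input dialog: display dialog ... with hidden answer
HIDDEN_PROMPT = re.compile(r"display\s+dialog\b.*\bhidden\s+answer\b", re.I | re.S)
# Locations a freshly downloaded installer typically runs from.
USER_WRITABLE = ("/Users/", "/private/tmp/", "/tmp/", "/Volumes/")


def classify(event):
    """Return 'high', 'medium', 'low' or None for one exec event."""
    if basename(event.get("path", "")) != "osascript":
        return None
    script = " ".join(event.get("args", []))
    prompts = bool(HIDDEN_PROMPT.search(script))
    odd_parent = event.get("parent", "").startswith(USER_WRITABLE)
    if prompts and odd_parent:
        return "high"      # password prompt raised by a binary in a drop location
    if prompts:
        return "medium"    # password prompt, parent in a standard location
    return "low" if odd_parent else None


def scan(log_text):
    """Classify every JSON line; skip blank, truncated or non-object lines."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and (severity := classify(event)):
            findings.append((event.get("pid"), severity))
    return findings


if __name__ == "__main__":
    for pid, severity in scan(SAMPLE_EVENTS):
        print(f"pid={pid} severity={severity}")
```

Legitimate admin scripts also use hidden-answer dialogs, so treat "medium" hits as leads to review rather than verdicts.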
The second stage of this caper introduced a C++-based backdoor, a real slick operator with advanced evasion tricks. It set up shop through system-level agents, enabling remote command execution via HTTP-based polling. This made its traffic blend in with regular web activity, slipping past detection like a shadow in the night.
Now, why Claude Code? Well, it’s the shiny new toy in town, an AI coding tool that’s been adopted by big shots like Stripe and Wiz. Developers, especially those in the crypto wild west, are high-value targets. They’ve got access to codebases, cloud infrastructure, signing keys, and personal crypto wallets, all on the same machine. Steal a developer’s credentials, and you could compromise source code, CI/CD pipelines, and even multisig signing workflows. That’s how the Bybit hack in February 2025 and the Drift Protocol exploit in April 2026 went down: no fancy code exploits, just good old-fashioned social engineering and operational compromise.
Bybit’s SOC didn’t just sit on their hands, though. They brought out the big guns: AI-assisted workflows that sliced through the malware analysis like a hot knife through butter. Initial triage and classification were done in minutes, reverse engineering was cut from hours to under 40 minutes, and automated IOC extraction pipelines mapped the threat to established frameworks. AI even drafted the reports, shaving off 70% of the turnaround time. “We’re in an AI war,” said David Zong, Bybit’s Head of Group Risk Control and Security. “Using AI to defend against AI is the only way forward.”
This campaign is part of a broader trend. Developers are the new frontier in crypto security. The attack surface isn’t the code anymore; it’s the keyboard. And as long as there’s gold in them thar hills, the varmints will keep coming.
2026-04-22 16:36