Blockchain security firm SlowMist has warned that a new phishing attack is putting macOS users at high risk. In a recent post, the firm shared that Chainbase Lab has detected a phishing email disguised as an “audit/compliance confirmation.” The emails lured recipients into revealing sensitive information, including system credentials.
Chainbase also shared the malicious samples with SlowMist for deeper analysis. Both firms confirmed that the campaign uses multi-stage, fileless malware specifically targeting Mac devices.
The attackers initially ask users to “confirm the company’s legal English name,” then send a follow-up email titled “FY2025 External Audit” or “Token Vesting Confirmation — deadline.” These messages contain what appear to be Word or PDF attachments.
However, these attachments are not regular documents, but rather disguised AppleScript malware. Victims who open them unknowingly install malware that lets hackers steal important information from them. As such, this malware campaign is a mix of social engineering, technical deception, and sophisticated memory-resident malware.
The malware file is given the name “Confirmation_Token_Vesting.docx.scpt” and is designed to appear as a legitimate document file due to its use of a double extension. Once executed, the malware displays fake progress bars to resemble a system update or repair process.
At the same time, it will display legitimate-looking password prompt pop-ups to steal system credentials. “When the user enters a password and clicks ‘OK,’ the script invokes the dscl command to verify whether the password is correct,” SlowMist said.
The malware also tries to sneak past Mac’s built-in privacy protections. It quietly gives itself access to your files, camera, screen, and keyboard. On top of that, it installs a hidden program that lets hackers control your Mac and run additional harmful code. The backdoor connects to a remote server to collect information about your Mac and run more harmful programs. Hackers hide their tracks using temporary websites like sevrrhst[.]com.
This is not the first time SlowMist has alerted cryptocurrency users. In January 2026, the company raised awareness regarding a MetaMask scam involving false two-factor authentication messages. The victims were redirected to false sites, leading them to leak their seed phrases.
In December 2025, a phishing attack occurred on a Solana digital wallet, causing users to sign transactions and resulting in the loss of over $3 million worth of cryptocurrency. The hackers changed the ownership of the digital wallet, giving themselves complete access without the owner’s knowledge. SlowMist explained, “You thought you just connected your crypto wallet to a website, but in reality, you gave all your money to a stranger.”
Besides going after wallets, SlowMist also warned earlier about AI-powered phishing. Hackers tampered with AI search results to show fake imToken wallet links. People who clicked these links risked malware or phishing attacks. Hence, the firm emphasized checking all URLs carefully and only downloading wallets from official sources.
This Mac phishing attack shows how clever hackers are becoming. People should be careful with unexpected emails, check attachments before opening, and make sure links are real.
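The double-extension trick described above can be checked for before an attachment ever reaches a user. The following is an added example, not code from SlowMist or Chainbase: a small filter that walks a raw email and flags attachments whose name ends in a script extension directly after a document extension. The extension lists and the sample message are assumptions constructed for illustration; only the filename `Confirmation_Token_Vesting.docx.scpt` comes from the report.

```python
from email import message_from_string
from pathlib import PurePosixPath

# Script types that run when opened on macOS (assumed watch list, extend as needed).
SCRIPT_EXTS = {".scpt", ".scptd", ".applescript", ".command"}
# Types a recipient expects to be a passive document (assumed list).
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def is_disguised_script(filename):
    """True when a script extension directly follows a document extension."""
    # Trailing dots or spaces can hide the real suffix, so strip them first.
    name = filename.strip().rstrip(". ").lower()
    suffixes = PurePosixPath(name).suffixes
    return (len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS
            and suffixes[-2] in DOC_EXTS)


def flag_attachments(raw_email):
    """Return attachment filenames in a raw message that look disguised."""
    msg = message_from_string(raw_email)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_disguised_script(n)]


# Constructed sample message; only the first attachment name is from the article.
SAMPLE_EML = """\
Subject: Token Vesting Confirmation
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm by the deadline.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Confirmation_Token_Vesting.docx.scpt"

placeholder
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="FY2025_summary.v2.pdf"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE_EML))
```

A mail gateway or triage script can quarantine anything this returns; a genuine PDF with extra dots in its name, like the second attachment in the sample, is not flagged.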