CookieMiner Steals Cryptocurrency Exchange Account Info From MacOS Users

Share Article

A brand-new malware has made its way to MacOS systems — collecting users’ credentials and forcing their devices to mine coins for the benefit of the hackers.

The MacOS immunity to malware is a myth that has been already busted on numerous occasions.

Now, cybersecurity experts from Palo Alto Networks have discovered another specimen of a malicious bug — based on OSX.DarthMiner.

This bug makes its way to the much-vaunted Apple operating system to steal cookie data from cryptocurrency exchanges and other sensitive information — like saved passwords and credit cards numbers — for the benefit of cybercriminals.

How It Works

While the manner in which the malware is disseminated is not clear yet, experts believe that the trojan uses backdoors with EmPyre Powershell to establish remote access and transfer data.

Once the malicious code finds its way into the system, it scans browsers cookies for the websites of popular cryptocurrency exchanges like Binance, Coinbase, Poloniex, Bittrex, Bitstamp, MyEtherWallet, etc. and searches for resources related to “blockchain.”

Once it finds what it was looking for, the Trojan shell script steals cookies from Chrome and Safari before uploading them to a remote server.

Triple Whammy

According to Palo Alto Networks, the primary aim of the malware is to gain access to users’ cryptocurrency exchange accounts. However, apart from that, CookieMiner downloads a malicious Python-Script ( to extract account data, banking card numbers, and passwords saved in Chrome.

If the infected computer synchronizes with iPhones via iTunes, the malware attempts to get access to SMS message backups. As a result, the malware intercepts one-time passwords to bypass two-factor authentication implemented by cryptocurrency exchanges for security purposes.

With a combination of stolen account login data, web cookies, and text messages, the hackers can receive full control over victim’s cryptocurrency wallets and trading accounts.

Furthermore, CookieMiner installs cryptocurrency mining malware that looks like a Monero (XMR) coin miner and runs quietly in the background to mine a lesser-known privacy coin Koto.

How to Protect Yourself

Jen Miller-Osborn, a Deputy Director of Threat Intelligence at Palo Alto Networks, recommends MacOS users be extra careful while downloading apps outside the official Apple store. Criminals tend to avoid this distribution channel, as Apple may find the malicious software during the review process.

Apart from that, experts remind users of the risks of storing personal information in web browsers. It is wise to clear cookies after visiting financial accounts — including cryptocurrency wallets.

Palo Alto Networks has notified Apple and Google about the potential threat.

What do you think of CookieMiner? Let us know your thoughts in the comments below!


All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.
Share Article

Financial translator, financial market observer, analyst and an editor with vast work experience in financial and cryptocurrency media outlets in Russia and abroad. For over ten years worked as a financial translator and content creator for Russian and international financial companies and media outlets, including Profinance Service, Saxo Bank, and Finance Magnates. Writing about cryptocurrency and blockchain industry on a daily basis since 2017. Love to stay on top of things and have a personal opinion about everything, but always try to follow the principles of objective reporting.

Follow Author

Daily signals, Bitcoin analytics and traders chat. Join our Telegram today!

Let’s Go

A step-by-step guide how to trade Bitcoin profitably

Learn now