Fake BlueWallet Site Targets Mac Users with AppleScript Malware to Steal Crypto and Credentials
A fake website impersonating the BlueWallet Bitcoin wallet tricks Mac users into running a malicious AppleScript that steals passwords, browser logins and cryptocurrency wallets, and hijacks the clipboard to redirect payments to attacker-controlled addresses.

A fake website impersonating the legitimate BlueWallet Bitcoin wallet is targeting Mac users with a social engineering attack that bypasses macOS security protections. The site, hosted at update-bluewallet[.]com, tricks visitors into downloading and executing a malicious AppleScript file that steals saved passwords, browser logins, cryptocurrency wallets, and documents. It also performs clipboard hijacking, silently replacing copied wallet addresses with attacker-controlled ones.
The attack relies entirely on social engineering rather than technical exploits. The fake download page walks victims through the process step by step, instructing them to open the downloaded 'BlueWallet Installer.applescript' file in macOS's built-in Script Editor and press ⌘R to run it. Gatekeeper and notarization checks apply to downloaded applications and executables; a script opened as a text document in Script Editor, an Apple-signed tool, is never evaluated by them, so nothing blocks the code when the user presses Run.
Once executed, the AppleScript downloads a second-stage payload from a remote server and runs it in the background with all output suppressed. The payload, saved as a hidden file named .sysupd.sh in /tmp, establishes persistence and begins stealing data. It targets browser-stored credentials, cryptocurrency wallet files, SSH keys, AWS credentials, and other sensitive documents. The malware also monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses, a technique known as clipboard hijacking.
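As an added example (not code from the article, from BlueWallet, or from the campaign), the following shell check detects the clipboard-swap behaviour described above: it compares the address a user copied with what is on the clipboard a moment later and raises an alarm when one Bitcoin address has silently become a different one. The address shapes it recognises (legacy 1..., P2SH 3..., bech32 bc1...), the function names and the pbpaste-based live check are my assumptions; the article does not say which coins the payload targets.

```shell
#!/bin/sh
# Added example, not part of the original article. Defensive check only: it
# never writes to the clipboard, it only reads and compares.
# Assumption: the payload swaps Bitcoin addresses. Other coins would need
# their own patterns.
LC_ALL=C
export LC_ALL

# Return 0 if the string looks like a Bitcoin address, 1 otherwise.
# Base58 (1... and 3...) excludes 0, O, I and l; bech32 (bc1...) uses the
# charset qpzry9x8gf2tvdw0s3jn54khce6mua7l. Upper-case bech32 is not matched.
looks_like_btc_address() {
    printf '%s\n' "$1" | grep -Eq \
        '^(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,87})$'
}

# Return 0 (alarm) when both values are addresses and they differ: the user
# copied one address and a different address is now on the clipboard, which
# is exactly what a clipboard hijacker produces. Return 1 otherwise.
clipboard_swapped() {
    copied="$1"
    now="$2"
    if [ "$copied" = "$now" ]; then
        return 1
    fi
    looks_like_btc_address "$copied" && looks_like_btc_address "$now"
}

# Live check on macOS: read the clipboard twice, a few seconds apart, and
# compare. pbpaste exists only on macOS; elsewhere this reports and returns 2.
# Copy a second address yourself during the interval and you get a false alarm.
watch_clipboard() {
    command -v pbpaste >/dev/null 2>&1 || { echo "pbpaste not available"; return 2; }
    first="$(pbpaste)"
    sleep "${1:-3}"
    second="$(pbpaste)"
    if clipboard_swapped "$first" "$second"; then
        printf 'ALERT: clipboard address changed without user action\n  was: %s\n  now: %s\n' \
            "$first" "$second"
        return 0
    fi
    echo "no swap observed"
    return 1
}

# Usage: copy a wallet address, then run:  sh clipcheck.sh watch 3
case "${1:-}" in watch) watch_clipboard "${2:-3}" ;; esac
```

The real-world use is simpler than the watcher: before sending funds, paste the address somewhere visible and compare it character by character with the one you copied, because a hijacker replaces the whole string, not a few characters. The watcher only automates that comparison over a short interval.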
The campaign's technical sophistication is minimal, but its social engineering is carefully crafted. The fake website uses a domain name that closely resembles the real BlueWallet site (bluewallet.io) and includes a download timer that triggers automatically. After a short delay, the page rewrites its status text to resemble setup instructions, even drawing a small blue play triangle to match the Script Editor interface. The attackers chose AppleScript over a packaged application specifically to bypass macOS security controls.
BlueWallet itself has not been compromised. The attackers have simply stolen the brand's name and design to make their malicious download appear trustworthy. Simply visiting the fake website poses no risk; the attack only succeeds if the user downloads and runs the AppleScript file. Users who have done so should assume their device is compromised and take immediate action, including disconnecting from the network, changing passwords from a trusted device, and moving cryptocurrency to a new wallet.
This campaign highlights a growing trend in macOS malware: attackers increasingly rely on social engineering to trick users into bypassing built-in security protections. As operating systems become better at blocking malicious software, threat actors are investing more effort in convincing people to click through warnings and run scripts manually. Users should be suspicious of any download that comes with instructions to open it in a scripting tool, developer utility, or Terminal window and press 'Run.'
For those who may have been affected, security experts recommend running a full antivirus scan, checking for unfamiliar files in ~/Library/LaunchAgents, looking for a hidden .sysupd.sh file in /tmp, and rotating cloud and SSH credentials if sensitive files were present. When in doubt, backing up data and reinstalling macOS from a known-good source is the safest course of action.
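To make those checks repeatable, here is an added triage script (mine, not the article's and not BlueWallet's) that looks for the indicators the article names: the hidden /tmp/.sysupd.sh payload, LaunchAgents that reference it or otherwise run code out of /tmp or hidden scripts, and the lure file by name. The extra locations it scans (/Library/LaunchAgents, /Library/LaunchDaemons, ~/Downloads) and the "suspect" patterns are my assumptions about where such persistence usually lands, not details the article reports.

```shell
#!/bin/sh
# Added example, not from the original article. Read-only triage: it reports
# and never deletes anything, so evidence survives for later analysis.
LC_ALL=C
export LC_ALL

# Heuristics for a LaunchAgent a user did not create: the named payload,
# anything executed from /tmp, hidden dot-scripts, and download-and-run
# one-liners. Patterns are assumptions; legitimate agents rarely match them.
SUSPECT_PATTERNS='\.sysupd\.sh|/tmp/|/\.[A-Za-z0-9_]+\.(sh|py|scpt)|curl [^<]*[|] *(sh|bash)'

# Print and return 0 if the hidden payload exists under directory $1.
check_tmp_payload() {
    f="$1/.sysupd.sh"
    if [ -e "$f" ]; then
        printf 'FOUND payload: %s\n' "$f"
        ls -la "$f"
        return 0
    fi
    return 1
}

# Scan every .plist under $1 for the patterns above. Print hits and return 0
# if any plist matched, 1 if none did; an absent directory counts as clean.
scan_launch_agents() {
    dir="$1"
    [ -d "$dir" ] || return 1
    hits=0
    for plist in "$dir"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -Eq "$SUSPECT_PATTERNS" "$plist"; then
            printf 'SUSPECT LaunchAgent: %s\n' "$plist"
            grep -En "$SUSPECT_PATTERNS" "$plist" | sed 's/^/    /'
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Look for the lure script by its file name under $1 (name from the article;
# the Downloads location is an assumption). Return 0 if found.
find_lure() {
    [ -d "$1" ] || return 1
    hit="$(find "$1" -maxdepth 2 -name 'BlueWallet Installer.applescript' 2>/dev/null)"
    [ -n "$hit" ] && printf 'FOUND lure: %s\n' "$hit"
}

# Full pass over the usual locations. Exit 0 means indicators were found and
# the host should be treated as compromised; exit 1 means none were seen.
triage() {
    found=1
    check_tmp_payload /tmp && found=0
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        scan_launch_agents "$d" && found=0
    done
    find_lure "$HOME/Downloads" && found=0
    if [ "$found" -eq 0 ]; then
        echo "Indicators present: disconnect, rotate credentials from a clean device, move funds to a new wallet."
    else
        echo "No indicators in the scanned locations (absence is not proof of a clean host)."
    fi
    return "$found"
}

# Run the live check with:  sh triage.sh run
case "${1:-}" in run) triage ;; esac
```

A clean result only means these particular indicators are absent; the second-stage payload can change names and locations, so a host on which the script was knowingly run should still be treated as compromised and the credential rotation and wallet migration carried out regardless of what this script reports.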