DUBAI, UAE, April 21, 2026 /PRNewswire/ — Bybit, the world’s second-largest cryptocurrency exchange by trading volume, reported that its Security Operations Center (SOC) disclosed findings detailing a sophisticated, multi-stage malware campaign targeting macOS users searching for “Claude Code,” an AI-powered development tool from Anthropic.
The report marks one of the first known disclosures by a centralized crypto exchange (CEX) of an active threat campaign targeting developers via AI tool discovery channels, underscoring the sector’s growing role in frontline cybersecurity intelligence.
First identified in March 2026, the campaign used search engine optimization (SEO) poisoning to elevate a malicious domain to the top of Google search results. Users were redirected to a spoofed installation page designed to closely resemble legitimate documentation, triggering a two-stage attack chain focused on credential harvesting, crypto asset targeting, and persistent system access.
The initial payload, delivered via a Mach-O dropper, deployed an osascript-based infostealer exhibiting characteristics similar to known AMOS and Banshee variants. It executed a multi-phase obfuscation sequence to extract sensitive data including browser credentials, macOS Keychain entries, Telegram sessions, VPN profiles, and cryptocurrency wallet information. Bybit researchers identified targeted access attempts against more than 250 browser-based wallet extensions and multiple desktop wallet applications.
A second-stage payload introduced a C++-based backdoor with advanced evasion capabilities, including sandbox detection and encrypted runtime configurations. The malware established persistence through system-level agents and enabled remote command execution via HTTP-based polling, granting attackers ongoing control over compromised devices.
Bybit’s SOC leveraged AI-assisted workflows across the full malware analysis lifecycle, significantly accelerating response time while maintaining analytical depth. Initial triage and classification of the Mach-O sample were completed within minutes, with models flagging behavioral similarities to known malware families.
AI-assisted reverse engineering and control-flow analysis reduced the time required for deep inspection of the second-stage backdoor from an estimated six to eight hours to under 40 minutes. At the same time, automated extraction pipelines identified indicators of compromise (IOCs) – including command-and-control infrastructure, file signatures, and behavioral patterns – and mapped them to established threat frameworks.
These capabilities enabled same-day deployment of detection measures. AI-assisted rule generation supported the creation of threat signatures and endpoint detection rules, which analysts validated before being pushed into production environments. AI-generated reporting drafts further reduced turnaround time, allowing threat intelligence outputs to be finalized approximately 70% faster than traditional workflows.
“As one of the first crypto exchanges to publicly document this type of malware campaign, we believe sharing these findings is critical to strengthening collective defense across the industry,” said David Zong, Head of Group Risk Control and Security at Bybit. “Our AI-assisted SOC allows us to move from detection to full kill chain visibility within a single operational window. What used to require a team of analysts working across multiple shifts – decompilation, IOC extraction, report drafting, rule writing – was completed in a single session with AI handling the heavy lifting and our analysts providing judgment and validation.”
The investigation also revealed social engineering tactics, including fake macOS password prompts used to validate and cache user credentials. In some cases, attackers attempted to replace legitimate crypto wallet applications such as Ledger Live and Trezor Suite with trojanized versions hosted on malicious infrastructure.
The malware targeted a wide range of environments, including Chromium-based browsers, Firefox variants, Safari data, Apple Notes, and local file directories commonly used to store sensitive financial or authentication data.
Bybit identified multiple domains and command-and-control endpoints associated with the campaign, all of which have been defanged for public disclosure. Analysis indicates that attackers relied on intermittent HTTP polling rather than persistent connections, making detection more challenging.
The incident reflects a growing trend of attackers targeting developers through manipulated search results, particularly as AI tools gain mainstream adoption. Developers remain high-value targets due to their access to codebases, infrastructure, and financial systems.
Bybit confirmed that malicious infrastructure was identified on March 12, with full analysis, mitigation, and detection measures completed within the same day. Public disclosure followed on March 20, alongside detailed detection guidance.
#Bybit / #CryptoArk / #NewFinancialPlatform
About Bybit
Bybit is the world’s second-largest cryptocurrency exchange by trading volume, serving a global community of over 80 million users. Founded in 2018, Bybit is redefining openness in the decentralized world by creating a simpler, open and equal ecosystem for everyone. With a strong focus on Web3, Bybit partners strategically with leading blockchain protocols to provide robust infrastructure and drive on-chain innovation. Renowned for its secure custody, diverse marketplaces, intuitive user experience, and advanced blockchain tools, Bybit bridges the gap between TradFi and DeFi, empowering builders, creators, and enthusiasts to unlock the full potential of Web3. Discover the future of decentralized finance at Bybit.com.
For more details about Bybit, please visit Bybit Press
For media inquiries, please contact: media@bybit.com
For updates, please follow: Bybit’s Communities and Social Media
Discord | Facebook | Instagram | LinkedIn | Reddit | Telegram | TikTok | X | Youtube
Photo – https://mma.prnewswire.com/media/2961757/Image.jpg
Photo – https://mma.prnewswire.com/media/2961756/Bybit_Uncovers_AI_Assisted_macOS_Malware_Campaign_Targeting_Users_Searching_Claude.jpg
Logo – https://mma.prnewswire.com/media/2932256/Bybit_TNFP_Logo.jpg
View original content:https://www.prnewswire.co.uk/news-releases/bybit-uncovers-ai-assisted-macos-malware-campaign-targeting-users-searching-for-claude-code-302748784.html