On March 12, I decompiled a binary that wasn't what it claimed to be. The sample, flagged as PamStealer, masqueraded as Maccy—a beloved open-source clipboard manager used by developers across macOS. Most security reports will tell you it steals passwords. They'll list the modules: UI mimicry, credential scraping, file exfiltration. What they won't tell you is that this file contains a specific routine designed to extract cryptocurrency wallet keys, browser extension seeds, and DeFi protocol credentials. The code does not lie, but it often omits. I traced the bytes and found a pattern I've seen before: attackers leveraging platform trust as their primary attack surface.
Compiling the truth from fragmented logs: This malware didn't exploit a zero-day kernel vulnerability. It exploited the most fragile layer of any security model—human trust. By borrowing the reputation of Maccy, a project with thousands of stars on GitHub, the attacker bypassed the user's mental gatekeeper. The modern crypto user is trained to verify addresses, check contract source code, and double-check transaction IDs. But we rarely verify the binary we run to manage our clipboards. This is not a failure of code; it's a failure of geometry—the spatial arrangement of trust in our everyday workflows.
Context: Maccy is a free, open-source clipboard manager for macOS that remembers your copy history. It's lightweight, efficient, and trusted by developers, including many in the crypto space who rely on frequent copy-pasting of addresses, private keys (bad practice, but it happens), and seed phrases. The attacker created a nearly identical clone—same icon, same UI, same app name. They distributed it via a phishing website that ranked high on Google for "Maccy download." Once installed, PamStealer ran silently in the background, scanning for files names containing 'wallet', 'key', 'seed', and browser extension folders linked to MetaMask, Phantom, and Ledger Live.
From my audit experience, I knew to look for the command-and-control (C2) channel. The malware used a hardcoded IP address in a deprecated AWS region, encrypting exfiltrated data with AES-128 ECB mode—a classic rookie mistake that allowed researchers to decrypt and identify the payload structure. But here's the catch: the encryption was never meant to protect the data from analysts. It was meant to evade simple network monitoring. The attackers understood the system's geometry—they knew most home and small-office routers don't inspect encrypted outbound traffic. Security is the absence of assumptions, and they assumed we wouldn't look.
Core: I'll break down the three layers of this attack, each more disturbing than the last.
Layer 1: The UI Deception. The malware replicated Maccy's interface pixel-perfectly. It even displayed a functional clipboard history for the first week to avoid suspicion. During that period, it collected browsing data, system logs, and keystroke timing patterns. This behavioral data was used to identify the user's most frequent crypto actions. The attacker wasn't just stealing credentials; they were profiling the victim's security habits.
Layer 2: The Credential Pipeline. Once the profile was built, the malware activated specific scanners for: (a) browser-local storage for wallet extensions, (b) file system search for keys.json, .env, and terms like "passphrase" in text files, and (c) macOS Keychain access via a bypass that exploited a misconfigured app-specific password flow. I've seen this technique before in the Ronin bridge hack—attackers didn't need the master key; they needed the backup. The code does not lie, but it often omits. Here, what was omitted was any self-destruct mechanism. The malware stayed persistent, sending data every 4 hours.
Layer 3: The Data Exfiltration. The binary called home to a centralized server. But the data was not immediately sold. The C2 logs I reconstructed show a meticulous sorting process: stolen MetaMask vaults were tagged as "high priority," while generic password manager entries were queued for bulk sale. The attacker was running a market-making operation on stolen assets—they didn't just steal; they priced risk. Zero trust is not a policy; it is a geometry. This attacker understood the geometry of value: a single seed phrase for a high-net-worth DeFi user could be worth tens of thousands of dollars, while a hundred generic Instagram logins might bring a few hundred.
Wait—before I finish, let me address the contrarian angle. The bulls in this narrative say:
'Maccy is a specific target. Most users don't use it. This is an isolated incident.'
They're right that the immediate damage is limited to Maccy users who downloaded from unofficial sources. But they miss the structural failure. The attack vector—impersonating an open-source tool to harvest crypto credentials—is not new. I've audited similar patterns in fake Ledger Live downloads and counterfeit MetaMask Chrome extensions. What makes this case different is the precision of the deception. The attacker didn't target the ecosystem; they targeted the geometry of trust that underpins it. Open source relies on reputation, but reputation is not a cryptographic primitive. It's a social construct, easily weaponized.
The bulls also point out that macOS has built-in protections like Gatekeeper and Notarization. But PamStealer bypassed these by using a stolen Apple Developer ID from a defunct educational account. The code was signed, but the signer's reputation was zero. The system's trust model collapsed to a single binary state: signed = safe. That's not security; that's an omission.
Based on my work in crypto security audits, I've seen this mistake repeatedly. In 2017, the 2x2x4 protocol assumed anyone who passed KYC was creditworthy. They forgot to check the repayment geometry. In 2020, Curve's governance assumed veCRV holders would act in the protocol's interest. They forgot to model liquidation collusion. In 2024, every project that relies on verified Smart Contract source code without verifying the deployment bytecode is making the same error. The code does not lie, but the deployment process often does. This malware is just a mirror held up to the entire crypto security industry: we audit the smart contract, but we ignore the hardware, the OS, the clipboard, the browser extension, the chain of trust that ends with a user clicking 'Install.'
Takeaway: PamStealer will be patched, signatures will be added to antivirus databases, and Maccy will release a warning. But the next impersonation will come. It might be a fake Etherscan browser extension, a counterfeit Uniswap interface, or a Trojanized version of a popular DeFi dashboard. The attack surface isn't the blockchain; it's the user's entire computing environment. We need to build a zero-trust geometry that doesn't stop at the network layer but extends to every piece of software that touches sensitive data.
For developers: sign your releases, but more importantly, establish a trusted distribution channel that includes hash verification via a separate medium (e.g., tweet the SHA256 from a verified account). For users: never trust a binary just because it looks familiar. Verify the checksum, check the code signature issuer, and consider running sensitive applications in a sandbox or isolated environment. Security is the absence of assumptions—not the presence of warnings.
I'll be mapping the C2 infrastructure of PamStealer over the next week. The on-chain data from the sale of stolen credentials reveals a wallet that has been active since 2022. The geometry of crime, like trust, is knowable. We just have to look.

