Bybit, the world’s second-largest cryptocurrency exchange, has uncovered a sophisticated macOS malware campaign targeting users searching for “Claude Code,” an AI development tool from Anthropic. The campaign, first identified in March 2026, used search engine optimization (SEO) poisoning to steer searchers to a malicious domain disguised as a legitimate installation page, which initiated a two-stage attack designed to steal credentials and target over 250 crypto wallet browser extensions. The incident illustrates a growing trend in which attackers use demand for AI developer tools as a lure for malware, underscoring the need for stronger security measures within the crypto sector. Bybit’s Security Operations Center (SOC) used AI-assisted workflows to identify and mitigate the threat, completing the analysis and rolling out detection measures within a single operational day.
Bybit: Bybit is a prominent cryptocurrency exchange focused on providing secure trading platforms, Web3 infrastructure, and tools that bridge traditional finance with decentralized ecosystems. It emphasizes advanced security measures and partners with blockchain protocols to support on-chain innovation. In this case, Bybit’s Security Operations Center uncovered and publicly detailed a multi-stage macOS malware campaign using SEO poisoning to target users searching for Claude Code, showcasing its role in proactive threat intelligence for the crypto industry.
David Zong: David Zong is the Head of Group Risk Control and Security at Bybit, leading efforts in cybersecurity, risk management, and threat detection for the exchange. He has overseen recent initiatives like AI-driven scam interceptions and detection of coordinated deposit attacks. In response to the macOS malware targeting Claude Code searches, Zong highlighted how Bybit’s AI-assisted SOC enables rapid full kill-chain analysis and industry defense strengthening.
Claude Code: Claude Code is Anthropic’s agentic AI coding system that analyzes entire codebases, implements changes across files, runs tests, and delivers committed code to assist developers in building features and automating tasks. It integrates deeply with development workflows, understanding context to handle complex engineering challenges. The malware campaign exploited searches for Claude Code by poisoning top Google results to redirect users to fake installers that deployed infostealers aimed at cryptocurrency wallet credentials.
Malware Trend: Attackers are using SEO poisoning on searches for AI developer tools to deploy macOS infostealers that harvest crypto wallet credentials.
Platform Risks: Recent macOS malware variants include sandbox detection to evade analysis and target browser wallet extensions alongside desktop crypto applications.
Security Response: Crypto exchanges are applying AI workflows to accelerate malware triage, reverse engineering, and IOC extraction for faster mitigation.
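To make the IOC-extraction step concrete, here is an added example (not code from Bybit or from the original report) of the kind of script a SOC runs over an analyst write-up to pull out defanged indicators. The sample note, its hostnames, the IP address and the hashes are constructed placeholders from documentation ranges and are not indicators from this campaign.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed analyst note used as sample input. The hostnames, IP address and
# hashes are documentation-range placeholders, not indicators from the Bybit report.
SAMPLE_NOTE = """\
Stage 1: victim lands on hxxps://claude-code-setup[.]example[.]com/install.sh (SEO-poisoned result)
Stage 1 dropper sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Stage 2: infostealer beacons to 203[.]0[.]113[.]45:8443 and hxxp://cdn-update[.]example[.]net/gate.php
Stage 2 md5: d41d8cd98f00b204e9800998ecf8427e, second beacon host api[.]example[.]org
"""

# Common defanging conventions analysts use so indicators are not clickable.
DEFANG_RULES = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
]

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo hxxp:// and [.] style defanging so the regexes see real indicators."""
    for pattern, replacement in DEFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def extract_iocs(text: str) -> dict:
    """Return sorted lists of URLs, hosts, IPv4 addresses and hashes found in text."""
    clean = refang(text)
    urls = set(URL_RE.findall(clean))
    # Hostnames inside URLs come from the URL parser, not from the bare-domain regex,
    # so path components such as install.sh or gate.php are never mistaken for domains.
    hosts = {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}
    remainder = URL_RE.sub(" ", clean)
    ips = set()
    for cand in IPV4_RE.findall(remainder):
        try:
            ip_address(cand)  # rejects out-of-range octets such as 999.1.1.1
            ips.add(cand)
        except ValueError:
            pass
    for cand in DOMAIN_RE.findall(remainder):
        hosts.add(cand.lower())
    # The \b anchors keep the 32-hex MD5 pattern from matching inside a 64-hex SHA-256.
    return {
        "urls": sorted(urls),
        "hosts": sorted(hosts),
        "ipv4": sorted(ips),
        "sha256": sorted(h.lower() for h in SHA256_RE.findall(clean)),
        "md5": sorted(h.lower() for h in MD5_RE.findall(clean)),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_NOTE).items():
        print(kind, values)
```

The output is a plain dictionary so it can be fed straight into a blocklist or a SIEM watchlist; the host list is built from parsed URL hostnames plus bare domains in the remaining text, which avoids the usual false positives from filenames with TLD-like extensions.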
