On April 22, CertiK disclosed a North Korean Lazarus Group campaign called Mach-O Man. The target is not a bridge or a smart contract. The target is a person — specifically, the kind of person reading this paragraph. A crypto or fintech executive running a Mac, fluent in Terminal, receiving dozens of calendar invites a week.
The attack is not technically exotic. It is precisely calibrated to the cultural rhythm of the industry it is hitting.
The keychain is what the campaign is named for, and the keychain is what it walks out with.
Lazarus Group has stolen $500M+ in the last two weeks per CertiK — Drift Protocol ($285M, April 1) and KelpDAO ($292M, April 18) — and $6.7B cumulative since 2017. This is not a series of incidents. It is a state-funded industry.
What happens in the seven minutes after the click
The chain below is reconstructed from CertiK’s public disclosure, Bitso’s Quetzal Team technical report (April 21), and indicators of compromise shared by the ANY.RUN sandbox team. The kit is written in Go and compiled as native Mach-O binaries for both Intel and Apple Silicon. Researchers describe the post-compromise machine as clinically clean.
mach-o-man — execution trace
src: certik / quetzal / any.run
T+00:00 > Telegram invite arrives. Sender is a known industry contact whose account was compromised earlier in the campaign.
T+00:42 > Victim clicks meeting link. Fake lobby page renders, mimicking Zoom / Teams / Google Meet down to the favicon. "Connection issue detected. Paste this into Terminal to fix."
T+01:18 > Victim executes a single command in Terminal. Technique: ClickFix. Security tools observe user-initiated activity and do not intervene.
T+01:19 > Modular Mach-O kit unpacks. Installs LaunchAgents masquerading as OneDrive helper files. Opens a Telegram-based C2 channel.
T+02:30 > Keychain, browser cookies, saved passwords, OAuth tokens, Slack and SaaS auth state exfiltrated.
T+06:40 > Kit auto-deletes. No persistent process, no disk artifact, no scheduled task remaining for forensic recovery.
T+07:00 > Victim resumes a normal afternoon. Every service the victim is signed into now has a second silent user on different infrastructure.
Primary sources: CertiK via CoinDesk (April 22, 2026). Technical disclosure via Bitso Quetzal Team + ANY.RUN (April 21, 2026). Attack chain detail via crypto.news.
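The T+01:19 step is the one window where the kit leaves something on disk: LaunchAgent plists dressed up as OneDrive helpers. The audit below is an added example, not code from the disclosure or from Lorica; it parses LaunchAgent plists and flags any that carry a OneDrive or Microsoft name but launch a binary from outside the trusted install locations. The trusted path prefixes and the sample plists are assumptions constructed for this example, not indicators from the report.

```python
import plistlib
from pathlib import Path
from typing import Optional

# Assumed locations a genuine OneDrive helper launches from (assumption for this example).
TRUSTED_ONEDRIVE_PREFIXES = (
    "/Applications/OneDrive.app/",
    "/Library/Application Support/Microsoft/",
)
# Name fragments that suggest the agent is claiming to be a Microsoft/OneDrive component.
MASQUERADE_HINTS = ("onedrive", "microsoft")


def audit_launch_agent(plist_bytes: bytes) -> Optional[dict]:
    """Return a finding if the plist looks like a OneDrive masquerade, else None."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # malformed or non-plist content is itself worth a look
        return {"label": None, "program": None, "reason": "unparseable plist"}
    label = str(data.get("Label", ""))
    args = data.get("ProgramArguments") or []
    program = str(data.get("Program") or (args[0] if args else ""))
    haystack = (label + " " + program).lower()
    if not any(hint in haystack for hint in MASQUERADE_HINTS):
        return None  # does not claim to be OneDrive; out of scope for this check
    if any(program.startswith(prefix) for prefix in TRUSTED_ONEDRIVE_PREFIXES):
        return None  # name and launch path agree
    return {"label": label, "program": program,
            "reason": "OneDrive-named agent launching from untrusted path"}


def audit_directory(agent_dir: Path) -> list:
    """Audit every *.plist in a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    findings = []
    for plist in sorted(agent_dir.glob("*.plist")):
        finding = audit_launch_agent(plist.read_bytes())
        if finding:
            findings.append({"file": plist.name, **finding})
    return findings


# Constructed samples: one plausible legitimate helper, one masquerade.
SAMPLE_LEGIT = plistlib.dumps({
    "Label": "com.microsoft.OneDriveStandaloneUpdater",
    "ProgramArguments": ["/Applications/OneDrive.app/Contents/MacOS/OneDriveStandaloneUpdater"],
    "RunAtLoad": True,
})
SAMPLE_SUSPECT = plistlib.dumps({
    "Label": "com.microsoft.OneDrive.helper",
    "ProgramArguments": ["/Users/exec/Library/Caches/.od/onedrive-helper", "--sync"],
    "RunAtLoad": True,
})
```

Run `audit_directory(Path.home() / "Library/LaunchAgents")` on a live machine; an empty result does not clear the host, since the kit removes these files at T+06:40.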
What actually left the building
The word “keychain” undersells the damage. macOS Keychain is not a password vault. It is the backing store for nearly every authenticated workflow the executive uses in a given day. Here is what Mach-O Man takes in roughly the first 90 seconds of a successful compromise.
- Saved passwords — Every site Safari and Chrome remembered. Reused credentials extend the blast radius.
- TOTP seeds — The secret that generates authenticator codes, stored in Keychain. Not the one-time code — the seed.
- OAuth + session tokens — Already-authenticated sessions for Slack, Notion, SaaS dashboards, wallet UIs, admin panels.
- Browser cookies — Replayable login state. No password prompt needed. The victim’s device profile is reproducible.
- SSH private keys — Git access, server access, infrastructure access, signing authority in any CI pipeline using them.
- Cloud provider creds — AWS, GCP, Railway, Vercel. Direct access to production databases and secret stores.
- Wallet artifacts — Keystore files, mnemonic phrases stored in plain files, 1Password / Bitwarden unlock state.
- API keys — Every third-party service the executive develops against. Usually no key rotation in place.
An attacker does not need all of these. An attacker needs any one of them to move laterally and find the rest.
What Lorica does not do
Before the case, the disclaimer. Lorica does not stop Mach-O Man. The malware executes before the attacker ever reaches a withdrawal gate. Once the Terminal command runs, the keychain is gone, the cookies are gone, the tokens are gone, and no network-edge product stops an attacker from logging in — as the victim — the next morning. Endpoint detection does not stop it either. The kit is explicitly built to evade the EDR stack most crypto firms already pay for.
What Lorica does is sit on the other side of that compromise. At the moment the stolen credentials try to do something consequential, Lorica asks a question no existing layer asks. That is the narrow, specific claim, and it is the only claim worth making.
Six of seven checks pass
When a session with valid credentials walks up to a withdrawal, a wire, a new beneficiary, or an API-key rotation, every existing defense evaluates the session and signs off. The cryptographic questions all return the right answers. The only question that disagrees is the one almost nobody is asking.
Lazarus session · defense stack evaluation
score: 6 of 7 defenses waved through
[PASS] Session token valid? passes — stolen from keychain
[PASS] Device fingerprint match? passes — victim profile replayed
[PASS] SMS or TOTP 2FA satisfied? passes — seed in keychain
[PASS] Password re-entry? passes — stored in keychain
[PASS] Geolocation reasonable? passes — attacker VPNs to region
[PASS] Behavioral anomaly score? passes — first actions mimic normal
[BLOCK] Live human in front of cam? BLOCKS — victim is at lunch
This is the structural point. The session is not lying. It is telling the truth. The truth is just that the user is not here.
Every perimeter check is internally consistent. Every perimeter check is also answering a question the attacker has already answered. The attacker has the token. The attacker has the cookie. The attacker has the seed. Ask any question that can be answered by data at rest on a Mac, and the attacker wins. Ask one that can only be answered by a human body in front of a camera, and the attacker loses.
The question every platform currently asks: “Does this session have credentials?”
The question that would have caught Lazarus: “Is a live human in front of this camera, right now, authorizing this specific action?”
The campaign, not the incident
Mach-O Man is not a standalone event. It is one track in a three-track operation Lazarus is running in April 2026. Each track is independently significant. Together they describe an institution at work.
- APR 01 — Drift Protocol drained via pre-signed nonce social engineering · $285M
- APR 18 — KelpDAO rsETH bridge exploited via forged cross-chain message · $292M
- APR 21 — Quetzal Team publishes Mach-O Man technical disclosure · IoCs live
- APR 22 — CertiK publicly attributes the campaign to Lazarus / Famous Chollima · active
The actor that took $577 million from two DeFi protocols in 18 days has now industrialized a credential-harvesting kit for the humans running the next 200 platforms. Drift was the rehearsal. KelpDAO was the operation. Mach-O Man is ammunition for whatever comes next.
LayerZero — whose bridge infrastructure KelpDAO was built on — publicly attributed the exploit to Lazarus and described the failure as a single-point-of-failure verifier design. They are correct. They are also describing a symptom of something bigger. In 2026, the actor who arrives at the front door already has the keys.
Working assumption for crypto / fintech security teams, April 2026:
- At least one executive on your team has pasted a command into Terminal within the last 30 days that did not do what it claimed to do.
- You do not know which one. The malware erased itself. Their laptop looks clean.
- Their credentials are not clean. Keychain, cookies, TOTP seeds, and OAuth tokens are now on infrastructure controlled by Lazarus.
- Every layer of defense downstream of that assumption — EDR, 2FA, session management, device fingerprinting, behavioral analytics — is already defeated by design.
- The only remaining layer that has not been pre-defeated is the one that asks the physical-world question: is a human in front of a camera right now?
Nothing else was going to stop them. One thing still could.
Lazarus is patient. Your next audit is not. The SEC, MiCA supervisors, insurance underwriters, and the company’s own board will not accept “we rotated credentials” as an answer once the next $500 million quarter lands and the forensics trace to a Terminal command pasted eight weeks earlier.
Every existing layer is an answer to the wrong question. The session is real. The credentials are real. The device is real. The geolocation is real. The attacker is real too, and is holding all of it. The only thing the attacker does not have, and cannot get from a Telegram message and a single line of shell, is the victim’s face at the moment a transaction is authorized.
That is the layer worth building a 2026 security posture around. Not because it is novel. Because it is the one Lazarus cannot forge.
Full documentation: loricaapi.com/docs · Live demo: loricaapi.com/demo