I’m Fer, a Mac user who learned the hard way that “normal” AV doesn’t catch modern wallet-stealer families (AMOS / Poseidon / Banshee / Atomic, etc.). So I built ShieldKey: a Swift/Rust, always-local layer that covers the specific attack surface of crypto wallets on macOS.

What ShieldKey does today

* Process-level wallet cage via EndpointSecurity + Sandbox: blocks anything touching wallet paths (~/Library/Application Support/…, browser Local Storage, USB HID for Ledger/Trezor) unless it’s on an allow list
* Network Extension blocks known phishing domains before the browser even loads them
* Clipboard / window-title watcher for seed patterns (base58 / hex)
* 1,800 macOS stealer hashes in a compact YARA+SHA table (mmap, ~20 µs lookup)
* One-click “wallet lock”: chmod browser-wallet storage to 000 and auto-eject HW wallets
* 100 % offline; UI is SwiftUI, engine is a 4 MB static Rust daemon

Why bother when Objective-See or commercial AV exist?

- Objective-See is awesome but pops LOTS of alerts; ShieldKey ships wallet-specific heuristics so users get one actionable alert, not 200.
- Commercial AVs flagged <10 % of the macOS stealer hashes we collected since Jan 2024 (VirusTotal data). They also don’t understand Ledger HID traffic or MetaMask’s plaintext vault.

Architecture

- shieldd (daemon): Rust, Tokio, subscribes to EndpointSecurity, FSEvents, HID, NetExt
- shieldctl (CLI): sends YAML → gRPC to daemon, emits JSON for UI
- ShieldKey.app: SwiftUI menu-bar wrapper
- Rules pack compiled into a single kcdb file (mmap B-Tree, O(log n))

Limitations

- No in-browser JS detection; if you paste a seed, JS phishing can still grab it
- No rule revocation yet; the whole pack must update
- Only tested on Monterey through Sonoma

Roadmap

- Signed rule updates over Tor (opt-in)
- Hardware-wallet micro-firewall (USB endpoint filter)
- Transparency log for notarized releases
- Public repo once code is hardened

Try it / tear it apart

Get DMG: https://getshieldkey.com
brew tap coming this week. shieldctl --dry-run shows every ES event.

Looking for feedback: missed attack surfaces, EndpointSecurity edge cases, UI nits. If you’ve got macOS stealer samples I don’t detect, send hashes (or encrypted zips) to bugs@getshieldkey.com.
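The clipboard / window-title watcher listed under "What ShieldKey does today" is described only as matching "seed patterns (base58 / hex)". The block below is an added example of what such a heuristic scanner looks like; it is not ShieldKey's code, and the three shapes it checks (64 hex digits, a WIF-shaped base58 string, a 12-to-24-word lowercase phrase) plus their thresholds are this example's own assumptions. It uses only the Rust standard library.

```rust
// Added example, not ShieldKey code: a heuristic scanner of the kind a
// clipboard / window-title watcher would run over each text snapshot.
// The three shapes and their thresholds are this example's assumptions:
//   * 64 hex digits, optional 0x prefix            -> raw 256-bit private key
//   * base58, 51 chars from '5' or 52 from 'K'/'L' -> Bitcoin WIF private key
//   * 12/15/18/21/24 lowercase words               -> BIP39 mnemonic candidate

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SecretKind {
    HexPrivateKey,
    WifPrivateKey,
    MnemonicCandidate(usize),
}

/// Bitcoin base58 alphabet: 0, O, I and l are deliberately absent.
const BASE58: &[u8] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

fn is_hex_key(tok: &str) -> bool {
    // Caveat: a txid or SHA-256 has the same shape, so this alone is noisy;
    // pair it with window-title context before alerting.
    let t = tok.strip_prefix("0x").unwrap_or(tok);
    t.len() == 64 && t.bytes().all(|b| b.is_ascii_hexdigit())
}

fn is_wif_key(tok: &str) -> bool {
    let first = tok.as_bytes().first().copied();
    let shape_ok = matches!(
        (tok.len(), first),
        (51, Some(b'5')) | (52, Some(b'K')) | (52, Some(b'L'))
    );
    shape_ok && tok.bytes().all(|b| BASE58.contains(&b))
}

fn mnemonic_word_count(text: &str) -> Option<usize> {
    let words: Vec<&str> = text.split_whitespace().collect();
    let n = words.len();
    if ![12, 15, 18, 21, 24].contains(&n) {
        return None;
    }
    // Assumption: BIP39 English words are 3..=8 lowercase ASCII letters.
    // A production check would test membership in the 2048-word list and
    // the checksum, which this example does not embed.
    let wordlike =
        |w: &&str| (3..=8).contains(&w.len()) && w.bytes().all(|b| b.is_ascii_lowercase());
    if words.iter().all(wordlike) { Some(n) } else { None }
}

/// Scan one clipboard or window-title snapshot and report every hit.
pub fn scan(text: &str) -> Vec<SecretKind> {
    let mut hits = Vec::new();
    let sep = |c: char| c.is_whitespace() || matches!(c, '"' | '\'' | ',' | ';' | '=');
    for tok in text.split(sep).filter(|t| !t.is_empty()) {
        if is_hex_key(tok) {
            hits.push(SecretKind::HexPrivateKey);
        } else if is_wif_key(tok) {
            hits.push(SecretKind::WifPrivateKey);
        }
    }
    if let Some(n) = mnemonic_word_count(text) {
        hits.push(SecretKind::MnemonicCandidate(n));
    }
    hits
}

fn main() {
    // Constructed snapshots: the hex and WIF values are filler of the right
    // shape, not real keys; the mnemonic is the public BIP39 test vector.
    let samples = [
        format!("export PRIVATE_KEY=0x{}", "ab".repeat(32)),
        format!("L{}1", "Kz".repeat(25)),
        "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about".to_string(),
        "meeting notes: nothing sensitive here".to_string(),
    ];
    for s in &samples {
        println!("{:?} -> {:?}", &s[..s.len().min(40)], scan(s));
    }
}
```

The hex check is the noisy one: every transaction id and file hash on a block explorer is also 64 hex digits, which is why a watcher that wants "one actionable alert, not 200" has to combine the pattern with context (which window the text came from, whether a wallet extension is in the foreground) rather than alert on shape alone.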
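The post says the 1,800 stealer hashes live in an mmap'd table with ~20 µs lookups and that the rules pack is a single kcdb file searched in O(log n). The block below is an added example of the generic technique behind such numbers, a flat, sorted table of fixed-width SHA-256 digests searched in place over a byte slice; it is not ShieldKey's kcdb format, the file layout is this example's assumption, and the digests in it are constructed filler rather than real malware hashes.

```rust
// Added example, not ShieldKey's kcdb: a pack of fixed-width SHA-256 records,
// sorted once at build time and binary-searched in place over whatever bytes
// back it (a read-only mmap in production, a Vec<u8> here). No allocation and
// no parsing of the whole pack on the lookup path.
use std::cmp::Ordering;

pub const DIGEST_LEN: usize = 32;

/// Parse one hex SHA-256 string as found in a hash list (either case).
pub fn parse_hex_digest(s: &str) -> Option<[u8; DIGEST_LEN]> {
    if s.len() != DIGEST_LEN * 2 || !s.is_ascii() {
        return None;
    }
    let mut out = [0u8; DIGEST_LEN];
    for (i, pair) in s.as_bytes().chunks_exact(2).enumerate() {
        let hi = (pair[0] as char).to_digit(16)?;
        let lo = (pair[1] as char).to_digit(16)?;
        out[i] = (hi * 16 + lo) as u8;
    }
    Some(out)
}

/// Compile step: sort, dedup, concatenate into the flat byte table.
pub fn build_table(mut digests: Vec<[u8; DIGEST_LEN]>) -> Vec<u8> {
    digests.sort_unstable();
    digests.dedup();
    digests.iter().flat_map(|d| d.iter().copied()).collect()
}

/// Run this once when the pack is mapped, before trusting binary search on it:
/// the length must be a whole number of records and the records must be
/// strictly ascending. A truncated or tampered pack fails here instead of
/// silently missing hashes.
pub fn validate_table(table: &[u8]) -> bool {
    table.len() % DIGEST_LEN == 0
        && table
            .chunks_exact(DIGEST_LEN)
            .zip(table.chunks_exact(DIGEST_LEN).skip(1))
            .all(|(a, b)| a < b)
}

/// O(log n) lookup over fixed-width records; returns the record index on a hit.
pub fn lookup(table: &[u8], needle: &[u8; DIGEST_LEN]) -> Option<usize> {
    debug_assert!(table.len() % DIGEST_LEN == 0);
    let (mut lo, mut hi) = (0usize, table.len() / DIGEST_LEN);
    while lo < hi {
        let mid = lo + (hi - lo) / 2;
        let rec = &table[mid * DIGEST_LEN..(mid + 1) * DIGEST_LEN];
        match rec.cmp(&needle[..]) {
            Ordering::Less => lo = mid + 1,
            Ordering::Greater => hi = mid,
            Ordering::Equal => return Some(mid),
        }
    }
    None
}

/// Constructed sample pack: three fake digests (repeated bytes, not real hashes),
/// with one duplicate to show dedup at build time.
pub fn sample_table() -> Vec<u8> {
    build_table(vec![[0x9a; 32], [0x3c; 32], [0x7e; 32], [0x3c; 32]])
}

fn main() {
    let table = sample_table();
    assert!(validate_table(&table));
    println!("records: {}", table.len() / DIGEST_LEN);
    println!("7e.. -> {:?}", lookup(&table, &[0x7e; 32]));
    println!("00.. -> {:?}", lookup(&table, &[0u8; 32]));
}
```

The validation step is the part worth keeping even if the file format differs: binary search is only correct over a sorted table, so a pack that is corrupted in transit, or swapped by something with write access to the install directory, should be rejected at load time rather than quietly returning "not found" for hashes it still contains.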