Why Join the Navy if You Can Be a Pirate?
Though you might sometimes become cargo. Inside the macOS Cracked Software Pipeline
Published
March 31, 2026
Read time
12 Minutes


You need Photoshop for a side project. The subscription is expensive. You search for a free Mac download, land on a site that looks good enough, and within an hour, the app is running. A few weeks later, your Mac is hot even when you're not doing much. The fans stay loud. The battery drains fast. Activity Monitor shows a process with a name you do not recognize, chewing through CPU in the background. That "free" app may have cost you your machine's processing power, your saved passwords, your browser sessions or access to the files on your disk. That trade is more common than many Mac users think.
In the first 48 hours after we began tracking one recent cracked software distribution wave, our protections blocked about 108,000 attempts to launch these applications on macOS systems. This is a count of blocked launch attempts recorded by one of our shields, not unique devices. Of those detections, 58% came from Macs still supported by Apple, while 42% came from systems that no longer receive Apple's current support. The pattern is already clear: even on macOS, cracked apps are still a practical delivery channel for cryptominers, infostealers, adware and long-term persistence.
The signature that keeps showing up
Open enough cracked Mac apps and you start to see recurring patterns. One of the patterns we see quite often is a string left by the TNT group:
.TNT - why join the navy if you can be a pirate
Still, this story will not be about them but rather the whole distribution pipeline around them.
A crack may start as a modified version of a legitimate app with license checks removed. After that, it often moves through mirror sites, torrent uploads, forum reposts, Telegram channels and re-packed archives. Every handoff is another chance to add something extra to the file. That is the real problem. Users rarely download a package from a trusted source. They are downloading whatever the last person in the chain decided to upload.
Why people still download cracked Mac apps
Cost is one of the obvious reasons. A subscription can feel absurd when you need an app for one class, one freelance project or one weekend task. There is another reason too: old hardware. Plenty of people still use older Macs that work well enough for everyday tasks, but no longer run the latest macOS release. Once that happens, the legitimate software market starts shrinking around them. New versions no longer support old releases; official downloads for old versions get harder to find and compatibility drops. The machine still works, but the software ecosystem has moved on.
That is exactly when cracked software starts to look practical. It promises a version that runs on old hardware, costs nothing and solves the problem immediately. What it does not say is that older Macs are often already at a disadvantage. They may miss newer security features and recent patches. If the installation also tells the user to weaken built-in protections, the system becomes much easier to abuse.
How cracked apps reach users
Cracked macOS software spreads through a loose supply chain. Some files come from dedicated download sites that look almost like real app stores. Others spread through torrent trackers, warez forums, Telegram channels, Discord communities and file-sharing links posted on SEO-driven "download" pages. The packaging changes, the mirrors change and the hostnames change. The model stays the same.
The important point is not which site was involved. It is that every re-upload, re-zip and re-pack creates another opportunity to insert a payload. The original crack may be clean, but the version on a mirror site may already tell a different story; the torrent may include an extra installer, the archive posted to a chat channel may have been modified again. There is usually no reliable way for a typical user to tell the difference before running it.

Every step between the original crack and the final download is an opportunity to add malware or unwanted software.
The installation guide often tells users to defeat macOS security
This is where the risk becomes very concrete. macOS includes several protections that are meant to stop exactly this kind of software from running freely. Gatekeeper helps block apps from unidentified developers. Notarization checks software distributed outside the App Store for known malicious content. System Integrity Protection, or SIP, helps prevent changes to critical parts of the system. Permission controls limit what apps can read and modify. And cracked software install guides often tell users to work around those protections step by step.
Typical instructions often include:
- Disable Gatekeeper so unsigned apps can run.
- Boot into Recovery Mode and disable SIP.
- Launch the crack tool with administrator privileges.
- Grant Full Disk Access when prompted.


Common instructions that turn off the inbuilt system protections.
This matters because an attacker does not need to discover an advanced exploit if the user has already done the hard part for them. If an unsigned binary gets root privileges and Full Disk Access on a system with weakened protections, it has significantly more room to do real damage. On older Macs, the risk is even worse. When the OS is already behind on security updates, turning off the protections that remain can leave the system exposed for months.
What actually gets bundled with these downloads
Unfortunately, these payloads are a bit like a box of chocolates; you never know what you're gonna get. We tried to go through stats to identify some main types of these unwanted payloads.
- Cryptominers, such as XMRig, aim to use computer resources to mine cryptocurrency. Thus, besides the original app, the Mac will also do a second job in the background, usually resulting in high CPU usage, loud fans and significantly reduced battery life.
- InfoStealers, on the other hand, are trying to stay under the radar, collect various data on the device and send it to the control server. Usually, they are after saved passwords, cookies, session tokens, wallet data or documents as these can be monetized quickly. Remember that full disk access in step 4? That one made it a whole lot easier.
- Backdoors are usually trying to stay low and provide persistent access to the computer, be it to deploy further malware or use the computer as a staging point for future actions (e.g., email campaign). On macOS, this usually means LaunchAgents or Launch Daemons that run automatically after rebooting.
- Adware and Browser Hijackers are less dramatic than previous categories but still annoying, nonetheless. They may redirect your search, inject ads, change browser settings and commit affiliate fraud (e.g., injecting their affiliate links) - as the monetization relies on abuse of (semi-)legitimate internet infrastructure; these are the easiest ways to monetize.

To be clear, the point is not that every cracked app is booby-trapped with these payloads. Unfortunately, obtaining cracked software may require you to trust an anonymous supply chain with system-level access to your systems, with limited options to verify what you got.
The Mac myth still helps to keep this pipeline alive
A lot of people still carry some version of the old belief that Macs do not really get malware. That idea was always overstated, as this usually relied on Macs being a smaller market for malware authors than the Windows ecosystem. Today, with many threats going multi-platform, this idea is actively dangerous.
While macOS has its own built-in protections that manage to provide some level of protection, they still rely on the user installing software from trusted sources and, crucially (but unsurprisingly), they only have an effect if the user does not turn them off. The moment a user starts disabling Gatekeeper, turning off SIP and granting broad permissions to unsigned binaries, the system is left exposed.
This combination makes cracked software on macOS quite an attractive delivery method. Leading the user to disable their AV is one of the oldest tricks in the book, but this one takes it a step further by implicitly banking on a still-popular myth to avoid raising suspicion.
Is there a way back?
- Re-enable SIP in Recovery Mode:
    csrutil enable
- Then re-enable Gatekeeper in Terminal:
    sudo spctl --master-enable
- Check common persistence locations. Unfamiliar .plist files or oddly named helper items are worth investigating.
    ~/Library/LaunchAgents/
    /Library/LaunchAgents/
    /Library/LaunchDaemons/
    ~/Library/Application Support/
- Run a full system scan using e.g., Avast for Mac or Norton Security for Mac. Running it on the Downloads folder might not be enough.
- Consider changing important passwords. Start with email, banking, work accounts, cloud storage, and any password manager. This is especially crucial if the full system scan identified malware.
- Watch for follow-on activity. Look for login alerts, suspicious financial activity and unusual browser behavior that continue after removing the cracked app.
- Consider a clean install if the system was compromised for an extended period. The safest approach is a full macOS reinstall from Recovery Mode. Back up personal files (documents, photos — not applications), wipe the drive, reinstall macOS and restore only verified clean data.
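
The persistence check from the list above, as an added Python example (not from the original article or its authors' tooling): it lists every launch item in the LaunchAgents and LaunchDaemons folders together with the executable it starts, so unfamiliar entries stand out. The two review heuristics (`WRITABLE_HINTS` and the hidden-path check) are assumptions of this example, not rules stated in the article, and a marked item is a prompt to investigate, not a verdict.

```python
import plistlib
from pathlib import Path

# Persistence locations named in the checklist above.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
# Assumed review heuristics (not from the article): locations any user-level
# process can write to, so a launch item executing from there merits a look.
WRITABLE_HINTS = ("/tmp/", "/Users/Shared/", "/Library/Application Support/")

def describe_item(plist_path):
    """Return label, executable and review reasons for one launch plist."""
    item = {"file": str(plist_path), "label": None, "program": None, "reasons": []}
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(data, dict):
            raise ValueError("root is not a dictionary")
    except Exception as exc:  # a malformed launch plist is itself worth a look
        item["reasons"].append(f"unparseable plist ({type(exc).__name__})")
        return item
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    item["label"], item["program"] = data.get("Label"), program
    if not isinstance(program, str):
        item["reasons"].append("no usable Program or ProgramArguments")
    else:
        if any(hint in program for hint in WRITABLE_HINTS):
            item["reasons"].append("executable in user-writable location")
        if any(part.startswith(".") for part in Path(program).parts):
            item["reasons"].append("hidden path component")
    return item

def audit_launch_items(dirs=LAUNCH_DIRS):
    """Describe every *.plist in dirs, items with review reasons first."""
    items = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            items += [describe_item(p) for p in sorted(folder.glob("*.plist"))]
    return sorted(items, key=lambda i: not i["reasons"])

if __name__ == "__main__":
    for item in audit_launch_items():
        flag = "REVIEW" if item["reasons"] else "listed"
        print(flag, item["label"], "->", item["program"], "|", "; ".join(item["reasons"]))
```

Reading /Library/LaunchDaemons may require elevated privileges on some systems; items the script cannot parse are reported rather than skipped.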
The real price of "free"
Cracked software might sound attractive because it solves an immediate problem. It saves money. It keeps an old Mac useful for a little longer. It avoids a subscription that people don't want to pay. But the actual deal may look different once you include the hidden terms. Even when the original crack is benign, things may get tangled once you consider distribution, potentially including other middlemen in the transaction, with each possibly vying for their share.
If the goal is simply to get work done, the safer alternatives are boring but real: official older installers when vendors provide them, open-source alternatives, lower-cost one-time-purchase tools, student licensing or used hardware that can still run a supported macOS release.
Our role: Protection, not judgment
As a company behind reputable antivirus solutions such as Avast, AVG and Norton, we want to be clear: we don't judge users by the software choices they make. We understand that people might turn to cracked software to solve their problems, be it tight budgets, old hardware that still works or needing an app for a short-term project. We get it.
Our job is not to be the software police.
Our job is to protect you from threats that hide in the places where you might be looking for solutions.
When our detection systems flag a cracked app, it is not because we disapprove of your choice to use it. It is because we found something genuinely malicious bundled with it - a cryptominer, an infostealer, a backdoor or other malware that puts your system and data at risk.
If we block a cracked app, you can be confident that we detected something nasty lurking inside. Our goal is to let you make informed decisions about the software you install, with full knowledge of what risks come with it.
Final thought
The quote that TNT and other groups stamp on cracked software, "Why join the Navy if you can be a pirate?", was about thinking differently. About building something new instead of following the established path. About creativity and independence. Using it to brand cracked software misses the point entirely. The real pirates in this story are usually not the users trying to save money or keep an old Mac useful for a little longer. They are the actors further up the chain: repackagers, mirror operators, uploaders and malware distributors who turned cracked software into a monetization engine.
That is what makes this ecosystem work so well. The person downloading the app thinks they are taking a shortcut. They might be stepping into a supply chain built to extract value from them, whether that means mining cryptocurrency in the background, stealing credentials, hijacking browser traffic or keeping a foothold on the machine for later.
Still, the end decision is not ours to make.
If you make your decision, step with care.
As you might eventually realize that you did not join the Navy. You did not become a pirate. You just ended up as cargo.