Fake Ledger Live apps scam macOS users with crypto-stealing malware

Fake Ledger Live apps are targeting macOS users with malware that replaces the genuine wallet manager with a counterfeit version, tricks victims into entering their seed phrases, and drains their crypto, the cybersecurity firm Moonlock has warned.

A surge of malware campaigns aimed at macOS users is exploiting the trust placed in Ledger Live, the widely used companion application for managing Ledger hardware wallets.

Moonlock warned that attackers are distributing counterfeit versions of the app to harvest seed phrases and drain victims' cryptocurrency holdings.

In a report released on May 22, Moonlock said threat actors are using trojanized versions of Ledger Live that display convincing pop-ups to extract users' recovery phrases.

“Within a year, they have learned to steal seed phrases and empty the wallets of their victims,” the team stated, noting a major evolution in the threat.

A major infection vector is Atomic macOS Stealer (AMOS), an infostealer built to capture sensitive data including passwords, notes, and cryptocurrency wallet credentials.

Moonlock has identified the stealer on at least 2,800 compromised websites.

Once installed, the malware silently replaces the legitimate Ledger Live app with a fake version that displays fraudulent alerts designed to collect seed phrases.

As soon as a user types their 24-word recovery phrase into the fake app, the phrase is transmitted to servers under the attackers' control.

“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase,” Moonlock explained.

“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”

Since August, Moonlock has tracked malware distributing a malicious Ledger Live clone, identified at least four active campaigns, and believes the attackers are "only getting smarter."

Dark web vendors advertise malware with sophisticated "anti-Ledger" capabilities, though Moonlock noted that many of these tools are still under development. Even so, attackers continue to refine their tactics.

“This isn’t just a theft,” Moonlock emphasized. “It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”

Users should install apps only through official channels, treat any unexpected seed-phrase prompt as a red flag, and never type their recovery phrase into any software, no matter how legitimate the interface looks. The genuine Ledger Live app never asks for the recovery phrase; a Ledger seed is only ever entered on the hardware device itself, so any desktop or browser prompt requesting it is an attack.
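Because the attack works by swapping the real app bundle for a trojanized one, the most useful check a macOS user can run is whether the installed Ledger Live still carries a valid, unmodified Developer ID signature that Gatekeeper accepts. The following script is an added example written for this article, not code from Moonlock or Ledger. It assumes the default install path `/Applications/Ledger Live.app` and that the legitimate app is signed with a Developer ID certificate whose leaf authority contains "Ledger"; both are assumptions and are passed as parameters so they can be corrected against Ledger's own documentation.

```shell
#!/usr/bin/env bash
# Added example (not Moonlock's or Ledger's code): verify that a macOS app
# bundle is still intact and signed by the expected developer.
#
# ASSUMPTION: Ledger Live installs to /Applications by default.
APP_PATH_DEFAULT="/Applications/Ledger Live.app"

# verify_ledger_live [APP_PATH] [EXPECTED_AUTHORITY_SUBSTRING]
# Exit codes: 0 all checks passed; 1 a check failed (tampered, ad-hoc signed,
# or signed by someone else); 2 bundle path missing; 3 not macOS (no codesign).
verify_ledger_live() {
    app="${1:-$APP_PATH_DEFAULT}"
    # ASSUMPTION: substring expected in the leaf "Authority=" line of codesign.
    expected_authority="${2:-Developer ID Application: Ledger}"

    if [ ! -d "$app" ]; then
        echo "FAIL: no app bundle at '$app'" >&2
        return 2
    fi
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "SKIP: codesign/spctl not available; run this on macOS" >&2
        return 3
    fi

    # --strict makes codesign reject bundles whose sealed resources changed
    # after signing, which is exactly what swapping in a trojanized binary does.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature invalid or bundle modified since signing" >&2
        return 1
    fi

    # Gatekeeper's verdict: a notarized Developer ID app passes, an ad-hoc or
    # unsigned replacement does not (unless the user already overrode it).
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects this bundle" >&2
        return 1
    fi

    # codesign -dvv prints the certificate chain to stderr; the first
    # Authority= line is the leaf, i.e. the developer who signed the app.
    leaf=$(codesign -dvv "$app" 2>&1 | awk -F= '/^Authority=/ {print $2; exit}')
    case "$leaf" in
        *"$expected_authority"*)
            echo "OK: '$app' is intact and signed by '$leaf'"
            return 0 ;;
        *)
            echo "FAIL: unexpected signer '$leaf'" >&2
            return 1 ;;
    esac
}
```

Run it as `verify_ledger_live` after installing or updating, or pass an explicit path and signer substring. A strict signature failure on an app you did not modify, or a leaf authority that is not the vendor's Developer ID, means the bundle on disk is not the one the vendor shipped.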

On May 21, Microsoft took legal and technical action to disrupt Lumma Stealer, an infostealer operation linked to widespread theft of sensitive information, including from cryptocurrency wallets.

The company said a federal court in Georgia granted its Digital Crimes Unit permission to seize or take down roughly 2,300 websites tied to Lumma's infrastructure.

Microsoft confirmed that, together with the U.S. Department of Justice, Europol's European Cybercrime Centre, and Japan's Cybercrime Control Center, its teams dismantled both the malware's command-and-control infrastructure and the marketplaces where cybercriminals bought the software.

First released in 2022 and continuously updated since, Lumma is sold through underground forums and used to harvest passwords, credit card details, bank account credentials, and cryptocurrency data.
