TLDR
- Cybercriminals are using fake Ledger Live apps to steal crypto from macOS users by replacing the real app with malicious clones
- The malware prompts users to enter their seed phrases through fake security alerts, then sends this data to attacker-controlled servers
- Atomic macOS Stealer has been found on at least 2,800 hacked websites and is being used to distribute these fake Ledger apps
- Moonlock has tracked at least four active malware campaigns since August 2024 targeting Ledger users
- Dark web forums show growing chatter about “anti-Ledger” schemes, with threat actors advertising specialized malware tools
Cybercriminals have developed malware that replaces the legitimate Ledger Live application on macOS devices in order to steal cryptocurrency. The fake apps trick users into revealing their seed phrases through convincing security alerts.
Cybersecurity firm Moonlock described the malware campaign in a May 22 report. The malicious software completely replaces the real Ledger Live app on victims’ computers. Once installed, it displays fake pop-up messages claiming suspicious activity has been detected on the user’s wallet.
The fake alerts prompt users to enter their 24-word seed phrase for verification. When users comply, the malware immediately sends this sensitive information to servers controlled by the attackers. Because the seed phrase is all that is needed to regenerate every private key in the wallet, the criminals can restore it on their own machine and drain the victim’s accounts within seconds; the hardware device and its PIN are never needed.
Moonlock researchers found that attackers initially could only steal passwords and wallet details. Over the past year, however, the criminals have evolved their methods. They now focus specifically on extracting seed phrases, which provide complete wallet access.
How the Attack Works
The primary delivery method involves Atomic macOS Stealer malware. This software has been discovered on at least 2,800 compromised websites according to Moonlock’s investigation. The stealer first infects the target device through these malicious sites.
Cybercriminals are compromising websites to spread macOS malware again.
This time: Atomic Stealer hidden in fake password manager installers.
Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer
— Moonlock (@moonlock_com) May 20, 2025
After successful infection, Atomic macOS Stealer collects personal data including passwords and notes. It then locates and removes the legitimate Ledger Live application. The malware replaces it with an identical-looking fake version that contains the malicious code.
The replacement happens silently, without alerting the user. Most victims remain unaware that their Ledger Live app has been swapped out. The fake app functions normally until it triggers the fraudulent security alert. The swap does leave one trace: a clone cannot be signed with Ledger’s Developer ID key, so the bundle on disk no longer carries Ledger’s code signature.
Campaign Timeline and Scope
Moonlock has been monitoring this specific malware campaign since August 2024. Researchers have identified at least four separate active campaigns targeting Ledger s. The attacks appear to be increasing in frequency and sophistication.
Dark web forums show growing discussion of “anti-Ledger” schemes among cybercriminals. Threat actors are actively advertising malware tools with specialized features for targeting Ledger hardware wallet users. However, some of the tools examined by Moonlock lacked the full functionality promised by the sellers.
The cybersecurity firm believes these missing features may still be under development. Future updates to the malware could add more advanced anti-Ledger capabilities, so the threat is likely to keep evolving.
Prevention and Security Measures
Security experts recommend several steps to avoid these attacks. Users should be suspicious of any message requesting their 24-word recovery phrase. Legitimate services never ask users to enter seed phrases through pop-up alerts or websites: the recovery phrase is only ever entered on the hardware device itself, never typed into a computer, phone, or browser.
Download Ledger Live only from official sources to avoid compromised versions. Users should also regularly check their installed apps and be cautious when visiting unfamiliar websites. Any unexpected security alert should be verified through official Ledger channels before taking action.
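One concrete way to carry out the “check your installed apps” advice, and to catch the app swap described under How the Attack Works, is to verify that the Ledger Live bundle on disk still carries a valid Developer ID signature from Ledger’s Apple Team ID. The script below is an added example for this article; it is not from the Moonlock report and not Ledger’s own tooling. The bundle path and the LEDGER_TEAM_ID variable are assumptions: the page does not give Ledger’s Team ID, so read it once from a fresh copy downloaded from ledger.com and set the variable before relying on the result. The parsing function works on text, so it can be exercised on any system; the three live checks run only on macOS.

```shell
#!/bin/sh
# Added example (not from the Moonlock report or from Ledger): confirm the Ledger
# Live bundle still carries a valid Developer ID signature from the expected Team ID.
# A clone dropped in place of the real app cannot be signed with Ledger's key, so it
# fails at least one of the three checks in verify_ledger_live.
#
# Assumptions not stated on the page: the bundle path, and LEDGER_TEAM_ID, which you
# must set to Ledger's real Team ID (take it from a fresh download from ledger.com:
#   codesign -d --verbose=4 "/Applications/Ledger Live.app").
APP="${LEDGER_APP:-/Applications/Ledger Live.app}"
EXPECTED_TEAM_ID="${LEDGER_TEAM_ID:-SET-ME}"

# Parse `codesign -d --verbose=4` output read from stdin. Succeeds only if the
# TeamIdentifier equals $1 and the leaf certificate is a Developer ID Application
# certificate. Ad-hoc signatures print "Signature=adhoc" and no usable Team ID; a
# clone signed with someone else's key shows a different Team ID; a development
# certificate fails the leaf check even if the Team ID happened to match.
check_signature_details() {
  expected="$1"
  team=""
  leaf=""
  while IFS= read -r line; do
    case "$line" in
      TeamIdentifier=*) team="${line#TeamIdentifier=}" ;;
      Authority=*)
        # The first Authority line is the leaf (signing) certificate.
        if [ -z "$leaf" ]; then leaf="${line#Authority=}"; fi
        ;;
    esac
  done
  if [ -z "$team" ] || [ "$team" != "$expected" ]; then
    return 1
  fi
  case "$leaf" in
    "Developer ID Application:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Full check of the installed bundle; macOS only.
verify_ledger_live() {
  app="$1"
  expected="$2"
  # 1. The signature must verify for every nested binary, with no modified files.
  if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "FAIL: $app has no valid signature or its contents were modified"
    return 1
  fi
  # 2. Gatekeeper must still accept it (notarized, certificate not revoked).
  if ! spctl --assess --type execute "$app" 2>/dev/null; then
    echo "FAIL: Gatekeeper rejects $app"
    return 1
  fi
  # 3. The signer must be the expected Developer ID team. codesign writes to stderr.
  if ! codesign -d --verbose=4 "$app" 2>&1 | check_signature_details "$expected"; then
    echo "FAIL: $app is not signed with a Developer ID certificate for Team ID $expected"
    return 1
  fi
  echo "OK: $app is signed by Team ID $expected and accepted by Gatekeeper"
  return 0
}

# Run the live check only where codesign exists, i.e. on macOS.
if command -v codesign >/dev/null 2>&1; then
  verify_ledger_live "$APP" "$EXPECTED_TEAM_ID"
fi
```

Run it as `LEDGER_TEAM_ID=<team id> sh check-ledger-live.sh` after every Ledger Live update; a FAIL on a bundle that was previously OK is exactly the app replacement this campaign performs, and the safe response is to stop using that copy and reinstall from ledger.com rather than to enter anything the app asks for.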
Moonlock’s research shows criminals are specifically targeting the trust users place in Ledger’s reputation. The attacks exploit users’ confidence in the Ledger brand by creating convincing replicas of the official software.
The cybersecurity firm has tracked this campaign for eight months with no sign of it slowing down. Dark web activity suggests more sophisticated attacks targeting Ledger users are being planned for future deployment.