TLDR
- Hackers are using fake Ledger Live apps to steal cryptocurrency by tricking users into entering their seed phrases through fake security alerts
- The malware campaign has been active since August 2024, with at least four different groups targeting macOS users
- Attackers replace legitimate Ledger Live apps with clones that display fake “critical error” messages requesting 24-word recovery phrases
- Dark web forums show growing interest in “anti-Ledger” malware, with threat actors sharing techniques to bypass Ledger’s security
- Cybersecurity firm Moonlock found the malware on over 2,800 compromised websites, warning that hackers are becoming more sophisticated
Cybercriminals are launching sophisticated attacks against cryptocurrency users by creating fake versions of Ledger Live, the popular app used to manage crypto through Ledger hardware wallets. The malware campaign has been active since August 2024 and targets macOS users specifically.
The attack works by replacing the legitimate Ledger Live app on victims’ computers with a malicious clone. Once installed, the fake app displays convincing security alerts that warn users about suspicious activity on their accounts.
Cybercriminals are compromising websites to spread macOS malware again.
This time: Atomic Stealer hidden in fake password manager installers.
Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer
— Moonlock (@moonlock_com) May 20, 2025
These fake alerts prompt users to enter their 24-word seed phrase, which is the master key that controls access to their cryptocurrency wallets. When users comply, the seed phrase is immediately sent to servers controlled by the attackers.
Cybersecurity firm Moonlock has been tracking this campaign and reports that attackers have evolved their methods over the past year. Initially, the fake apps could only steal passwords and wallet details without accessing the actual funds.
Evolution of the Attack Methods
The turning point came with a threat actor known as Rodrigo, who introduced advanced phishing capabilities in March 2025. His malware, called Odyssey, can bypass Ledger Live’s security defenses with sophisticated fake error messages.
The Odyssey malware retrieves the victim’s username and creates personalized phishing pages. These pages display a “critical error” message claiming that users must enter their seed phrase to fix security issues.
Other malware families have adopted similar techniques. The Atomic macOS Stealer (AMOS) now includes anti-Ledger features and has been found on at least 2,800 compromised websites according to Moonlock’s research.
How the Malware Spreads
The fake Ledger Live apps are distributed through various methods. Some attackers use malicious DMG files disguised as legitimate software downloads. Others replace the real app after infecting a device with initial malware.
One campaign uses a file called JandiInstaller.dmg that tricks users into executing shell scripts through fake Terminal applications. The malware includes virtual machine detection to avoid security researchers’ analysis tools.
After infection, the malware collects sensitive data including browser credentials, Apple Notes, and wallet configuration files. It then removes the legitimate Ledger Live app and installs the fake version in its place.
Dark Web Activity Increases
Threat actors on dark web forums are actively advertising malware with “anti-Ledger” capabilities. However, analysis by Moonlock shows that some advertised features are still in development or not fully functional.
One threat actor called @mentalpositive recently advertised updated malware that claims to include anti-Ledger features while reducing file size for better stealth. Analysis of samples shows the malware contains references to Ledger Live folders but lacks full phishing functionality.
The malware samples examined by researchers show attempts to hide author identities. One sample replaced a Slavic name “JENYA” with “SHELLS” in newer versions, suggesting efforts to obscure origins.
Multiple research teams have documented these campaigns. Jamf Threat Labs published research on a macOS infostealer campaign targeting Ledger Live users, though the malicious files were uploaded to security databases months before the public report.
Protection Methods
Security experts recommend several steps to avoid these attacks. Users should be suspicious of any message claiming critical errors and requesting seed phrases. Legitimate services never ask users to enter seed phrases through pop-up messages or websites.
Users should only download Ledger Live from official sources and never share seed phrases with anyone. The 24-word recovery phrase should only be used during the initial wallet setup or legitimate recovery processes performed offline.
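The advice above (use only the official download, and treat a swapped-in or altered app as the attack itself) can be turned into a concrete check. The following POSIX shell script is an added example, not code from the article, from Ledger or from Moonlock: it verifies that the app bundle at a given path still carries a valid code signature from the expected Apple developer Team ID, which is what a clone that replaced the real Ledger Live app would fail. The Team ID value is a placeholder and must be taken from Ledger’s official release before use; the script assumes macOS’s codesign and spctl tools and reports when it cannot run the check.

```shell
#!/bin/sh
# Added example (not from the article, Ledger or Moonlock): integrity check for
# the Ledger Live app bundle on macOS. A clone installed in place of the real
# app either has no signature, a broken one, or one from a different Team ID.
#
# Exit codes of check_ledger_live:
#   0  bundle exists, signature verifies, Team ID matches
#   1  no app bundle at the given path
#   2  bundle exists but fails verification or the Team ID differs
#   3  codesign is not available (not macOS), so nothing could be checked

# PLACEHOLDER: not Ledger's real Team ID; take the value from the official build.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-PLACEHOLDER_TEAM_ID}"

check_ledger_live() {
    app="$1"
    team="$2"

    if [ ! -d "$app" ]; then
        echo "missing: no app bundle at '$app'" >&2
        return 1
    fi

    if ! command -v codesign >/dev/null 2>&1; then
        echo "skip: codesign not available on this system" >&2
        return 3
    fi

    # Deep, strict verification fails if the bundle is unsigned or if any
    # sealed file inside it was modified, which is what a swapped-in clone
    # or a tampered legitimate copy looks like.
    if ! codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
        echo "FAIL: code signature of '$app' does not verify" >&2
        return 2
    fi

    # Extract the signing Team ID (codesign prints its details on stderr).
    actual=$(codesign -dv --verbose=4 "$app" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    if [ "$actual" != "$team" ]; then
        echo "FAIL: signed by Team ID '$actual', expected '$team'" >&2
        return 2
    fi

    # Gatekeeper assessment: the bundle must still be allowed to launch.
    if command -v spctl >/dev/null 2>&1; then
        if ! spctl --assess --type execute "$app" >/dev/null 2>&1; then
            echo "FAIL: Gatekeeper rejects '$app'" >&2
            return 2
        fi
    fi

    echo "OK: '$app' is signed by Team ID '$team' and passes verification"
    return 0
}

# Usage: sh check_ledger_live.sh "/Applications/Ledger Live.app"
# With no argument the script only defines the function (so it can be sourced).
if [ $# -gt 0 ]; then
    check_ledger_live "$1" "$EXPECTED_TEAM_ID"
    exit $?
fi
```

A non-zero result is the signal to stop, not to follow any prompt the app shows: reinstall from the official source and treat the machine as compromised, since the campaigns described above drop the clone only after an initial infection has already harvested browser credentials and wallet files.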
The campaign is a direct challenge to hardware wallet security, which is designed to keep seed phrases out of reach of ordinary malware. The elaborate phishing schemes also show that attackers cannot defeat Ledger’s protections directly and must trick users into handing over the seed phrase first.
Moonlock reports that four active campaigns are currently targeting Ledger Live users, with attackers continuing to develop new techniques. The security firm warns that chatter around anti-Ledger schemes is growing on dark web forums, with more sophisticated attacks expected.