In a chilling development for crypto users, cybersecurity researchers have uncovered a growing trend of hackers using counterfeit versions of the Ledger Live app to siphon digital assets from unsuspecting victims. The campaign, primarily targeting macOS users, aims to extract sensitive seed phrases through cleverly disguised malware, ultimately giving attackers complete control over victims’ crypto wallets.
Cybersecurity firm Moonlock sounded the alarm in a detailed report published on May 22, outlining how these fraudulent Ledger Live applications reach users’ machines and how the social engineering that follows works. The malware impersonates the official Ledger Live interface and, once installed, tricks users into typing their 24-word recovery phrases into a convincing but malicious pop-up that warns of “suspicious activity.”
What makes this malware campaign especially insidious is its evolution. Just a year ago, cloned Ledger apps were mostly confined to basic password theft and harvesting data like notes and wallet names. But today, the criminals behind these scams have significantly upped their game. According to Moonlock, the malware has now been weaponized to steal full seed phrases, allowing attackers to completely drain wallets in a matter of seconds.
How Are These Attacks Carried Out?
One of the primary tools in this campaign is the Atomic macOS Stealer, which Moonlock found being distributed through at least 2,800 compromised websites. Once a user visits one of these sites and is tricked into downloading and running the stealer, the legitimate Ledger Live app on their machine is silently replaced with a fake version. From there, the malicious app shows a counterfeit security alert urging the user to “verify” their seed phrase to resolve the supposed issue.
Once the seed phrase is entered, it is sent straight to a server the attackers control. That’s all it takes: the 24 words are the wallet, so the attackers can restore it on their own device and empty it within moments.
A Long-Running and Evolving Threat
According to Moonlock’s investigation, this malware operation has been active since at least August 2023 and is only becoming more sophisticated. They identified at least four distinct malware distribution campaigns and noted a troubling trend: the dark web is buzzing with chatter about “anti-Ledger” software—malware specifically marketed to exploit Ledger users.
Interestingly, Moonlock pointed out that while many of these tools are being advertised as fully featured, some of them still lack the promised capabilities, suggesting that further enhancements are likely on the way.
“This is more than just theft,” Moonlock wrote in its report. “It’s a coordinated effort to undermine one of the most trusted tools in the cryptocurrency space. And it’s only getting worse.”
How Users Can Protect Themselves
As these cyberattacks grow more refined, the best defense remains vigilance. Moonlock stresses that users should never enter their 24-word seed phrase in response to any pop-up or message, no matter how official it may look. The genuine Ledger Live app never asks for the phrase; it is only ever entered on the hardware device itself, during setup or recovery. Recovery phrases should be treated like the keys to a vault—stored offline and never shared or typed into a computer.
To avoid falling victim, users should download the Ledger Live app only from the official Ledger website, and treat an installed copy as suspect if its code signature is missing or no longer Ledger’s. They should also be wary of any site, pop-up, or application that demands immediate seed phrase verification because of a “critical error” or “suspicious activity.”
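One concrete check for the app-replacement step described above, on macOS: confirm that the installed “Ledger Live.app” still carries a valid Developer ID signature from the expected Apple Team ID, rather than an ad-hoc, missing or foreign one. The script below is an added example, not code from Moonlock, Ledger or the report; the Team ID it compares against is a placeholder you take from a known-good copy downloaded from ledger.com (Ledger’s real Team ID is not stated here), and the sample `codesign` output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the Moonlock report or from Ledger): verify that a
# macOS app bundle is still signed by the expected Apple Team ID with a
# Developer ID Application certificate anchored at Apple Root CA.
#
# Assumption (not from the article): the expected Team ID is supplied by the
# caller, read from a known-good install; TEAMID12345 in the usage line is a
# placeholder, not Ledger's real Team ID.

# Parse the text that `codesign -dv --verbose=4 <app>` prints (to stderr).
# Succeeds only if TeamIdentifier matches and the Authority chain shows a
# Developer ID Application certificate rooted at Apple Root CA.
check_codesign_output() {
    expected_team="$1"
    output="$2"
    team=$(printf '%s\n' "$output" | sed -n 's/^TeamIdentifier=//p' | head -n1)
    # Unsigned or ad-hoc signed bundles report "TeamIdentifier=not set".
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "FAIL: no TeamIdentifier (unsigned or ad-hoc signed bundle)"
        return 1
    fi
    if [ "$team" != "$expected_team" ]; then
        echo "FAIL: TeamIdentifier $team does not match expected $expected_team"
        return 1
    fi
    if ! printf '%s\n' "$output" | grep -q '^Authority=Developer ID Application:'; then
        echo "FAIL: not signed with a Developer ID Application certificate"
        return 1
    fi
    if ! printf '%s\n' "$output" | grep -q '^Authority=Apple Root CA$'; then
        echo "FAIL: certificate chain is not anchored at Apple Root CA"
        return 1
    fi
    echo "OK: signed by team $team with a Developer ID certificate"
    return 0
}

# Run the live checks against an installed bundle (macOS only).
check_app() {
    app="$1"
    expected_team="$2"
    # Strict verification of every nested component: a swapped binary or
    # resource inside the bundle fails here even if the outer seal looks fine.
    codesign --verify --deep --strict "$app" 2>&1 || return 1
    # Gatekeeper assessment; a notarized Developer ID app is accepted.
    spctl --assess --type execute "$app" 2>&1 || return 1
    info=$(codesign -dv --verbose=4 "$app" 2>&1)
    check_codesign_output "$expected_team" "$info"
}

# Usage: sh check_app_signature.sh "/Applications/Ledger Live.app" TEAMID12345
if [ "$#" -eq 2 ]; then
    check_app "$1" "$2"
fi
```

A bundle that passes `codesign --verify` but fails the Team ID comparison is the interesting case: it is validly signed, just not by the vendor you expected, which is exactly what a repackaged clone looks like.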
Final Word
As the crypto space continues to grow, so do the efforts of cybercriminals looking to exploit it. Ledger has yet to issue a formal comment on the Moonlock findings, but the message to users is clear: trust is important, but verification is essential. When in doubt, assume it’s a scam—and keep your seed phrase offline.