
Key Takeaways
- A fake Ledger Live app is replacing the real version on macOS to steal users' seed phrases.
- Over 2,800 hacked websites are distributing the Atomic macOS Stealer malware.
- Moonlock has tracked at least four phishing campaigns since August 2024 targeting Ledger users.
A fake version of Ledger Live is targeting macOS users, using malware that silently replaces the legitimate application and steals users’ seed phrases.
Malware distribution & operation
The malicious campaign begins when users visit one of over 2,800 hacked websites distributing Atomic macOS Stealer (AMOS).
Once installed, the malware deletes the genuine Ledger Live app and installs a visually identical fake.
The app then displays a warning of “suspicious activity” and prompts the user to enter their 24-word recovery phrase.
According to cybersecurity firm Moonlock, once entered, the phrase is transmitted to an attacker-controlled server.
Cybersecurity insights
“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds,” Moonlock stated in its May 22 report.
Ongoing monitoring & attack variants
Moonlock has been monitoring the campaign since August 2024 and has linked it to at least four active attack operations.
The latest strains, including one called Odyssey, display a fake “critical error” and request the recovery phrase, then show an “App corrupted” message to delay user suspicion.
Broader phishing trends
This campaign is part of a broader trend of attacks on Ledger users.
Other attack vectors include phishing links posted in Ledger’s official Discord after a moderator account was compromised, physical letters carrying malicious QR codes, and Reddit scams, one of which resulted in a $15,000 loss.
Security recommendations
Hardware wallet users are advised never to enter their recovery phrase into any computer or website.
The phrase should only ever be input directly into the hardware wallet device itself.