Fake Ledger Apps Target macOS Users with New Seed Phrase Theft Malware
Mac users who manage cryptocurrency through Ledger Live are facing a rising wave of malware attacks designed to steal their wallet recovery phrases and empty their accounts.
Cybersecurity experts from Moonlock have uncovered sophisticated fake versions of the Ledger Live app being pushed to unsuspecting users, tricking them into revealing their 24-word seed phrases—the master keys to their crypto assets.
How Are Hackers Replacing the Genuine Ledger Live App?
The attack starts when a piece of malware called Atomic macOS Stealer infects a user’s device, often through compromised websites—Moonlock found it on at least 2,800 hacked sites.
This malware quietly swaps out the real Ledger Live application with a counterfeit one.
The fake app then displays convincing alerts, prompting users to enter their recovery phrases to resolve supposed security issues.
Source: Moonlock Lab
Moonlock explained,
“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase. Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”
From Stealing Details to Emptying Wallets—Tactics Escalate
Moonlock has been tracking these malicious clones since August 2024.
Initially, the fake apps could only capture wallet details and passwords, giving criminals a glimpse of the victim’s holdings but no direct access to move funds.
Over time, attackers have upgraded their tactics to focus on stealing seed phrases, which allows them to take full control and drain wallets.
Moonlock noted,
“This isn’t just a theft. It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”
New Variants and Copycat Attacks Emerging
In March, Moonlock identified a new strain of macOS malware called ‘Odyssey,’ deployed by a hacker known as ‘Rodrigo.’
Odyssey replaced the Ledger Live app with a trojanised version that incorporated a phishing page, asking victims to enter their 24-word seed phrases after showing a fake “critical error” message.
Fake “critical error” message. (Source: Moonlock Lab)
Users being prompted to enter their 24-word seed phrases (Source: Moonlock Lab)
The effectiveness of this method inspired imitators.
Shortly after, the Atomic macOS Stealer (AMOS) appeared with similar features, delivering the malware via a DMG file named ‘JandiInstaller.dmg’ that bypassed Apple’s Gatekeeper security.
Victims entering their seed phrase into the AMOS clone would see a deceptive “App corrupted” alert, allowing attackers to quietly extract assets.
Another campaign discovered by Jamf used a different approach, embedding a phishing page via iframe inside a fake Ledger Live interface, targeting browser data and wallet configurations alongside seed phrase theft.
Never Enter Your Seed Phrase Online
Recovery phrases should never be entered into apps or websites.
They are meant to be kept offline and only used directly on physical Ledger devices when restoring or setting up wallets.
Moonlock urges users to avoid downloading Ledger Live from unofficial sources and to be suspicious of any app or pop-up asking for the seed phrase.
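Because the campaigns above work by replacing the genuine Ledger Live bundle with a counterfeit, one practical check is to confirm that the installed app is still intact and signed by the expected developer. The script below is an added example, not code from the article or from Moonlock; the bundle path, bundle identifier and Team ID it uses are placeholders (take the real values from a copy obtained through Ledger's own site), and the live checks rely on the standard macOS `codesign` and `spctl` tools.

```shell
#!/bin/sh
# Added example (not from the article or Moonlock): verify the installed Ledger Live
# bundle is the genuine, Developer ID-signed app rather than a swapped-in clone.
# ASSUMPTIONS: APP_PATH, EXPECTED_IDENT and EXPECTED_TEAM are placeholders, not
# verified values; replace them with values read from a trusted copy of the app.
APP_PATH="/Applications/Ledger Live.app"
EXPECTED_IDENT="com.example.ledgerlive"   # placeholder bundle identifier
EXPECTED_TEAM="TEAMID0000"                # placeholder Apple Team ID

# Parse `codesign -dvv` style output and accept it only when the bundle Identifier
# and the TeamIdentifier both match. Unsigned ("no TeamIdentifier line") and ad-hoc
# signed ("TeamIdentifier=not set") bundles are rejected. Returns 0 on match, 1 otherwise.
check_codesign_output() {
  _out="$1"; _ident="$2"; _team="$3"
  _got_ident=$(printf '%s\n' "$_out" | sed -n 's/^Identifier=//p' | head -n 1)
  _got_team=$(printf '%s\n' "$_out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
  [ -n "$_got_team" ] && [ "$_got_team" != "not set" ] &&
    [ "$_got_ident" = "$_ident" ] && [ "$_got_team" = "$_team" ]
}

# Live audit on macOS: structural signature check, Gatekeeper assessment, then the
# identity check above. Prints one line per step; returns 0 only if every step passes.
audit_ledger_live() {
  _app="$1"; _ident="$2"; _team="$3"
  [ -d "$_app" ] || { echo "missing: $_app"; return 1; }
  codesign --verify --deep --strict "$_app" 2>/dev/null \
    && echo "signature: intact" || { echo "signature: BROKEN or unsigned"; return 1; }
  spctl --assess --type execute "$_app" 2>/dev/null \
    && echo "gatekeeper: accepted" || { echo "gatekeeper: REJECTED"; return 1; }
  _info=$(codesign -dvv "$_app" 2>&1)
  check_codesign_output "$_info" "$_ident" "$_team" \
    && echo "identity: matches expected developer" \
    || { echo "identity: MISMATCH (app may have been replaced)"; return 1; }
}

# Run the live audit only where codesign exists (macOS); elsewhere the parser can
# still be exercised against captured codesign output.
if command -v codesign >/dev/null 2>&1; then
  audit_ledger_live "$APP_PATH" "$EXPECTED_IDENT" "$EXPECTED_TEAM" \
    && echo "RESULT: genuine bundle" || echo "RESULT: do NOT trust this copy"
fi
```

A mismatch or a broken signature on a bundle that previously verified is a strong signal that the app has been tampered with or replaced; reinstall from Ledger's official site rather than entering anything into the suspect copy.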
Microsoft’s Efforts Against Similar Threats
In a related move against crypto malware, Microsoft announced on 21 May it had taken down infrastructure linked to the Lumma Stealer, a malware operation responsible for stealing passwords, banking information, and crypto credentials.
The company worked with international law enforcement to seize nearly 2,300 websites linked to Lumma’s network, disrupting the sale and spread of the malware.
The Growing Threat from Dark Web Malware
Despite some malware with so-called “anti-Ledger” features being advertised on dark web forums, Moonlock’s research indicates many remain incomplete or in development.
Still, criminal groups continue to refine their tactics, escalating the threat against users relying on Ledger Live.
Moonlock warned:
“On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape. Hackers will continue to exploit the trust crypto owners place in Ledger Live.”
Staying vigilant, only using official Ledger Live downloads, and never sharing seed phrases remain critical to safeguarding crypto assets in this hostile environment.