Fake Ledger Live Apps Target macOS Users in Crypto-Stealing Malware Scam

Hackers are distributing fake versions of the app to steal users’ seed phrases and drain their crypto holdings.
By Amin Ayan, Crypto Journalist

Key Takeaways:

  • Hackers are targeting macOS users with fake Ledger Live apps to steal seed phrases and crypto funds.
  • Atomic macOS Stealer is the main malware used, found on over 2,800 compromised websites.
  • Moonlock warns that attackers are getting more sophisticated, with multiple active campaigns underway.

A wave of malware attacks targeting macOS users is exploiting trust in Ledger Live, a popular crypto wallet management app.

According to cybersecurity firm Moonlock, hackers are distributing fake versions of the app to steal users’ seed phrases and drain their crypto holdings.

In a report published May 22, Moonlock warned that malicious actors are using trojanized clones of Ledger Live to trick users into entering their recovery phrases through convincing pop-ups.

“Within a year, they have learned to steal seed phrases and empty the wallets of their victims,” the team stated, noting a major evolution in the threat.

Atomic macOS Stealer Emerges as Key Tool in Crypto Theft Campaigns

One of the primary infection vectors is the Atomic macOS Stealer, a tool designed to exfiltrate sensitive data such as passwords, notes, and crypto wallet details.

Moonlock discovered it embedded across at least 2,800 compromised websites.

Once installed, the malware quietly replaces the genuine Ledger Live app with a counterfeit that displays bogus alerts to harvest seed phrases.

The moment a user enters their 24-word recovery phrase into the phony app, the information is sent to servers controlled by the attacker.

“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase,” Moonlock explained.

“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”

Moonlock has been tracking this type of malware since August, identifying at least four ongoing campaigns.

While some dark web vendors claim to offer malware with advanced “anti-Ledger” capabilities, Moonlock found that many of these tools are still under development. That hasn’t slowed the attackers, who continue refining their methods.

“This isn’t just a theft,” Moonlock emphasized. “It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”

To stay safe, users are urged to avoid downloading apps from unofficial sources, be skeptical of sudden pop-ups asking for a seed phrase, and never share their recovery phrase—no matter how authentic the interface looks.

“We’re seeing malware campaigns targeting macOS users with fake Ledger Live apps designed to steal seed phrases. These malicious clones create convincing alerts about suspicious activity to trick users into entering their recovery phrases,” Charles Guillemet, CTO at Ledger, said.

“Remember: Ledger will never ask for your 24-word recovery phrase through pop-ups, alerts, or any other method within the app. Always download Ledger Live exclusively from ledger.com, and never enter your seed phrase unless you’re recovering a wallet on a genuine Ledger device.”

Microsoft Takes Legal Action Against Lumma Stealer Malware

On May 21, Microsoft took legal and technical action to disrupt Lumma Stealer, a notorious malware operation responsible for widespread information theft, including from crypto wallets.

The company revealed that a federal court in Georgia authorized its Digital Crimes Unit to seize or block nearly 2,300 websites linked to Lumma’s infrastructure.

Working alongside the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center, Microsoft said it helped dismantle the malware’s command-and-control network and marketplaces where the software was sold to cybercriminals.

Launched in 2022 and continually upgraded, Lumma has been distributed through underground forums and used to harvest passwords, credit card numbers, bank credentials, and digital asset data.
