Fake Ledger Live App Targets macOS Users in New Crypto Theft Scheme

Seed Phrase Theft on the Rise Through Ledger Live Clones
Cybercriminals are targeting macOS users with fake versions of the Ledger Live app, designed to steal seed phrases and drain cryptocurrency wallets, according to a cybersecurity report from Moonlock published on May 22.

Once installed, the malicious app replaces the legitimate Ledger Live interface and tricks users into entering their 24-word recovery phrase via a deceptive pop-up. This information is then sent directly to attacker-controlled servers, allowing hackers to instantly access and empty users’ crypto wallets.

Malware Now Extracts Full Wallet Access
Originally, these fake apps could only steal saved passwords, notes, and wallet details—offering hackers limited access to user data. But within just one year, threat actors have evolved their tools to capture seed phrases, giving them full control over crypto assets.

“Now, they can steal seed phrases and drain wallets completely,” Moonlock reported.

Atomic macOS Stealer Behind the Attack
One of the main tools used in this campaign is the Atomic macOS Stealer, a piece of malware designed to steal personal data. It has been found on over 2,800 compromised websites and plays a key role in this attack by installing the fake Ledger Live app and initiating the phishing attempt.

After infection, the fake app displays a warning about suspicious activity and urges the user to “verify” their wallet by entering their recovery phrase—a trap that leads to instant asset theft.

Ongoing Campaign Since August 2024
Moonlock says this malware campaign has been active since August 2024, with at least four distinct attack waves. The attackers are becoming more sophisticated, with discussions on dark web forums suggesting a growing market for “anti-Ledger” malware tools.

While some of the advertised features, such as advanced phishing functionality, weren’t found in the samples analyzed, Moonlock speculates these capabilities may be rolled out in future malware updates.

Crypto Security at Risk as Hackers Evolve
“This is more than a simple crypto theft,” the Moonlock team warned. “It’s a calculated effort to undermine one of the most trusted crypto apps out there.”

They add that hackers are adapting quickly, and new threats targeting Ledger users, crypto wallets, and macOS devices are already in development.

How to Stay Safe from Fake Ledger Apps
To protect against these attacks, users should:

  • Avoid entering a seed phrase on any page that appears after a critical error warning.
  • Never share the 24-word recovery phrase, regardless of how authentic the request looks.
  • Only download Ledger Live from its official website.

Ledger Response Pending
Ledger has not yet issued a statement regarding these attacks.
