Cybercriminals are ramping up attacks on macOS users by deploying fake versions of the Ledger Live app, according to a new report from cybersecurity firm Moonlock. These counterfeit applications are designed to steal users’ seed phrases—the critical recovery credentials for accessing crypto wallets—through sophisticated phishing tactics.
The report, published on May 22, details how the attackers use the Atomic macOS Stealer to infect a device and replace the genuine Ledger Live app with a near-identical clone. Once in place, the clone displays a fake pop-up warning of suspicious activity on the wallet and asks the user to re-enter their 24-word recovery phrase, which it then sends to a server the attackers control. That phrase is all an attacker needs: it reconstructs the wallet's private keys, so the hardware device's protection counts for nothing once the words have been typed into software.
“Initially, attackers could use the clone to steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets, but they had no way to extract the funds,” Moonlock researchers explained.
“Now, within a year, they have learned to steal seed phrases and empty the wallets of their victims.”
The firm found Atomic macOS Stealer on more than 2,800 compromised websites, which gives a sense of the campaign's scale. Many malware listings on the dark web advertise anti-Ledger capabilities; Moonlock notes that some of them do not work as advertised, but they still pose a serious risk to anyone who installs them.
Ledger has consistently warned users that it will never ask for their seed phrase, and that Ledger Live should be downloaded only from the company's official website. The genuine app has no use for the phrase: the keys stay on the hardware device, and the phrase is only ever entered on the device itself, during initial setup or recovery. The rise in fake applications underscores the need for vigilance and verification when handling digital assets.

Ongoing Ledger Scam Campaigns Grow More Sophisticated
The malicious campaigns targeting Ledger users have now been active for nearly a year. According to Moonlock, at least four coordinated attacks have been observed since August, with evolving tactics and intensifying discussions in underground cybercrime forums.
Some threat actors are promoting malware claiming to exploit Ledger-specific vulnerabilities. While not all of these tools work as advertised, Moonlock warns that more advanced versions are likely in development.
“This isn’t just a case of petty theft,” the firm said. “It’s an escalating arms race against one of the most recognized security tools in the crypto industry. And the attackers are getting smarter.”
Moonlock recommends extreme caution with any software that asks for a seed phrase, especially when the request arrives alongside a system error message or security alert; that combination is a hallmark of phishing.
Users should never enter a seed phrase into any app or website, however legitimate the interface looks, and should download Ledger Live only from the official Ledger website. A clone that looks right is exactly what this campaign delivers, so appearance alone says nothing about whether the installed app is genuine.
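The advice above, and Ledger's own earlier in the piece, is to trust only the official download. On the machine itself the equivalent check is the app bundle's code signature: a swapped-in clone keeps the name and icon, but it does not carry a valid Developer ID signature from Ledger's team, and a bundle whose binary was replaced fails signature verification outright. The script below is an added example, not code from Moonlock or Ledger. The Team ID it expects is a placeholder you must fill in from a known-good copy of Ledger Live (codesign -dvv prints it) and Ledger's own documentation, never from the bundle you are suspicious of; the sample codesign output used to exercise the text check is constructed, not captured from a real install.

```shell
#!/bin/sh
# Added example (not from the Moonlock report or from Ledger): check that the
# installed Ledger Live bundle carries a valid Developer ID signature from the
# team you expect, instead of trusting the app's name and icon.
#
# EXPECTED_TEAM_ID is a PLACEHOLDER / assumption. Take the real value from a
# copy downloaded from ledger.com (`codesign -dvv` prints TeamIdentifier=) and
# from Ledger's own documentation.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-XXXXXXXXXX}"

# Decide, from the text `codesign -dvv` prints, whether it describes a bundle
# signed with a Developer ID certificate, chained to Apple's root, by
# EXPECTED_TEAM_ID. Pure text processing, so it can be exercised offline.
# Returns 0 when all three conditions hold, 1 otherwise.
assess_codesign_info() {
    info="$1"
    # Unsigned or ad-hoc signed bundles print no Authority= lines at all.
    printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:' || return 1
    # Authority= lines come from the certificate chain; require Apple's root,
    # so a home-made certificate that merely says "Developer ID" does not pass.
    printf '%s\n' "$info" | grep -q '^Authority=Apple Root CA$' || return 1
    # Finally, the Team ID must be the expected one, not just "some developer".
    printf '%s\n' "$info" | grep -q "^TeamIdentifier=${EXPECTED_TEAM_ID}\$" || return 1
    return 0
}

# Full check of an installed bundle. Needs macOS (codesign and spctl).
verify_bundle() {
    app="$1"
    [ -d "$app" ] || { echo "FAIL: $app not found"; return 1; }

    # Cryptographic verification against the bundle's seal: --deep walks nested
    # code, --strict rejects resources the signature does not cover. A clone
    # whose binary was swapped out fails here even if it kept the Ledger icon.
    codesign --verify --deep --strict "$app" 2>/dev/null \
        || { echo "FAIL: signature invalid or missing on $app"; return 1; }

    # Gatekeeper's policy view: Developer ID signed and notarized.
    spctl --assess --type execute "$app" 2>/dev/null \
        || { echo "FAIL: Gatekeeper rejects $app"; return 1; }

    # Who signed it? codesign writes this description to stderr.
    info=$(codesign -dvv "$app" 2>&1)
    if assess_codesign_info "$info"; then
        echo "OK: $app is Developer ID signed by team $EXPECTED_TEAM_ID"
        return 0
    fi
    echo "FAIL: $app is signed, but not by the expected team:"
    printf '%s\n' "$info" | grep -E '^(Authority|TeamIdentifier)='
    return 1
}

# Usage: sh verify-ledger-live.sh "/Applications/Ledger Live.app"
if [ "$#" -gt 0 ]; then
    verify_bundle "$1"
fi
```

Run it on macOS with the bundle path as the only argument. A clean verdict means the bundle is intact and signed by the expected team; it says nothing about the rest of the machine. Since the Atomic macOS Stealer already has a foothold by the time the clone appears, a failed check is a reason to treat the whole system as compromised and to move the funds from a clean device, not merely to reinstall the app.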
While Ledger has not issued a statement on this latest wave of attacks, the company has dealt with similar incidents before—including a high-profile Discord breach where scammers impersonated support agents.
Quick Facts
- Fake Ledger Live apps are targeting macOS users through malware called Atomic macOS Stealer.
- Victims are tricked into entering their 24-word seed phrase via fake security pop-ups.
- Over 2,800 websites have been found hosting the malware, according to Moonlock.
- Dark web chatter suggests more advanced anti-Ledger malware is under development.
- Users should only download Ledger Live from the official website and never share their seed phrase online.