Cybercriminals are distributing malicious clones of Ledger Live software to steal cryptocurrency wallet recovery phrases from macOS users, according to a Cointelegraph report. Security firm Moonlock discovered four active campaigns using advanced malware to replace legitimate apps with phishing tools capable of draining digital assets.
The fake apps display fabricated security alerts prompting users to enter their 24-word seed phrases, which attackers then use to access wallets. This marks an escalation from previous versions that only harvested passwords and wallet metadata without direct fund access.
Moonlock researchers identified the Atomic macOS Stealer as the primary infection vector, found on 2,800 compromised websites. The malware performs comprehensive system scans to locate and replace cryptocurrency management tools.
How the Ledger Live Impersonation Works
The attack chain begins when users download what appear to be Ledger Live updates from third-party sources. Once installed, the malware:
- Replaces legitimate app files with modified versions
- Injects phishing pages into the application interface
- Displays fake “suspicious activity” alerts requiring seed phrase verification
- Transmits stolen credentials to attacker-controlled servers
Unlike previous iterations that simply monitored wallet balances, this upgraded malware enables immediate fund liquidation. Security analysts report wallets being drained within minutes of the seed phrase being submitted.
Ledger’s Security Response
The hardware wallet manufacturer emphasized that its official software never requests seed phrases through pop-ups. Ledger CISO Charles Guillemet told Cointelegraph: “Users should only download Ledger Live from our verified domain and enable two-factor authentication for all transactions.”
The company has implemented enhanced code-signing verification in its latest update (v2.85.1) to detect tampered applications. Ledger also partnered with Apple to remove malicious clones from non-App Store distribution channels.
Moonlock’s Cybersecurity Findings
Moonlock Labs has tracked these campaigns since August 2024, observing three key evolution stages:
| Phase | Capability | Impact |
|---|---|---|
| Initial (2024) | Password/note theft | Reconnaissance only |
| Intermediate (2025 Q1) | Wallet metadata collection | Targeted phishing |
| Current (2025 Q2) | Seed phrase interception | Direct asset theft |
The security firm recommends macOS users employ system integrity protection tools and verify application checksums before installation.
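The two checks recommended above (verify the download's checksum, verify the app's code signature) as a defender-side script, added here as an example; it is not code from the article, Ledger or Moonlock, and the expected digest and Apple Team ID are placeholders to be taken from the vendor's official site.

```shell
#!/bin/sh
# Added example, not code from the article, Ledger or Moonlock. It turns the
# article's advice (check the download's checksum, check the app's code
# signature) into two functions. EXPECTED_SHA256 and LEDGER_TEAM_ID are
# placeholders: take the real values from the vendor's official site.
EXPECTED_SHA256="PLACEHOLDER_SHA256_FROM_VENDOR_SITE"
LEDGER_TEAM_ID="PLACEHOLDER_TEAM_ID"

# Return 0 only if the file's SHA-256 equals the expected digest.
# Uses sha256sum where present (Linux) and shasum otherwise (macOS).
verify_sha256() {
    file="$1"
    expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# macOS only: return 0 only if the bundle's signature and sealed resources
# are intact (a replaced or patched file inside the bundle breaks this),
# the signer's Team ID matches, and Gatekeeper would accept the app.
verify_app_signature() {
    app="$1"
    team_id="$2"
    codesign --verify --deep --strict "$app" || return 1
    codesign -dv "$app" 2>&1 | grep -q "^TeamIdentifier=$team_id\$" || return 1
    spctl --assess --type execute "$app"
}

# Usage: check_ledger_download ~/Downloads/ledger-live.dmg "/Applications/Ledger Live.app"
check_ledger_download() {
    dmg="$1"
    app="$2"
    verify_sha256 "$dmg" "$EXPECTED_SHA256" || { echo "checksum mismatch: do not install"; return 1; }
    verify_app_signature "$app" "$LEDGER_TEAM_ID" || { echo "signature check failed: possible tampered clone"; return 1; }
    echo "checksum and signature OK"
}
```

Run `verify_app_signature` against the already installed bundle too: a clone that has swapped files inside a genuine Ledger Live.app fails the `--deep --strict` check even when the outer bundle name looks right.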
This sophisticated attack highlights growing security challenges in decentralized finance ecosystems. As hardware wallet adoption increases, expect more threat actors to target the interface between cold storage and management software. The incident may accelerate development of biometric authentication solutions and decentralized app verification protocols.
- Seed Phrase: A 12- to 24-word phrase that serves as the master password for a cryptocurrency wallet, allowing the digital assets to be recovered on any compatible device.
- Atomic macOS Stealer: Malware targeting Apple computers that extracts passwords, files, and crypto wallet data while replacing legitimate apps with malicious clones.
- Cold Storage: An offline cryptocurrency storage method using hardware devices such as Ledger wallets to protect assets from online threats.