Malware Uses Fake Ledger Live Apps to Steal Seed Phrases on macOS

Highlights:

• Cybercriminals use fake Ledger Live apps to steal crypto seed phrases from MacOS users.
• Over 2,800 websites host malware linked to these attacks.
• Attackers replace the real app to trick users into entering seed phrases.

Fake versions of Ledger Live apps are being used by cybercriminals to gain macOS users’ cryptocurrency seed phrases. As per a recent report, these false wallet apps mimic the original wallet manager, making it possible for many to give their sensitive recovery phrases without knowing.

Since August 2024, the cybersecurity company Moonlock has been following this operation. The firm identified over four active campaigns that used malicious versions of Ledger Live. Cloned apps act like the real app to trick users into typing their 24-word recovery phrase after an error message appears.

Fake Ledger Live app drains users' assets by stealing their seed phrases: Moonlock

Cybercriminals are leveraging a fake Ledger Live app to replace the legitimate one on macOS users’ devices, thereby stealing their seed phrases and draining their crypto assets, Cointelegraph…

— CoinNess Global (@CoinnessGL) May 23, 2025

Malware Replaces Original Ledger App on Compromised Devices

Atomic macOS Stealer, known as AMOS, is the key method that cybercriminals depend on. The malware is hidden inside software downloads and spreads after infecting more than 2,800 websites. After installation, the fake app displays in place of the real Ledger Live app.

This fraudulent page gives users warnings about questionable activity in their wallet. After that, the wallet prompts users to enter their seed phrase again, supposedly to confirm access. Once users follow the steps, their information goes directly to an attacker’s server.

It was also found by security researchers that usernames, web browser data, information on wallets, and system details are captured by the malware. Such details let hackers carry out more effective attacks in the future and design better-looking phishing screens.

New Variants Emerge, Pushing More Advanced Attacks

Several versions of new malware have emerged since March. One example, called Odyssey, copies the Ledger Live app and creates fake phishing pages that seem realistic. It tells users they must recover their wallet after showing a phony “critical error” message. After that, the malware takes the phrase and delivers it to a command-and-control server.

AMOS released a fake app by using a DMG file called “JandiInstaller.dmg” in a similar campaign. This new version got past Gatekeeper and once again used the same phishing technique. Users who entered their seed phrase got a warning saying the app was corrupt, which slowed their ability to suspect anything while their money was being drained.

In addition, researchers at Jamf found a separate campaign providing a PyInstaller-packed binary in a DMG file. A phishing page was shown by opening an iframe within the replicated application. With this configuration, the tool collected seed keys and gathered data from browsers and wallets.

Attackers are using PyInstaller to deploy infostealers on macOS. Jamf Threat Labs investigates this newly discovered technique.

Learn more: https://t.co/XnNxAAlKnO#CyberSecurity #JamfThreatLabs #ITAdmins #macOS

— Jamf (@JamfSoftware) May 12, 2025

Threat Continues Evolving with New Tools and Strategies

Anti-Ledger messages are becoming more common on dark web forums, according to security professionals. Some types of malware promise to provide tools specifically aimed at Ledger users. But, according to investigators, several of these features are still being developed or have not been fully launched.

Despite that, attackers are still making their techniques more advanced. The current set of samples exhibits better-looking user interfaces and more convincing phishing strategies. New groups are copying their approaches and also spreading similar clones.

According to researchers, seed phrases must be provided exclusively for setting up a wallet or restoring it on the physical Ledger device, not through apps or websites. Additionally, Ledger Live should only be downloaded directly from the Ledger official website.