Malware Uses Fake Ledger Live Apps to Steal Seed Phrases on macOS
Highlights:
- Cybercriminals use fake Ledger Live apps to steal crypto seed phrases from MacOS users.
- Over 2,800 websites host malware linked to these attacks.
- Attackers replace the real app to trick users into entering seed phrases.
Fake versions of Ledger Live apps are being used by cybercriminals to gain macOS users’ cryptocurrency seed phrases. As per a recent report, these false wallet apps mimic the original wallet manager, making it possible for many to give their sensitive recovery phrases without knowing.
Advertisement
Since August 2024, the cybersecurity company Moonlock has been following this operation. The firm identified over four active campaigns that used malicious versions of Ledger Live. Cloned apps act like the real app to trick users into typing their 24-word recovery phrase after an error message appears.
Fake Ledger Live app drains users' assets by stealing their seed phrases: Moonlock
Cybercriminals are leveraging a fake Ledger Live app to replace the legitimate one on macOS users’ devices, thereby stealing their seed phrases and draining their crypto assets, Cointelegraph…
— CoinNess Global (@CoinnessGL) May 23, 2025
Malware Replaces Original Ledger App on Compromised Devices
Atomic macOS Stealer, known as AMOS, is the key method that cybercriminals depend on. The malware is hidden inside software downloads and spreads after infecting more than 2,800 websites. After installation, the fake app displays in place of the real Ledger Live app.
This fraudulent page gives users warnings about questionable activity in their wallet. After that, the wallet prompts users to enter their seed phrase again, supposedly to confirm access. Once users follow the steps, their information goes directly to an attacker’s server.
It was also found by security researchers that usernames, web browser data, information on wallets, and system details are captured by the malware. Such details let hackers carry out more effective attacks in the future and design better-looking phishing screens.
New Variants Emerge, Pushing More Advanced Attacks
Several versions of new malware have emerged since March. One example, called Odyssey, copies the Ledger Live app and creates fake phishing pages that seem realistic. It tells users they must recover their wallet after showing a phony “critical error” message. After that, the malware takes the phrase and delivers it to a command-and-control server.
AMOS released a fake app by using a DMG file called “JandiInstaller.dmg” in a similar campaign. This new version got past Gatekeeper and once again used the same phishing technique. Users who entered their seed phrase got a warning saying the app was corrupt, which slowed their ability to suspect anything while their money was being drained.
In addition, researchers at Jamf found a separate campaign providing a PyInstaller-packed binary in a DMG file. A phishing page was shown by opening an iframe within the replicated application. With this configuration, the tool collected seed keys and gathered data from browsers and wallets.
Attackers are using PyInstaller to deploy infostealers on macOS. Jamf Threat Labs investigates this newly discovered technique.
Learn more: https://t.co/XnNxAAlKnO#CyberSecurity #JamfThreatLabs #ITAdmins #macOS
— Jamf (@JamfSoftware) May 12, 2025
Threat Continues Evolving with New Tools and Strategies
Anti-Ledger messages are becoming more common on dark web forums, according to security professionals. Some types of malware promise to provide tools specifically aimed at Ledger users. But, according to investigators, several of these features are still being developed or have not been fully launched.
Despite that, attackers are still making their techniques more advanced. The current set of samples exhibits better-looking user interfaces and more convincing phishing strategies. New groups are copying their approaches and also spreading similar clones.
According to researchers, seed phrases must be provided exclusively for setting up a wallet or restoring it on the physical Ledger device, not through apps or websites. Additionally, Ledger Live should only be downloaded directly from the Ledger official website.
eToro Platform
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.
Advertisement
Raymond Munene
Raymond Munene is a crypto content writer who contributes to Crypto2Community. With over three years of experience, he is interested in Bitcoin, Blockchain, and Technical Analysis. Focusing on daily market analysis, his research helps traders and investors alike. His particular interest in cryptocurrency and blockchain aids his audience.
View full profile ›ℹ️About Crypto2Community's Editorial Process
Crypto2Community's editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict editorial policy and sourcing standards, and each page undergoes diligent review by our team of top crypto industry experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
