Beware macOS Users: Fake Ledger Live Apps Deploy Crypto-Stealing Malware

Author:
Cryptonews
Published:
2025-05-23 07:21:28

Fake Ledger Live Apps Target macOS Users in Crypto-Stealing Malware Scam

Cybercriminals are targeting Mac users with spoofed Ledger Live apps—draining wallets while victims sleep. Here’s how they’re doing it.

The Bait:
Impeccably cloned interfaces trick even savvy traders. No typos, no shaky graphics—just a seamless trap.

The Hook:
Once installed, the malware bypasses 2FA and exfiltrates private keys. Poof—your life savings now fund a scammer’s Lambo.

The Irony:
Banks get bailouts when they’re hacked, but crypto victims? ‘Should’ve used a hardware wallet,’ they’ll say—while ignoring that this attack targets exactly that.

Atomic macOS Stealer Emerges as Key Tool in Crypto Theft Campaigns

One of the primary infection vectors is the Atomic macOS Stealer, a tool designed to exfiltrate sensitive data such as passwords, notes, and crypto wallet details.

Moonlock discovered it embedded across at least 2,800 compromised websites.

Once installed, the malware quietly replaces the genuine Ledger Live app with a fake one that triggers fake alerts to harvest seed phrases.

The moment a user enters their 24-word recovery phrase into the phony app, the information is sent to servers controlled by the attacker.

“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase,” Moonlock explained.

“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”

Moonlock has been tracking this type of malware since August, identifying at least four ongoing campaigns.

Cybercriminals are compromising websites to spread macOS malware again.

This time: Atomic Stealer hidden in fake password manager installers.

Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer

— Moonlock (@moonlock_com) May 20, 2025

While some dark web vendors claim to offer malware with advanced “anti-Ledger” capabilities, Moonlock found that many of these tools are still under development. That hasn’t slowed the attackers, who continue refining their methods.

“This isn’t just a theft,” Moonlock emphasized. “It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”

To stay safe, users are urged to avoid downloading apps from unofficial sources, be skeptical of sudden pop-ups asking for a seed phrase, and never share their recovery phrase—no matter how authentic the interface looks.

Microsoft Takes Legal Action Against Lumma Stealer Malware

On May 21, Microsoft took legal and technical action to disrupt Lumma Stealer, a notorious malware operation responsible for widespread information theft, including from crypto wallets.

The company revealed that a federal court in Georgia authorized its Digital Crimes Unit to seize or block nearly 2,300 websites linked to Lumma’s infrastructure.

Working alongside the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center, Microsoft said it helped dismantle the malware’s command-and-control network and marketplaces where the software was sold to cybercriminals.

Launched in 2022 and continually upgraded, Lumma has been distributed through underground forums and used to harvest passwords, credit card numbers, bank credentials, and digital asset data.
