Fake Ledger Apps Are Stealing Crypto — What to Know

A new wave of crypto-related cybercrime is targeting macOS users through counterfeit Ledger Live apps, according to a recent report by cybersecurity firm Moonlock. These malicious applications are cleverly designed to mimic the real Ledger Live software but are laced with malware that tricks users into giving away their most sensitive information: their 24-word recovery seed phrases.

Moonlock’s investigation, published on May 22, reveals that the attackers have developed increasingly sophisticated tactics over the past year. Initially, these fake apps were only capable of harvesting passwords, private notes, and wallet details — essentially building a profile of the user’s digital assets. But the stakes have now escalated. The latest malware iterations are engineered specifically to steal seed phrases, giving cybercriminals full access to victims’ crypto holdings.

“Within just a year, these bad actors have evolved from passive observers to active thieves,” the Moonlock team reported. “Now, they’re able to wipe out entire wallets with just a few keystrokes from unsuspecting users.”

One of the key distribution methods involves a malware variant known as Atomic macOS Stealer, which has already been detected on more than 2,800 compromised websites. Once a user downloads this malware — often disguised as legitimate software — it silently replaces the authentic Ledger Live application with a nearly identical clone.

The real danger starts when this fake app displays a fraudulent warning message, claiming there has been “suspicious activity.” The user is then prompted to enter their 24-word recovery phrase, supposedly to secure their wallet. Instead, the seed phrase is immediately transmitted to a server controlled by the attackers, leaving the user’s crypto assets exposed and vulnerable to theft within seconds.

Moonlock has been tracking this malware campaign since August and has identified at least four active variants in circulation. What’s more troubling is that this trend shows no signs of slowing down. On dark web forums, Moonlock analysts are seeing an uptick in discussions around “anti-Ledger” tactics. In fact, some malware listings promise features specifically designed to target Ledger users — although not all of them are fully operational yet. Moonlock suspects these missing features are either under development or will be released in future versions.

“This isn’t just a one-off hack. It’s a full-scale, calculated attempt to undermine one of the most trusted brands in crypto security,” the report warns. “And based on the chatter we’re seeing on the dark web, the next generation of attacks is already taking shape.”

The firm urges all Ledger users to take extra precautions. Never enter your recovery seed phrase into a pop-up or website — even if it looks official. Recovery phrases should only ever be used offline, and Ledger Live should be downloaded exclusively from Ledger’s official website.

Moonlock also advises users to be skeptical of any software that warns of urgent errors and asks for your seed phrase as a “fix.” This is a hallmark tactic of phishing attempts.
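Because the campaign described above works by swapping the installed Ledger Live bundle for a look-alike, one concrete check a macOS user can run is to verify the installed app's code signature and Gatekeeper assessment with Apple's built-in tools. The script below is an added example written for this page, not code from Moonlock's report or from Ledger; it assumes a macOS system where `codesign` and `spctl` exist, and the path `/Applications/Ledger Live.app` is an assumed default. It deliberately does not hard-code a signing Team ID: compare the `TeamIdentifier=` and `Authority=` lines it prints against the same output from a copy freshly downloaded from Ledger's official website, since a clone signed with some other Developer ID could still pass Gatekeeper.

```shell
#!/bin/sh
# verify_app_signature PATH
# Checks an installed .app bundle the way a defender would after a
# suspected app-swap: (1) bundle exists, (2) codesign tools are present,
# (3) signature is intact and strict, (4) Gatekeeper accepts it for
# execution, then prints identifier/authority/team lines for manual
# comparison against a known-good download.
# Return codes: 0 passes, 1 signature/Gatekeeper failure,
#               2 bundle missing, 3 codesign/spctl unavailable (not macOS).
verify_app_signature() {
  app="$1"
  if [ ! -d "$app" ]; then
    echo "missing bundle: $app"
    return 2
  fi
  if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
    echo "codesign/spctl not available on this system"
    return 3
  fi
  # Deep, strict verification catches tampered or re-bundled contents.
  if ! codesign --verify --deep --strict --verbose=2 "$app" 2>&1; then
    echo "FAIL: code signature invalid for $app"
    return 1
  fi
  # Gatekeeper assessment: notarized Developer ID apps are accepted.
  if ! spctl --assess --type execute --verbose=2 "$app" 2>&1; then
    echo "FAIL: Gatekeeper rejects $app"
    return 1
  fi
  # codesign -d writes its details to stderr; surface the lines to compare
  # by hand with a copy downloaded from the official site.
  codesign -dvv "$app" 2>&1 | grep -E '^(Identifier|Authority|TeamIdentifier)='
  echo "OK: $app has a valid signature; compare TeamIdentifier with a fresh official download"
  return 0
}

# Default target is an assumption for illustration; pass another path as $1.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ] && [ "$#" -gt 0 ]; then
  verify_app_signature "$1"
fi
```

Run it as `sh verify.sh "/Applications/Ledger Live.app"`. A `FAIL` on either check after a malware download is strong evidence the bundle was replaced; an `OK` with a `TeamIdentifier=` that differs from the official download is the subtler case the article warns about, since the clone would still look signed.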

As of now, Ledger has not issued an official statement regarding these findings. But with hackers becoming more advanced and persistent, the onus is on crypto holders to stay alert, stay informed, and never compromise on security.