Hackers Create Malicious Ledger Live Clone Targeting macOS Users

Moonlock has uncovered a malicious campaign targeting Ledger Live users on macOS.

Attackers are replacing the official application with a counterfeit version that harvests seed phrases and drains wallets.

The fake Ledger Live application is delivered by Atomic macOS Stealer (AMOS), malware distributed through compromised websites. Once a Mac is infected, the stealer harvests passwords, notes, and wallet data, then replaces the legitimate Ledger Live app with the fraudulent copy.

The counterfeit app shows the user a "critical" notification about "suspicious activity" and urges them to enter their seed phrase. As soon as the phrase is entered, it is sent to the attackers' server, and the wallet can be emptied immediately.
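Because the stealer swaps the real bundle for a counterfeit one, the practical check on an endpoint is whether the installed Ledger Live bundle still carries a valid Apple code signature from the vendor's Team ID. The script below is an added example written for this article, not code from Moonlock or Ledger: it wraps `codesign` and `spctl`, and keeps the Team ID comparison in a small function that reads `codesign -dv` output from stdin so it can be exercised without a Mac. `EXPECTED_TEAM_ID` is a placeholder; take the real value from a freshly downloaded copy of Ledger Live or from Ledger's documentation, never from the bundle you are suspicious of.

```shell
#!/bin/sh
# Added example: verify that the Ledger Live bundle on a Mac is still signed by the
# expected Team ID and accepted by Gatekeeper. A swapped-in counterfeit will fail
# at least one of these checks unless the attacker also holds the vendor's signing key.
#
# EXPECTED_TEAM_ID is a placeholder (assumption): read it from a known-good install
# with `codesign -dv --verbose=2 "/Applications/Ledger Live.app"`.

APP_PATH="${1:-/Applications/Ledger Live.app}"
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_LEDGER_TEAM_ID}"

# Pull the TeamIdentifier value out of `codesign -dv --verbose=2` output (read from stdin).
# Unsigned or ad-hoc signed bundles report "TeamIdentifier=not set".
team_id_from_codesign_output() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit 0 only if the codesign output on stdin names exactly the expected Team ID.
team_id_matches() {
  expected="$1"
  actual=$(team_id_from_codesign_output)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Full check against a real bundle: signature integrity, Team ID, then Gatekeeper assessment.
check_bundle() {
  path="$1"
  expected="$2"
  if ! codesign --verify --deep --strict "$path" 2>/dev/null; then
    echo "FAIL: signature on '$path' is missing, invalid, or tampered with"
    return 1
  fi
  if ! codesign -dv --verbose=2 "$path" 2>&1 | team_id_matches "$expected"; then
    echo "FAIL: '$path' is signed, but not by Team ID $expected"
    return 1
  fi
  if ! spctl --assess --type execute "$path" 2>/dev/null; then
    echo "FAIL: Gatekeeper does not accept '$path'"
    return 1
  fi
  echo "OK: '$path' is signed by Team ID $expected and passes Gatekeeper"
}

# Only run the live check where codesign exists (macOS); elsewhere the functions can be tested on sample output.
if command -v codesign >/dev/null 2>&1; then
  check_bundle "$APP_PATH" "$EXPECTED_TEAM_ID"
fi
```

A passing result only says the bundle on disk is the vendor's; it says nothing about a stealer that is already running, so treat a failure here as a prompt to wipe and reinstall from ledger.com, and remember that no genuine Ledger Live screen ever asks for the 24-word seed phrase.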

According to Moonlock, the first wave of attacks began in August 2024. Since then, the attackers have refined their techniques: initially they could only monitor wallet activity, but they have since learned to steal seed phrases.

On the dark web, criminals are advertising malware with "anti-Ledger" features. However, Moonlock's analysis found that some of the promised functionality (such as bypassing Ledger's security measures) has not yet been implemented. The researchers expect these features to appear in future updates.

"This is not merely theft; it's a targeted assault on one of the most secure tools in the crypto industry. The criminals will not back down," stated a representative from Moonlock.

It is worth noting that in April, Ledger customers began receiving physical letters bearing the company's logo that asked them to "verify" their addresses by entering their seed phrases.

In May, Ledger regained control over its Discord channel following a hacker attack.