Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Cybersecurity firm Moonlock warns of a sophisticated malware campaign targeting macOS users of the Ledger Live cryptocurrency wallet. The malware replaces the legitimate app with a malicious clone, tricking users into revealing their seed phrases. This allows attackers to instantly access and drain victims’ cryptocurrency holdings.
The campaign, active since at least August 2024, involves at least four separate attacks. Initially, attackers used the cloned app to steal passwords and wallet details to assess assets. However, they’ve advanced their techniques to directly steal seed phrases – the master key to cryptocurrency wallets. This significant development highlights the evolving sophistication of these attacks.
Moonlock’s report details how the malware, often delivered via compromised websites (at least 2,800 identified), uses the Atomic macOS Stealer to initially gather data. It then replaces the legitimate Ledger Live application with its malicious counterpart. The fake app displays a deceptive alert, prompting users to enter their 24-word seed phrase. Once entered, this critical information is transmitted to the attacker’s server, granting immediate access to the victim’s cryptocurrency.
The increasing prevalence of this malware is evident in dark web discussions. Threat actors are actively marketing and selling malware with “anti-Ledger” capabilities, demonstrating a growing market for tools designed to exploit the trust placed in Ledger Live. While some advertised features may still be under development, the trend is alarming.
Moonlock emphasizes the severity of these attacks, highlighting that they represent a concerted effort to compromise a widely trusted tool within the cryptocurrency community. The firm stresses the importance of vigilance and cautions against entering seed phrases on any website or sharing them with anyone. Users are advised to download Ledger Live exclusively from the official source and remain wary of any pop-ups claiming critical errors that prompt for recovery phrases. The lack of immediate comment from Ledger underscores the urgency of this threat.