
Hackers Develop Malicious Ledger Live Clone for macOS
Moonlock has identified a malicious campaign targeting Ledger Live users on macOS.
Cybercriminals replace the official application with a fake one that collects seed phrases and empties wallets.
The counterfeit version of Ledger Live is deployed via Atomic macOS Stealer, malware that lurks on compromised websites. Once a machine is infected, the malware steals passwords, notes, and wallet data, then replaces the original Ledger application with the fake one.
The fake application mimics a critical notification about “suspicious activity” and demands that the user enter their seed phrase. As soon as the user enters it, the phrase is sent to the criminals’ servers, allowing them to withdraw funds instantly.
According to Moonlock, the first wave of attacks began in August 2024. Since then, hackers have refined their methods: whereas previously they could only monitor wallet activity, they have now learned to steal seed phrases.
On the darknet, criminals advertise the malware with “anti-Ledger” features. However, Moonlock’s analysis revealed that some promised capabilities, such as bypassing security, are not yet implemented. Experts suggest these features may be added in future updates.
“This is not just theft, but a targeted attack on one of the most reliable tools in the crypto industry. The criminals will not stop,” Moonlock stated.
In April, Ledger customers began receiving physical letters with the company’s logo, demanding address verification through seed phrase entry.
In May, Ledger regained control over its Discord channel following a hacker attack.