Here’s how scammers are targeting Ledger wallet users to steal crypto on macOS
Ledger wallet users are being targeted by a sophisticated phishing campaign involving fake Ledger Live apps on macOS. According to a report from cybersecurity firm Moonlock Lab, attackers are deploying malware that replaces the legitimate Ledger Live application with a lookalike designed to steal users’ 24-word recovery phrases and, in some cases, their crypto assets. Once entered, the phrases are transmitted to attacker-controlled servers, letting the attackers drain the victims’ wallets almost immediately.

How does it happen?

The campaign relies on a variant of Atomic macOS Stealer, which Moonlock said has been found on over 2,800 compromised websites. Atomic Stealer, also known as AMOS, is a malware strain built to infect macOS systems and steal sensitive user data. First observed in early 2023, it quickly gained traction on underground forums thanks to its malware-as-a-service (MaaS) model, under which cybercriminals rent it and run attacks without needing technical expertise.

Once a user downloads and runs the malware, it collects passwords, notes, and wallet data, and swaps the real Ledger Live app for a clone. The fake app then shows a deceptive alert about “suspicious activity” and prompts the user to enter their seed phrase, supposedly to secure the wallet. Initially, Moonlock noted, the cloned app was used only to harvest sensitive user data, but attackers have since “learned to steal seed phrases and empty the wallets of their victims.”

Moonlock has been tracking the campaign since August and has so far identified at least four active operations targeting Ledger users, warning that these threat actors are “only getting smarter.”

Adding to the concern, researchers also found dark web forums increasingly advertising malware with “anti-Ledger” capabilities, though in one case the advertised phishing features weren’t yet fully operational. These could still be in development or “forthcoming in future updates,” the researchers speculated.

“This isn’t just a theft. It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down,” Moonlock researchers said.

Other attack vectors targeting Ledger users

Over the past year, Ledger users have faced a range of phishing tactics. In a Reddit post from January 2024, a victim described how their computer was silently compromised, leading to $15,000 worth of Bitcoin, Ethereum, Cardano, and Litecoin being stolen after they entered their seed phrase into what they believed was a factory reset prompt in Ledger Live.

Attackers have also exploited community channels. On May 11, 2025, a moderator account in Ledger’s official Discord server was compromised. The attacker used its elevated permissions to mute warnings from legitimate users and deployed a bot that posted links to a phishing site mimicking a Ledger verification page.

Meanwhile, in late April, scammers sent physical letters impersonating official Ledger communication. The letters carried company branding, a reference number, and a QR code directing recipients to enter their seed phrase for a supposed “critical security update.”

How to stay safe?

Moonlock advised users never to enter their 24-word recovery phrase into any app, website, or form, regardless of how legitimate it appears; the only place a Ledger recovery phrase is ever legitimately typed is on the hardware device itself during a restore. Prompts warning of a “critical error” or requesting wallet verification are almost always signs of a scam. The firm also urged users to download Ledger Live only from official sources and stressed that no genuine Ledger service will ever ask for a recovery phrase under any circumstances.
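The app-swap step described above can be checked from the command line. The following shell script is an added example written for this page, not code from Moonlock, Ledger, or the article: it asks macOS’s built-in codesign and spctl tools about the installed Ledger Live bundle and rejects a copy that is unsigned, ad-hoc signed, signed by a different developer, or rejected by Gatekeeper. The expected Team ID (TEAMID0000) and bundle identifier (com.ledger.live) are placeholders to be confirmed against a freshly downloaded official copy, and the codesign output used when the tools are absent is constructed sample text.

```shell
#!/bin/sh
# Added example: verify that the installed Ledger Live.app still carries the
# vendor's code signature rather than a stealer's unsigned or ad-hoc clone.
set -e

# ASSUMPTIONS (placeholders): record the real values from a trusted, freshly
# downloaded copy with:  codesign -dv --verbose=4 "/Applications/Ledger Live.app"
EXPECTED_TEAM="${EXPECTED_TEAM:-TEAMID0000}"
EXPECTED_IDENT="${EXPECTED_IDENT:-com.ledger.live}"

# check_codesign_output: reads `codesign -dv --verbose=4` output (stderr merged)
# on stdin and returns 0 only for a signature by the expected Team ID and
# bundle identifier. Any other state (unsigned, ad-hoc, other team) fails.
check_codesign_output() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*)
            echo "FAIL: bundle is unsigned"; return 1 ;;
    esac
    team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    ident=$(printf '%s\n' "$out" | sed -n 's/^Identifier=//p' | head -n 1)
    # Ad-hoc signatures (what a repackaged clone typically carries) print
    # "TeamIdentifier=not set"; a missing line means no usable signature.
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "FAIL: ad-hoc or incomplete signature, no Team ID (identifier: ${ident:-?})"
        return 1
    fi
    if [ "$team" != "$EXPECTED_TEAM" ]; then
        echo "FAIL: Team ID $team does not match expected $EXPECTED_TEAM (identifier: ${ident:-?})"
        return 1
    fi
    if [ "$ident" != "$EXPECTED_IDENT" ]; then
        echo "FAIL: bundle identifier ${ident:-?} does not match expected $EXPECTED_IDENT"
        return 1
    fi
    echo "OK: $ident is signed by Team ID $team"
    return 0
}

# check_app_bundle PATH: full check on a real bundle. --deep --strict makes
# codesign verify nested code too, so a patched helper binary also fails;
# spctl asks Gatekeeper whether it would allow the app to run (notarization).
check_app_bundle() {
    app="$1"
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature on $app is invalid or the bundle was modified"
        return 1
    fi
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app"
        return 1
    fi
    codesign -dv --verbose=4 "$app" 2>&1 | check_codesign_output
}

if command -v codesign >/dev/null 2>&1; then
    check_app_bundle "/Applications/Ledger Live.app"
else
    # Off macOS: exercise the parser with constructed codesign output
    # (not captured from a real Ledger Live install).
    printf '%s\n' 'Identifier=com.ledger.live' 'TeamIdentifier=TEAMID0000' | check_codesign_output
    printf '%s\n' 'Identifier=com.ledger.live' 'TeamIdentifier=not set' | check_codesign_output || true
fi
```

Run it from a machine you have no reason to distrust, ideally before the app is ever opened after an unexpected “update”: a stealer that has already replaced the app runs with the same user rights as the script, so a passing result on an infected host proves less than a failing one. A clone would have to be re-signed with Ledger’s own Team ID to pass, which is exactly what a repackaged copy cannot do.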

Source: Invezz