Cybercriminals are using fake Ledger Live apps to drain macOS users’ crypto through malware that steals seed phrases, a cybersecurity firm warns. 

The malware replaces the legitimate Ledger Live app on victims’ devices and then prompts the user to input their seed phrase through a phony pop-up message, a team from Moonlock said in a May 22 report.

“Initially, attackers could use the clone to steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets, but they had no way to extract the funds,” the Moonlock team said.

“Now, within a year, they have learned to steal seed phrases and empty the wallets of their victims,” it added. 

One way the scammers replace the real Ledger Live app with a clone is through the Atomic macOS Stealer, designed to steal sensitive data, which Moonlock said it has found lurking on at least 2,800 hacked websites.

Source: Moonlock 

After infecting a device, Atomic macOS steals personal data, passwords, notes and wallet details and replaces the real Ledger Live app with a phony. 

“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase,” the Moonlock team said.

“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”

Malware campaign active since August 

Moonlock has been tracking malware that’s distributing a malicious clone of Ledger Live since August, with at least four active campaigns, and they think hackers are “only getting smarter.” 

Threat actors on the dark web are offering malware with “anti-Ledger” features. However, one of the examples examined by Moonlock did not feature the full anti-Ledger phishing functionality advertised. The firm speculates those features could “still be in development or is forthcoming in future updates.” 

Moonlock says hackers are offering malware for would-be thieves to steal from Ledger users. Source: Moonlock

“This isn’t just a theft. It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down,” Moonlock said. 

“On dark web forums, chatter around anti-Ledger schemes is growing. The next wave is already taking shape. Hackers will continue to exploit the trust crypto owners place in Ledger Live.” 

Related: Ledger secures Discord after hacker bot tried to steal seed phrases

To avoid falling prey to similar malware scams, the cybersecurity firm recommends being wary of any page that warns of a critical error and asks for a 24-word recovery phrase.

At the same time, never share a seed phrase with anyone or input it on any website, no matter how legitimate it looks, and only download Ledger Live from its official source. 

Ledger didn’t immediately respond to Cointelegraph’s request for comment. 

Magazine: ChatGPT a ‘schizophrenia-seeking missile,’ AI scientists prep for 50% deaths