Moonlock Reports New Malware Campaign Targeting Ledger Hardware Wallets
TLDR
Cybercriminals are using fake Ledger Live apps to steal crypto from macOS users by replacing the real app with malicious clones
The malware prompts users to enter their seed phrases through fake security alerts, then sends this data to attacker-controlled servers
Atomic macOS Stealer has been found on at least 2,800 hacked websites and is being used to distribute these fake Ledger apps
Moonlock has tracked at least four active malware campaigns since August targeting Ledger users
Dark web forums show growing chatter about “anti-Ledger” schemes, with threat actors advertising specialized malware tools
Cybercriminals have developed sophisticated malware that replaces legitimate Ledger Live applications on macOS devices to steal cryptocurrency. The fake apps trick users into revealing their seed phrases through convincing security alerts.
Cybersecurity firm Moonlock discovered the malware campaign in a May 22 report. The malicious software completely replaces the real Ledger Live app on victims’ computers. Once installed, it displays fake pop-up messages claiming suspicious activity has been detected on the user’s wallet.
The fake alerts prompt users to enter their 24-word seed phrase for “verification.” When users comply, the malware immediately sends the phrase to servers controlled by the attackers. Because the recovery phrase alone is enough to reconstruct a wallet’s private keys on any machine, the hardware device no longer protects anything: the criminals can drain the victim’s cryptocurrency wallets within seconds.
Moonlock researchers found that earlier versions of the malware could only steal passwords and wallet details. Over the past year the criminals have refined their methods and now focus specifically on extracting seed phrases, which give complete control of the wallet.
How the Attack Works
The primary delivery method involves Atomic macOS Stealer malware. This software has been discovered on at least 2,800 compromised websites according to Moonlock’s investigation. The stealer first infects the target device through these malicious sites.
Cybercriminals are compromising websites to spread macOS malware again.
This time: Atomic Stealer hidden in fake password manager installers.
Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer
— Moonlock (@moonlock_com) May 20, 2025
After successful infection, Atomic macOS Stealer collects personal data including passwords and notes. It then locates and removes the legitimate Ledger Live application. The malware replaces it with an identical-looking fake version that contains the malicious code.
The replacement happens silently, and most victims remain unaware that their Ledger Live app has been swapped out: the fake app presents the familiar interface until it triggers the fraudulent security alert. What a clone cannot reproduce is Ledger’s code signature, which is the one property a user or administrator can still check after the fact.
Campaign Timeline and Scope
Moonlock has been monitoring this specific malware campaign since August 2024. Researchers have identified at least four separate active campaigns targeting Ledger users. The attacks appear to be increasing in frequency and sophistication.
Dark web forums show growing discussion about “anti-Ledger” schemes among cybercriminals. Threat actors are actively advertising malware tools with specialized features for targeting Ledger hardware wallet users. However, some advertised tools examined by Moonlock lacked the full functionality promised by sellers.
The cybersecurity firm believes these missing features may still be under development. Future updates to the malware could include more advanced anti-Ledger capabilities. This suggests the threat will likely continue evolving.
Prevention and Security Measures
Security experts recommend several steps to avoid these attacks. Treat any message requesting a 24-word recovery phrase as an attack. A Ledger recovery phrase is only ever entered on the hardware device’s own screen and buttons during setup or restore; Ledger Live never needs it, and no legitimate service asks for it through a pop-up alert or a website.
Download Ledger Live only from Ledger’s official website, and check an existing install rather than trusting it: on macOS, a genuine bundle carries a valid Ledger code signature and passes Gatekeeper, while a swapped-in clone does not. Be cautious on unfamiliar websites, and verify any unexpected security alert through official Ledger support channels before acting on it.
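The following script turns the two points above into a concrete check: it covers the bundle swap described under “How the Attack Works” and the advice here to verify an existing install. It is an added example written for this page, not code from Moonlock, Ledger or Blockonomi. It assumes the genuine Ledger Live bundle is Developer ID-signed and notarized, and that you have recorded the signing Team Identifier from a known-good install; the EXPECTED_TEAM_ID value in the script is a placeholder, not Ledger’s real identifier, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example (not Moonlock's or Ledger's code): sanity-check the installed
# Ledger Live bundle on macOS. It fails closed when the code signature is
# invalid, when the signing Team Identifier differs from the one recorded
# from a known-good install, or when Gatekeeper would not accept the bundle.

# Team Identifier of a known-good Ledger Live install, read with
#   codesign -dv --verbose=4 "/Applications/Ledger Live.app"
# The default below is a placeholder, NOT Ledger's real Team ID (assumption).
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_KNOWN_GOOD_TEAM_ID}"

# Extract the TeamIdentifier field from `codesign -dv --verbose=4` output
# read on stdin. Prints the identifier; prints nothing when the field is
# absent, and "not set" for ad-hoc signed bundles (codesign's own wording).
parse_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the bundle passes every check, 1 otherwise.
check_ledger_live() {
    app="${1:-/Applications/Ledger Live.app}"
    if [ ! -d "$app" ]; then
        echo "missing: $app" >&2
        return 1
    fi
    # 1. Signature integrity: --strict rejects resources altered after
    #    signing, --deep descends into nested helpers and frameworks.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: code signature invalid or missing on $app" >&2
        return 1
    fi
    # 2. Identity: a re-signed clone carries a different Team Identifier
    #    (or none). codesign -d writes its report to stderr, hence 2>&1.
    team=$(codesign -dv --verbose=4 "$app" 2>&1 | parse_team_id)
    if [ "$team" != "$EXPECTED_TEAM_ID" ]; then
        echo "FAIL: Team Identifier '${team:-none}' does not match expected" >&2
        return 1
    fi
    # 3. Gatekeeper: a notarized, Developer ID-signed app is accepted.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app" >&2
        return 1
    fi
    echo "OK: $app is signed by the expected team and accepted by Gatekeeper"
    return 0
}

# Run the check only when a bundle path is given on the command line, e.g.
#   EXPECTED_TEAM_ID=... sh check_ledger_live.sh "/Applications/Ledger Live.app"
if [ $# -gt 0 ]; then
    check_ledger_live "$1"
fi
```

Record the Team Identifier from a fresh download off Ledger’s website before relying on the comparison; a check against a value copied from an already-suspect install proves nothing. Because the stealer replaces the whole bundle, the signature check is the part a clone cannot pass without Ledger’s signing key, while the Gatekeeper assessment catches the simpler case of an unsigned or un-notarized replacement.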
Moonlock’s research shows criminals are specifically targeting the trust users place in Ledger’s reputation. The attacks exploit users’ confidence in the Ledger brand by creating convincing replicas of the official software.
The cybersecurity firm has tracked this campaign for eight months with no signs of it slowing down. Dark web activity suggests more sophisticated attacks targeting Ledger users are being planned for future deployment.
The post Moonlock Reports New Malware Campaign Targeting Ledger Hardware Wallets appeared first on Blockonomi.
Filed under: Bitcoin, May 23, 2025 8:25 am