Crypto Journalist
Amin Ayan
Crypto Journalist
Amin Ayan
Share
Key Takeaways:
- Hackers are targeting macOS users with fake Ledger Live apps to steal seed phrases and crypto funds.
- Atomic macOS Stealer is the main malware used, found on over 2,800 compromised websites.
- Moonlock warns that attackers are getting more sophisticated, with multiple active campaigns underway.
A wave of malware attacks targeting macOS users is exploiting trust in Ledger Live, a popular crypto wallet management app.
According to cybersecurity firm Moonlock, hackers are distributing fake versions of the app to steal users’ seed phrases and drain their crypto holdings.
In a report published May 22, Moonlock warned that malicious actors are using trojanized clones of Ledger Live to trick users into entering their recovery phrases through convincing pop-ups.
“Within a year, they have learned to steal seed phrases and empty the wallets of their victims,” the team stated, noting a major evolution in the threat.
Atomic macOS Stealer Emerges as Key Tool in Crypto Theft Campaigns
One of the primary infection vectors is the Atomic macOS Stealer, a tool designed to exfiltrate sensitive data such as passwords, notes, and crypto wallet details.
Moonlock discovered it embedded across at least 2,800 compromised websites.
Once installed, the malware quietly replaces the genuine Ledger Live app with a fake one that triggers fake alerts to harvest seed phrases.
The moment a user enters their 24-word recovery phrase into the phony app, the information is sent to servers controlled by the attacker.
“The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase,” Moonlock explained.
“Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”
Moonlock has been tracking this type of malware since August, identifying at least four ongoing campaigns.
While some dark web vendors claim to offer malware with advanced “anti-Ledger” capabilities, Moonlock found that many of these tools are still under development. That hasn’t slowed the attackers, who continue refining their methods.
“This isn’t just a theft,” Moonlock emphasized. “It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”
To stay safe, users are urged to avoid downloading apps from unofficial sources, be skeptical of sudden pop-ups asking for a seed phrase, and never share their recovery phrase—no matter how authentic the interface looks.
Microsoft Takes Legal Action Against Lumma Stealer Malware
On May 21, Microsoft took legal and technical action to disrupt Lumma Stealer, a notorious malware operation responsible for widespread information theft, including from crypto wallets.
The company revealed that a federal court in Georgia authorized its Digital Crimes Unit to seize or block nearly 2,300 websites linked to Lumma’s infrastructure.
Working alongside the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center, Microsoft said it helped dismantle the malware’s command-and-control network and marketplaces where the software was sold to cybercriminals.
Launched in 2022 and continually upgraded, Lumma has been distributed through underground forums and used to harvest passwords, credit card numbers, bank credentials, and digital asset data.
