Cybercriminals are using fake versions of the Ledger Live app to steal cryptocurrency from Mac users by tricking them into revealing their seed phrases, as noted by The MacObserver.
According to research by Moonlock Lab and Jamf, these phishing campaigns have grown more sophisticated since August 2024, evolving from basic data theft to full wallet drain operations. Jamf specializes in managing and securing Apple devices at work. Moonlock Lab by MacPaw provides cybersecurity reports, malware analysis, and practical knowledge, shared by its in-house research team.
Since August 2024, Moonlock Lab has been tracking a malware campaign distributing a malicious clone of Ledger Live — a widely used app for managing crypto through Ledger cold wallets. Initially, attackers could use the clone to steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets, but they had no way to extract the funds.
Now, within a year, they have learned to steal seed phrases and empty the wallets of their victims. You can read the details and what steps to take by clicking here.
