Cyberattacks on Ledger users on the rise: How fake apps and seed theft are undermining trust in crypto wallets and what to do to protect yourself

Hackers Use Fake Ledger Live App to Steal Cryptocurrency: Detailed Analysis of the Incident

In 2025, cybercriminals stepped up attacks on Ledger cryptocurrency wallet users by distributing fake versions of the Ledger Live app. This malware targets macOS device owners and allows attackers to steal so-called “seed phrases” — the key to accessing all funds in the wallet. This article details the mechanics of the attacks, the malware used, the scale of the campaign, and recommendations for protection.

How the attack works: application substitution and data theft

Mechanism of infection

Distribution of malware
The main tool used by the attackers is the Atomic macOS Stealer (AMOS) malware, which has been found on more than 2,800 hacked websites 1 2 3 .
Distribution occurs through phishing sites, fake download portals, malicious ads, and hacked software repositories 4 .
Replacing the Legitimate App
Once the device is infected, AMOS steals personal data, passwords, notes, and crypto wallet data. It then deletes the real Ledger Live app and installs a fake clone in its place 2 3 .
Phishing window
The fake app displays a convincing pop-up message about supposedly suspicious activity or a critical error and asks the user to enter a 24-word recovery phrase 5 2 3 .
Transferring data to attackers
The initial phrase entered by the user is instantly sent to a server controlled by hackers. This allows them to gain full access to the user’s assets in a matter of seconds and withdraw all funds 2 3 .

Evolution of attacks: from information gathering to complete control

Initially, malicious Ledger Live clones could only collect passwords, notes, and wallet data to assess its contents. However, the attackers did not have access to funds 5 2 .
Since 2024, hackers have learned to collect seed phrases, which allowed them to completely empty their victims’ wallets. Over the year, the scale and sophistication of attacks has increased significantly 6 2 3 .

The scale and features of the campaign

At least four active campaigns According to Moonlock, there have been at least four active malware campaigns targeting Ledger Live 6 7 3
users since August 2024 .
Constant development of tools
Malware with “anti-Ledger” features is sold on the darknet, promising to bypass the original app’s security mechanisms. However, some of the claimed features are still in development or testing 5 6 3 .
Increase in Discussion on Darknet Forums
Moonlock marks a surge in discussions of Ledger Live attack schemes, indicating that a new wave of attackers is forming 6 3 .

Technical details of the malware

Atomic macOS Stealer (AMOS)
This is a malicious program that can steal not only seed phrases, but also passwords, notes, browser data and crypto wallets. It is distributed through hacked sites, as well as under the guise of legitimate software 1 4 3 .
Social engineering technique
The fake app is visually indistinguishable from the real one and uses psychological techniques – for example, it scares the user with a “critical error” or “suspicious activity” to force them to enter the initial phrase 5 2 3 .

Recommendations for protection

Download Ledger Live only from the official website
Never use third-party sources to download the application 5 2 3 .
Never enter your seed phrase on the website or in the app
You should only enter your seed phrase on a physical Ledger device and only when restoring access to your wallet. The official app never asks for your seed phrase during normal operation 5 3 .
Ignore any pop-ups that ask you to enter your recovery phrase.
Any such message is a sign of a scam.
Be wary of any emails, websites, or apps that appear to be related to Ledger.
Do not click on suspicious links or open attachments from unknown senders.

How exactly do attackers replace the legitimate Ledger Live app on macOS?

Ledger Live fake app attacks are one of the most dangerous threats to cryptocurrency wallet owners. Hackers are improving their tools and methods, using social engineering and technical tricks to bypass defenses. It is extremely important to practice good digital hygiene, not trust pop-up messages, and always use official sources to download software. Remember: your seed phrase is the key to all your assets, and its leakage leads to a complete loss of funds 5 2 3 .

Attackers are replacing the legitimate Ledger Live app on macOS with malware called Atomic macOS Stealer (AMOS) . This malware is distributed through hacked websites and performs several key actions once a device is infected:

Identity theft: The software steals passwords, notes, crypto wallet data and other sensitive information from the victim’s device.
Removing the original app: The malware then removes or replaces the official Ledger Live app.
Installing a fake clone: A virtually identical fake clone is installed in place of the legitimate Ledger Live, which visually and functionally imitates the original.
Social Engineering: The fake app displays a convincing pop-up warning of “suspicious activity” or a “critical error” and prompts the user to enter a 24-word recovery seed phrase.
Data transfer to attackers: The phrase entered by the user is instantly sent to servers controlled by hackers, which allows them to gain full access to crypto assets and withdraw funds.

Thus, the substitution occurs through the hidden installation of malware, which replaces the original Ledger Live with a malicious clone in order to deceive the user and steal key data to access the wallet 1 2 3 6 7 .

What methods do cybercriminals use to convince users to enter a seed phrase?

Cybercriminals use several key social engineering and psychological manipulation techniques to convince users to enter their seed phrase into fake apps or phishing sites:

Create a sense of urgency and fear
The fake Ledger Live app or malware displays convincing warnings about “suspicious activity,” a “critical error,” or a threat to account security. This causes the user to panic and quickly enter their seed phrase to “save” their funds [from the original description].
Imitation of the official interface
Attackers create clones of Ledger Live that are visually and functionally almost indistinguishable from the real application. This reduces suspicion and increases the user’s trust in the request to enter a phrase [from the original description].
Fraud with fake notifications
The user is shown pop-up windows asking to confirm or enter a seed phrase supposedly to restore access or fix technical problems. Such messages look like official system warnings, which misleads even experienced users [from the original description].
Using psychological social engineering techniques
Fraudsters can encourage you to enter your seed phrase using deception, promises of rewards (e.g. airdrop, free tokens), threats of account blocking or loss of funds, and creating the illusion of trust through fake reviews and recommendations 6 9 .
Manipulation via messengers and social networks
Attackers actively search for victims in messengers and social networks, offering help, support or luring them to phishing resources, where the user can be convinced to enter a seed phrase 6 9 .
Lack of user awareness about seed phrase security
Many users are unaware that seed phrases should never be entered into apps or websites except directly into the hardware wallet. This lack of awareness makes it easier for scammers to convince victims to reveal this information 5 7 .

Thus, the main methods of persuasion are creating the illusion of formality and urgency, using fake interfaces and psychological pressure, which leads to the user voluntarily entering their seed phrase, transferring full control over the cryptocurrency to the attackers.

Why stealth malware like Atomic macOS Stealer is becoming more effective

Malware like Atomic macOS Stealer (AMOS) is becoming increasingly effective for a number of reasons related to technical advancements, distribution methods, and the use of built-in macOS capabilities:

Regular updates and functionality improvements
The developers of Atomic Stealer constantly update the software, introducing new features and methods of bypassing protection. For example, at the end of 2023, payload encryption was added, which helps the malware hide from antiviruses and threat detection systems 1 .
Using built-in macOS tools like AppleScript
Attackers exploit AppleScript, a built-in macOS scripting language that allows you to run commands and create fake system dialogs without the need for elevated privileges. This makes it easier to disguise malicious actions as legitimate system requests, significantly increasing the chances of a successful attack 5 6 .
Distribution via malvertising and hacked websites
Atomic Stealer and similar stealers are actively distributed via fraudulent advertising, fake browser updates and compromised web resources, which ensures a wide coverage of potential victims 1 5 9 .
Atomic Stealer’s mass commercial Malware-as-a-Service (MaaS) model
is sold on a subscription basis (e.g. $3,000 per month), which encourages ongoing development and support of the malware and allows more attackers to use it for attacks 1 5 .
Bypassing macOS’s Built-in Protections
Modern malware variants, including Banshee and Atomic Stealer, have learned to bypass Apple antivirus tools like XProtect by using similar encryption and code download methods, making them difficult to detect 2 .
Collecting a wide range of sensitive data
In addition to stealing seed phrases, these programs steal passwords from browsers, cryptocurrency wallet data, two-factor authentication tokens, notes, and system passwords, which makes them especially dangerous and effective 1 2 5 .
Use of social engineering techniques
The malware is accompanied by convincing phishing windows and messages that force the user to voluntarily enter sensitive data, including seed phrases 10 .
Attacks Rise and Code Improvements with AI
In 2024, there will be a trend towards using artificial intelligence to create and improve malicious code, increasing its quality, adaptability, and effectiveness 7 .

Thus, the effectiveness of Atomic macOS Stealer and similar malware is due to a combination of technical innovations, the use of built-in macOS system mechanisms, advanced methods of bypassing protection, large-scale distribution and psychological pressure on users.

What precautions can help protect crypto assets from such attacks?

To protect your crypto assets from attacks using fake apps and malware, such as Atomic macOS Stealer, it is recommended to follow a set of security measures:

Download Ledger Live and other crypto wallets only from official websites
Never use third-party sources or links from emails and messages – this will reduce the risk of installing a fake application [from the original description].
Never enter your seed phrase in apps or on websites
Your seed phrase should only be stored offline and entered on your Ledger hardware wallet. Seeking to enter your seed phrase in an app or pop-up is a sign of a scam [from the original description].
Use multi-factor authentication (2FA/MFA)
Enable two-factor authentication to access exchanges and wallets – this will make it much more difficult for attackers to access your funds even if your password is compromised 2 6 .
Store private keys and seeds offline
Use hardware wallets and store backup copies of seeds in secure physical locations that are inaccessible to online attacks 3 4 5 .
Update your software regularly
Updates provide protection against known vulnerabilities and exploits that hackers can use 5 .
Use a VPN when trading cryptocurrency online
A VPN protects against man-in-the-middle (MITM) attacks, encrypts your traffic, and hides your activity from attackers and ISPs 2 6 .
Be careful of suspicious messages and links
Do not click on unknown links, do not open attachments, and do not enter data on suspicious sites. Check URLs and SSL certificates 8 9 .
Split funds between multiple wallets
This reduces the risk of losing all assets if one of your wallets is hacked 4 5 .
Use multisig wallets
Transactions require multiple keys, which greatly increases security 5 .
Monitor wallet activity
Use monitoring services that notify you of suspicious transactions to quickly respond to potential hacks 3 .
Educate yourself and stay updated on new threats
Staying aware of new attack methods and scams will help you avoid social engineering pitfalls 7 10 .

Following these steps will significantly reduce the risk of cryptocurrency theft and keep your assets safe.

How the rise of seed theft campaigns is affecting trust in Ledger and other crypto wallets

The rise of seed theft campaigns has had a significant impact on user trust in Ledger and other crypto wallets, despite hardware wallets themselves remaining some of the safest ways to store cryptocurrency.

Undermining trust through attacks on communication channels and fake updates
Cybercriminals use sophisticated phishing campaigns, such as hacks of mass mailing services (Mailchimp, SendGrid), to distribute fake emails that appear to be official notifications from Ledger. These emails contain links to fake websites asking for a seed phrase under the guise of a firmware update or security check. This exploits users’ trust in official channels and reduces confidence in the security of Ledger as a brand 1 .
Increase in successful attacks and financial losses Active campaigns using fake Ledger Live apps, such as Atomic macOS Stealer, are causing significant user losses. Reports of seed thefts and wallet empties are raising concerns among the community and raising doubts about the reliability of the ecosystem, even if the vulnerabilities are due to human factors and not to the Ledger 5
hardware .
Impact on Perception of Hardware Wallets Security
Ledger and other hardware wallet makers emphasize that their devices reliably protect private keys and seeds when used correctly. However, user error—entering seeds in untrusted apps or on phishing sites—remains the leading cause of leaks. This creates a paradox: the technology is secure, but trust is undermined by attacks on users 2 6 .
Transparency and Security Initiatives
Ledger is actively working to improve the user experience and implement technologies such as transparent transaction signing to minimize human error and increase user understanding of their actions. This helps restore trust by showing that the company is not only producing secure devices, but also educating users on secure practices 2 .
Overall Impact on the Cryptocurrency Market
Large-scale phishing campaigns and account hacks are impacting the overall perception of cryptocurrencies, causing fear among new users and investors. This is forcing companies and communities to increase security measures and raise awareness to maintain trust and drive sustainable growth in the industry 3 .

Ultimately, while Ledger and similar hardware wallets remain technically secure, the rise of seed theft campaigns is eroding user trust, highlighting the importance of a comprehensive approach to security that includes both technology solutions and user education and awareness.

Summary and conclusion

Modern cybercriminals are increasingly using sophisticated methods to steal crypto assets, primarily through spoofing the official Ledger Live app and introducing malware such as the Atomic macOS Stealer. These attacks target macOS users and rely on replacing the legitimate app with a clone that tricks the victim into entering their seed phrase. Once the attackers have this key element, they gain complete control over the crypto wallet and can instantly withdraw all funds.

The growth of such campaigns demonstrates the constant development and sophistication of malware, which improves its methods of bypassing security systems, uses built-in operating system tools, and actively spreads through hacked sites and phishing emails. Malware is increasingly accompanied by convincing social engineering techniques that create a sense of urgency and trust in the user, which significantly increases the likelihood of a successful attack.

These threats seriously affect the credibility of Ledger and other hardware crypto wallets. Although the devices themselves remain some of the most reliable means of storing cryptocurrency, user errors and vulnerabilities in communication channels undermine the reputation and cause concern in the community. It is important to understand that cryptocurrency security is not only about protecting technical means, but also about competent user behavior, risk awareness, and compliance with security recommendations.

To minimize risks, it is necessary to strictly adhere to a number of precautions: download software only from official sources, never enter a seed phrase outside of a hardware wallet, use multi-factor authentication, store private keys offline, and regularly update software. Educating users and improving their digital hygiene play a key role in the fight against fraud.

Ultimately, only a comprehensive approach that combines technical innovation, continuous improvement of security mechanisms, and active user education will help maintain trust in cryptocurrency services and ensure the security of digital assets in the context of an ever-changing cyber threat landscape.