Key Takeaways:
Cybercriminals are increasingly targeting macOS users with counterfeit Ledger Live applications to pilfer seed phrases and cryptocurrency assets.
The main malware identified in these attacks is the Atomic macOS Stealer, which has been discovered on more than 2,800 compromised websites.
Moonlock has raised alarms about the advancing tactics of these attackers, highlighting multiple ongoing campaigns.
A new wave of malware threats aimed at macOS users is taking advantage of trust in Ledger Live, a widely-used cryptocurrency wallet management application. Cybersecurity firm Moonlock reports that hackers are distributing fraudulent versions of the app to capture users’ seed phrases and deplete their crypto wallets.
In a report released on May 22, Moonlock detailed how attackers have been deploying trojanized copies of the Ledger Live app to trick individuals into entering their recovery phrases through deceptive pop-up prompts. The firm noted a significant evolution in these threats, stating, “Within a year, they have learned to steal seed phrases and empty the wallets of their victims.”
Atomic macOS Stealer Emerges as Key Tool in Crypto Theft Campaigns
The Atomic macOS Stealer is one of the main tools utilized for these attacks, specifically designed to extract sensitive information like passwords, notes, and cryptocurrency wallet details. Moonlock found this malware embedded in at least 2,800 compromised websites.
Once the malware is installed, it silently substitutes the legitimate Ledger Live application with a counterfeit version that generates fake alerts to harvest seed phrases. If a user inputs their 24-word recovery phrase into this imitation app, that information is transmitted to servers controlled by the attackers.
Moonlock explained, “The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase. Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets in seconds.”
Moonlock has been monitoring this type of malware since August and has identified at least four active campaigns associated with it.
Moonlock’s own summary of the campaign, as posted on X:
“Cybercriminals are compromising websites to spread macOS malware again. This time: Atomic Stealer hidden in fake password manager installers. Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer”
— Moonlock (@moonlock_com), May 20, 2025
While some vendors on the dark web claim to provide malware with advanced “anti-Ledger” capabilities, Moonlock discovered that many of these tools remain under development. Nevertheless, this has not deterred attackers, who continue to refine their strategies.
Moonlock strongly emphasized, “This isn’t just a theft. It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. And the thieves are not backing down.”
Users are advised to exercise caution by avoiding downloads from unofficial sources, being skeptical of unexpected pop-ups requesting a seed phrase, and never sharing their recovery phrase—regardless of how legitimate the interface appears.
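Because the attack described above works by dropping a counterfeit bundle in place of the real Ledger Live app, one concrete check a macOS user or responder can run is to confirm that the installed application still carries the vendor’s Developer ID signature and Team ID. The script below is an added example written for this page; it is not code from Moonlock, Ledger, or the report. It assumes a bundle identifier of com.ledger.live and uses a hypothetical placeholder Team ID (ABCDE12345); both must be replaced with the values the vendor publishes. The sample codesign outputs are constructed so the parser can be exercised offline.

```python
"""Verify that an installed macOS app bundle still carries its vendor's
Developer ID signature.

A trojanized copy dropped in place of the real application cannot
reproduce the vendor's signature, so comparing the live codesign(1)
output against the expected identifiers is a quick integrity check.
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# ASSUMPTIONS for illustration only: replace with the bundle identifier and
# Apple Team ID the vendor publishes for its signed builds.
EXPECTED_BUNDLE_ID = "com.ledger.live"   # assumed bundle identifier
EXPECTED_TEAM_ID = "ABCDE12345"          # hypothetical placeholder Team ID


@dataclass
class SigningInfo:
    signed: bool
    bundle_id: Optional[str] = None
    team_id: Optional[str] = None
    adhoc: bool = False
    authorities: List[str] = field(default_factory=list)


def parse_codesign_output(text: str) -> SigningInfo:
    """Parse the key=value lines that `codesign -dv --verbose=2` prints
    (to stderr) for a bundle. Handles the three cases that matter:
    unsigned, ad-hoc signed, and signed with a certificate chain."""
    if "not signed at all" in text:
        return SigningInfo(signed=False)
    info = SigningInfo(signed=True)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.bundle_id = value
        elif key == "TeamIdentifier":
            info.team_id = None if value == "not set" else value
        elif key == "Authority":
            info.authorities.append(value)      # leaf certificate comes first
        elif key == "Signature" and value == "adhoc":
            info.adhoc = True
    return info


def verdict(info: SigningInfo,
            bundle_id: str = EXPECTED_BUNDLE_ID,
            team_id: str = EXPECTED_TEAM_ID) -> str:
    """Return 'OK' only when every expected property holds, otherwise a
    'REJECT: ...' string naming the first failed check."""
    if not info.signed:
        return "REJECT: bundle is not signed"
    if info.adhoc or info.team_id is None:
        return "REJECT: ad-hoc signature or no Team ID"
    if info.bundle_id != bundle_id:
        return f"REJECT: unexpected bundle id {info.bundle_id}"
    if info.team_id != team_id:
        return f"REJECT: unexpected Team ID {info.team_id}"
    if not info.authorities or not info.authorities[0].startswith("Developer ID Application:"):
        return "REJECT: leaf certificate is not a Developer ID Application cert"
    return "OK"


def check_installed_app(path: str) -> str:
    """Run codesign on a real bundle (macOS only) and return the verdict."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=2", path],
                          capture_output=True, text=True)
    # codesign writes the description (and the unsigned message) to stderr.
    return verdict(parse_codesign_output(proc.stderr + proc.stdout))


# Constructed sample outputs (not captured from a real system) used to
# exercise the parser offline.
SAMPLE_SIGNED = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8990
Authority=Developer ID Application: Example Vendor (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=200
"""

SAMPLE_ADHOC = """\
Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
"""

SAMPLE_UNSIGNED = "/Applications/Ledger Live.app: code object is not signed at all\n"

if __name__ == "__main__":
    for name, sample in [("signed", SAMPLE_SIGNED), ("adhoc", SAMPLE_ADHOC),
                         ("unsigned", SAMPLE_UNSIGNED)]:
        print(f"{name:9s} -> {verdict(parse_codesign_output(sample))}")
```

The Team ID comparison is the part that matters: a counterfeit can be validly signed with any Developer ID certificate the attacker controls, so checking only that a signature exists is not enough. On a real machine, pair this with `codesign --verify --deep --strict` (does the bundle still match its signature) and `spctl --assess --type execute` (does Gatekeeper accept it), and treat a bundle that fails any of these as replaced rather than repairable.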
Microsoft Takes Legal Action Against Lumma Stealer Malware
In a related development, Microsoft announced on May 21 that it has initiated both legal and technical measures to disrupt Lumma Stealer, a notorious malware operation involved in large-scale information theft that includes data from crypto wallets.
The tech giant stated that a federal court in Georgia had authorized its Digital Crimes Unit to seize or block nearly 2,300 websites associated with Lumma’s operations. In collaboration with the U.S. Department of Justice, Europol’s European Cybercrime Center, and Japan’s Cybercrime Control Center, Microsoft aided in dismantling the command-and-control network of Lumma as well as the marketplaces where the malware was sold to cybercriminals.
Active since 2022 and regularly updated, Lumma has been sold through underground forums and used to collect passwords, credit card information, bank credentials, and data related to digital assets.
The post Fake Ledger Live Apps Target macOS Users in Crypto-Stealing Malware Scam appeared first on Finance Newso.