Cybercriminals have been targeting macOS users with fake Ledger Live applications, designed to steal seed phrases and drain cryptocurrency wallets. This sophisticated phishing campaign has evolved significantly over the past year, with attackers initially focusing on stealing passwords, notes, and wallet details. However, they have since developed the capability to extract seed phrases, which are crucial for accessing and transferring funds from Ledger wallets.
The campaign, tracked by Moonlock Lab since August 2024, involves distributing a malicious clone of the Ledger Live app. Initially, this clone could only gather basic information about the wallet's assets but could not extract funds. Within a year, the attackers have refined their techniques to steal seed phrases, allowing them to empty the wallets of their victims. The phishing messages used in these attacks warn users about supposed suspicious activity, tricking them into entering their seed phrases. Once entered, the seed phrase is sent to an attacker-controlled server, exposing the user’s assets almost instantly.
One notable example is the Atomic macOS Stealer (AMOS), which disguises a malicious file as a legitimate download. This file steals personal data and replaces the real Ledger Live app with a fake clone. The fake app then displays a convincing alert about suspicious activity, prompting the user to enter their seed phrase. Once the seed phrase is entered, it is sent to the attacker's server, compromising the user's assets.
Another significant development came from a threat actor known as Rodrigo, who introduced a game-changing feature in his Odyssey stealer. This stealer bypasses Ledger Live’s defenses with a sophisticated phishing scheme, retrieving the username from the user's system and passing it to an HTML phishing page. The page presents a deceptive “critical error” message, claiming that the user must enter their 24-word seed phrase to fix the issue. If the user complies, the seed phrase, along with the username, is sent to a command-and-control (C2) server.
The impact of Rodrigo’s techniques has set a dangerous precedent, with other threat actors following suit. For instance, another threat actor, @mentalpositive, advertised on a dark web forum that their malware now includes an “anti-Ledger” feature. This module replaces the Ledger Live app to phish for seed phrases. However, analysis of two samples of @mentalpositive’s stealer reveals no significant evolution, suggesting that the anti-Ledger feature may still be in development.
The growing interest in targeting Ledger Live users is not limited to dark web forums. Recently, research on a macOS infostealer campaign that also targets Ledger Live users was published. The malicious files associated with this campaign had been uploaded to VirusTotal three months earlier, indicating that exploitation efforts began well before the public report. The campaign involves a malicious DMG file that contains a Mach-O binary packed with PyInstaller to evade static detection. When unpacked, it reveals a script that fetches an HTML page and attempts to load a phishing interface via an iframe.
The AMOS stealer, another advanced implementation, has adopted Rodrigo’s playbook, deploying an almost identical phishing page with slight frontend tweaks to target Ledger Live users. The campaign begins with a malicious DMG file that includes a deceptive “Terminal” alias file. If users drag the included script onto this alias, it executes in their Terminal with their permissions, allowing it to dodge Gatekeeper’s verification. This triggers an obfuscated shell script that performs VM detection to avoid sandboxes. If a virtual environment is not detected, it proceeds with its payload, collecting sensitive data and sending it to a C2 server. The fake Ledger Live app then displays a fraudulent welcome screen, luring victims into clicking “Restore” and entering their seed phrase.
The AMOS stealer’s cunning phishing page is a direct response to Ledger Live’s wallet security, which locks seed phrases beyond the reach of typical stealers. Unlike softer targets, Ledger Live’s defenses demand this elaborate phishing charade, proving it’s a vault that attackers can’t crack without duping users first.
At the time of this report, four active campaigns are targeting Ledger Live users, and the attackers are only getting smarter. This isn’t just a theft; it’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world. Users should take the news as a clear signal to stay alert and observe the following advice: watch out for phishing pages, especially those warning of a “critical error” and asking for the 24-word recovery phrase; never share your seed phrase with anyone or on any site, no matter how legitimate it looks; only download Ledger Live from the official source; and stay informed by following trusted research teams for early warnings and threat breakdowns.
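Because every campaign above works by swapping the genuine Ledger Live bundle for a clone, one practical check on a Mac is whether the installed bundle still carries a valid code signature from the expected developer Team ID. The script below is an added example, not code from Moonlock or Ledger; it assumes the bundle lives at /Applications/Ledger Live.app, and EXPECTED_TEAM_ID is a placeholder that must be taken from Ledger's official distribution.

```shell
#!/bin/sh
# Added example (not from the report or from Ledger): verify that the
# installed Ledger Live bundle is signed by the expected developer Team ID.
# EXPECTED_TEAM_ID is a placeholder; obtain the real value from Ledger's
# official distribution rather than from this script.
EXPECTED_TEAM_ID="REPLACE_WITH_LEDGER_TEAM_ID"
APP_PATH="/Applications/Ledger Live.app"

# Pull the TeamIdentifier field out of `codesign -dv --verbose=4` output.
# Reads stdin so it can be exercised on captured text as well as live output.
team_id_from_codesign() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the Team ID parsed from a block of codesign output equals
# the expected one, 1 when it is missing or different.
team_id_matches() {
    parsed=$(printf '%s\n' "$1" | team_id_from_codesign)
    [ -n "$parsed" ] && [ "$parsed" = "$2" ]
}

# Live check: signature must verify structurally (catches a tampered or
# unsigned clone) and the Team ID must match. codesign prints details to
# stderr, hence the 2>&1.
check_ledger_live() {
    app="$1"; expected="$2"
    codesign --verify --deep --strict "$app" 2>/dev/null || return 1
    details=$(codesign -dv --verbose=4 "$app" 2>&1)
    team_id_matches "$details" "$expected"
}

# Only touch the real system when invoked as: sh check_ledger.sh --check
if [ "${1:-}" = "--check" ]; then
    if check_ledger_live "$APP_PATH" "$EXPECTED_TEAM_ID"; then
        echo "Ledger Live signature OK"
    else
        echo "WARNING: Ledger Live is unsigned, tampered, or signed by an unexpected Team ID"
        exit 1
    fi
fi
```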