Cybercriminals Target Cryptocurrency Users With Fake Ledger Live Apps

Coin World, Friday, May 23, 2025, 2:11 am ET

Cybercriminals have been running a scheme that targets cryptocurrency users by replacing the legitimate Ledger Live app with a fake version. The counterfeit app is designed to steal seed phrases, the recovery secrets from which a wallet's keys are derived. Once a seed phrase is obtained, the attackers can drain the victim's crypto assets from any machine; the hardware device itself is never needed. The malware used in this scheme includes Odyssey Stealer and AMOS (Atomic macOS Stealer), both of which target macOS users. The fake apps are distributed through various means, including malicious Office add-in bundles, to trick users into downloading and installing them.

One way the scammers swap the real Ledger Live app for a clone is through Atomic macOS Stealer (AMOS), an infostealer that Moonlock said it has found lurking on at least 2,800 hacked websites. After infecting a device, AMOS steals personal data, passwords, notes and wallet details, then replaces the real Ledger Live app with a phony copy. The fake app displays a convincing alert about suspicious activity and prompts the user to enter their seed phrase. Once entered, the phrase is sent to an attacker-controlled server, and the user's assets can be emptied within seconds.

Moonlock has been tracking malware that distributes a malicious clone of Ledger Live since August and has identified at least four active campaigns; the firm thinks the hackers are "only getting smarter." Threat actors on the dark web are offering malware with "anti-Ledger" features. However, one of the samples examined by Moonlock did not contain the full anti-Ledger phishing functionality advertised. The firm speculates those features could "still be in development or is forthcoming in future updates."

The SparkCat campaign, discovered by Kaspersky researchers, is another example of cybercriminals using optical character recognition (OCR) to steal recovery phrases from crypto wallets, and it shows how the tactics used to compromise cryptocurrency security keep evolving. OCR lets the malware read text out of screenshots and photos stored on the device, so a seed phrase that the owner captured as a picture for "backup" can be harvested without the user ever typing it into anything.

The impact of these attacks is significant, because the seed phrase is the root secret of a cryptocurrency wallet. With it, an attacker can regenerate every key the wallet derives and gains full control over the associated accounts, so all funds stored in them are lost; no amount of protection on the hardware device helps once the phrase has been typed into malware. This underscores the importance of using legitimate and secure applications for managing cryptocurrency assets. Users are advised to be vigilant and verify the authenticity of any software they download, especially software that touches sensitive financial information.

To avoid falling prey to similar malware scams, Moonlock recommends being wary of any page that warns of a critical error and asks for a 24-word recovery phrase. Ledger Live never asks for the recovery phrase; the phrase is only ever entered on the hardware device itself, and any desktop window, web page or support chat that requests it is a phishing attempt. Never share a seed phrase with anyone or input it on any website, no matter how legitimate it looks, and only download Ledger Live from its official source.
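One concrete way to act on that last point on macOS is to check that the installed Ledger Live bundle still carries a proper Developer ID signature rather than an ad-hoc or missing one, which is what a dropped-in replacement typically has. The script below is an added example written for this article, not code from Ledger, Moonlock or the article itself. It parses the output of Apple's `codesign -dv --verbose=4` and flags the failure modes a swapped app would show. The bundle identifier `com.ledger.live` and the Team ID value `TEAMID0000` used in the constructed sample output are assumptions for the example; the real expected Team ID should be recorded from a known-good install downloaded from ledger.com and passed in as the second argument.

```python
"""Check that a Ledger Live bundle carries the expected Developer ID signature.

Added example (not from the article, Ledger or Moonlock). The sample codesign
outputs below are constructed for offline testing; TEAMID0000 is a placeholder.
"""
import subprocess
import sys

# Bundle identifier Ledger Live ships with (assumption for this example).
EXPECTED_IDENTIFIER = "com.ledger.live"

# Constructed `codesign -dv --verbose=4` stderr for a properly signed bundle.
GOOD_OUTPUT = """Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=100
"""

# Constructed output for a dropped-in clone that is only ad-hoc signed.
ADHOC_OUTPUT = """Executable=/Users/victim/Downloads/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+5 location=embedded
Signature=adhoc
Info.plist entries=20
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=40
"""

# Constructed output for a bundle with no signature at all.
UNSIGNED_OUTPUT = "/Users/victim/Downloads/Ledger Live.app: code object is not signed at all\n"


def parse_codesign(output: str) -> dict:
    """Parse codesign's key=value lines. Authority= repeats once per cert in the chain."""
    info = {"Authority": []}
    for line in output.splitlines():
        if "=" not in line:
            continue  # e.g. the "not signed at all" diagnostic
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def assess(info: dict, expected_team_id: str,
           expected_identifier: str = EXPECTED_IDENTIFIER) -> list:
    """Return a list of findings; an empty list means the bundle passes."""
    findings = []
    if not info.get("Identifier"):
        findings.append("not signed at all")
        return findings
    if info["Identifier"] != expected_identifier:
        findings.append(f"unexpected bundle identifier {info['Identifier']!r}")
    if info.get("Signature") == "adhoc":
        findings.append("ad-hoc signature (no developer identity)")
    team = info.get("TeamIdentifier", "not set")
    if team != expected_team_id:
        findings.append(f"TeamIdentifier {team!r} != expected {expected_team_id!r}")
    auth = info.get("Authority", [])
    if not any(a.startswith("Developer ID Application:") for a in auth):
        findings.append("no Developer ID Application leaf certificate")
    if "Apple Root CA" not in auth:
        findings.append("chain does not end at Apple Root CA")
    return findings


def codesign_info(bundle_path: str) -> dict:
    """Run codesign (macOS only; writes its report to stderr) and parse it."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                          capture_output=True, text=True)
    return parse_codesign(proc.stderr)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: check_ledger_live.py '/Applications/Ledger Live.app' EXPECTED_TEAM_ID")
        sys.exit(2)
    problems = assess(codesign_info(sys.argv[1]), sys.argv[2])
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Signature checks only prove who signed the bundle, so the comparison is against a Team ID you recorded yourself from a clean install; a passing result with the wrong expected value means nothing. `spctl --assess --type execute -vv` on the same path adds the Gatekeeper notarization verdict, which an ad-hoc or unsigned clone also fails.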

The rise in cybercrime targeting cryptocurrency users is a growing concern, as the value of digital assets continues to increase. Hackers are constantly developing new methods to exploit vulnerabilities and steal funds. The use of fake apps and malware to steal seed phrases is just one of the many tactics employed by cybercriminals. It is crucial for users to stay informed about the latest threats and take proactive measures to protect their digital assets. This includes using reputable security software, enabling two-factor authentication, and being cautious of phishing attempts and malicious downloads.