Ledger Users Targeted by Sophisticated Malware Campaign

Cybercriminals have developed a sophisticated malware campaign targeting Ledger hardware wallet users, specifically those on macOS devices. The malware replaces the legitimate Ledger Live application with a malicious clone, tricking users into revealing their 24-word seed phrases through fake security alerts. Once the seed phrase is entered, the malware sends this sensitive information to attacker-controlled servers, granting criminals complete access to the victim's cryptocurrency wallets.
Moonlock, a cybersecurity firm, disclosed this campaign in a May 22 report. The malware not only replaces the real Ledger Live app but also displays convincing pop-up messages claiming suspicious activity on the user's wallet. These alerts prompt users to enter their seed phrases for verification; any phrase entered is immediately sent to the attackers' servers, allowing criminals to drain the victim's cryptocurrency wallets within seconds.
Initially, the attackers could only steal passwords and wallet details. However, over the past year, they have evolved their methods to focus on extracting seed phrases, which provide complete wallet access. The primary delivery method for this malware is the Atomic macOS Stealer, which has been found on at least 2,800 compromised websites. This stealer first infects the target device through these malicious sites, collects personal data, and then replaces the legitimate Ledger Live application with a fake version containing malicious code.
The replacement happens seamlessly, and most victims remain unaware that their Ledger Live app has been compromised. The fake app functions normally until it triggers the fraudulent security alert. Moonlock has been monitoring this campaign since August 2024 and has identified at least four separate active campaigns targeting Ledger users. The attacks appear to be increasing in frequency and sophistication.
Dark web forums show growing discussion about “anti-Ledger” schemes among cybercriminals. Threat actors are actively advertising malware tools with specialized features for targeting Ledger hardware wallet users. However, some advertised tools examined by Moonlock lacked the full functionality promised by sellers. The cybersecurity firm believes these missing features may still be under development, suggesting that future updates to the malware could include more advanced anti-Ledger capabilities.
Security experts recommend several steps to avoid these attacks. Users should be suspicious of any message requesting their 24-word recovery phrase, as legitimate services never ask users to enter seed phrases through pop-up alerts or websites. It is crucial to download Ledger Live only from official sources to avoid compromised versions. Users should also regularly verify their app installations and be cautious when visiting unfamiliar websites. Any unexpected security alerts should be verified through official Ledger support channels before taking action.
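The "verify your app installation" advice above can be made concrete on macOS. The following script is an added example, not code from the article, from Moonlock or from Ledger: it checks that an app bundle's code signature is intact (a swapped-in clone fails this unless it was re-signed), that Gatekeeper accepts it, and that the signer's Apple Team ID is the one you expect. The `EXPECTED_TEAM_ID` value is a placeholder: take it from `codesign -dv --verbose=4` run against a copy of Ledger Live downloaded from Ledger's official site, or from Ledger's own documentation. The default bundle path is an assumption.

```shell
#!/bin/sh
# Added example (not from the article, Moonlock or Ledger): verify that a macOS
# app bundle is unmodified, passes Gatekeeper, and is signed by the expected
# developer Team ID. codesign and spctl are Apple tools, so run this on macOS.

# PLACEHOLDER: replace with the Team ID observed on a known-good Ledger Live
# download. Comparing against a fixed value is what distinguishes "signed by
# Ledger" from "signed by someone".
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-PLACEHOLDER_TEAM_ID}"
# Assumed default install location.
APP_PATH="${1:-/Applications/Ledger Live.app}"

# Pull the TeamIdentifier= value out of captured `codesign -dv --verbose=4` text.
team_id_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeeds only if an observed Team ID is present and equals the expected one.
team_id_matches() {
    observed="$1"
    expected="$2"
    [ -n "$observed" ] && [ "$observed" = "$expected" ]
}

verify_app_bundle() {
    app="$1"
    expected="$2"
    if [ ! -d "$app" ]; then
        echo "FAIL: $app not found"
        return 1
    fi
    # 1. Integrity: every file in the bundle still matches the embedded signature.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature invalid or bundle contents modified: $app"
        return 1
    fi
    # 2. Gatekeeper: Developer ID signed and notarized as far as macOS is concerned.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper assessment rejected $app"
        return 1
    fi
    # 3. Identity: the signer is the developer you expect, not merely a valid one.
    info=$(codesign -dv --verbose=4 "$app" 2>&1)
    observed=$(team_id_from_codesign_output "$info")
    if ! team_id_matches "$observed" "$expected"; then
        echo "FAIL: Team ID '$observed' does not match expected '$expected'"
        return 1
    fi
    echo "OK: $app is intact and signed by Team ID $observed"
}

# Run the live check only where the Apple tools exist.
if command -v codesign >/dev/null 2>&1; then
    verify_app_bundle "$APP_PATH" "$EXPECTED_TEAM_ID"
else
    echo "codesign not found: run this on macOS" >&2
fi
```

Run it after any Ledger Live update and whenever an unexpected security alert appears; a bundle that was silently replaced will fail the first or third check even if it launches and looks normal.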
Moonlock’s research shows that criminals are specifically targeting the trust users place in Ledger’s reputation. The attacks exploit users’ confidence in the Ledger brand by creating convincing replicas of the official software. The cybersecurity firm has tracked this campaign for eight months with no signs of it slowing down. Dark web activity suggests more sophisticated attacks targeting Ledger users are being planned for future deployment.