
Image by Brian J. Tromp, from Unsplash
Fake Ledger Live Apps Are Stealing Crypto
Cybercriminals are using fake Ledger Live apps and phishing alerts to steal seed phrases, launching malware that silently drains crypto wallets across platforms.
In a rush? Here are the quick facts:
- Fake Ledger Live apps steal seed phrases to drain crypto wallets.
- At least four malware campaigns have mimicked Ledger Live since August 2024.
- Hackers use phishing pop-ups to trick users into entering 24-word seed phrases.
Cybercriminals are using fake versions of Ledger Live — the app used to manage crypto on Ledger wallets — to steal seed phrases and drain users’ funds. Moonlock Lab revealed that since August 2024, at least four active malware campaigns have targeted Ledger Live with phishing attacks.
Initially, fake apps could only steal notes and wallet data. But today, they trick users into giving away their 24-word seed phrase. One tactic, seen in Atomic macOS Stealer (AMOS), involves a fake security alert that asks users to “verify” their seed phrase. Once typed, it’s sent directly to hackers.
The shift began with the “Odyssey” malware by a hacker named Rodrigo. According to Moonlock, since March 2025, Odyssey has bypassed Ledger Live’s defenses with a phishing page that urges users to enter their seed to fix a “critical error.”
Rodrigo’s method set off a chain reaction. Another hacker, @mentalpositive, claimed their malware now includes an “anti-Ledger” module. But two samples of their code showed no major changes—only a new server address and a name switch from “JENYA” to “SHELLS.”
Meanwhile, a new campaign discovered by Jamf Threat Labs involved an undetectable Mac installer that loads a fake Ledger Live interface. The stealer silently grabs passwords, files, and wallet data using a mix of Python and AppleScript.
AMOS has also adopted Rodrigo’s phishing scheme. Victims are tricked into launching a terminal file that bypasses Apple’s security checks, allowing malware to run. If it detects a real system, not a virtual one, it sends stolen files and credentials — including data from Binance and TonKeeper — to a remote server.
With more hackers copying this approach, crypto users are urged to avoid entering seed phrases into apps or pop-ups.