- Security researchers spot fake Ledger Live app targeting Mac users
- The app replaces the legitimate one and shows a fake critical error
- The error requires the user to submit their 24-word seed phrase
Cybercriminals are targeting cryptocurrency owners with Apple Mac devices using a highly sophisticated piece of malware which hides in plain sight and aims to steal their seed phrases.
A ‘seed phrase’ is a 12 or 24-word combination that allows anyone to load an existing wallet into a new device and gain access to all of the funds inside.
In a new report, security researchers Moonlock said there are currently four active campaigns distributing a fake Ledger Live app spoofing an official offering which allows users to send, manage, and track their crypto portfolio.
"High-stakes effort"
The campaign has allegedly been active since August 2024, and although the report doesn’t discuss how the victims end up downloading the fake Ledger Live app, it does detail how it works: It replaces the existing, legitimate app, and then during the login process displays a fake error message.
The “critical error” can only be remedied by submitting the 24-word seed phrase which then immediately gets relayed to the attackers.
“This isn’t just a theft. It’s a high-stakes effort to outsmart one of the most trusted tools in the crypto world,” Moonlock explains. “And the thieves are not backing down.”
“Users should take the news as a clear signal to stay alert,” the researchers concluded, urging users to be wary of phishing emails, to never share their seed phrases with anyone, and to only download cryptocurrency wallet apps from legitimate sources.
In a written statement shared with TechRadar Pro, Ledger's CTO, Charles Guillemet, said the company is "seeing" malware campaigns targeting macOS users, and is urging them to always download Ledger Live exclusively from ledger.com.
"If any interface asks for your seed phrase, it's a scam—no exceptions," Guillemet concluded.
Cryptocurrency users continue to be a major target for cybercriminals everywhere - in the US, users lost around $9.3 billion to various scams in 2024 alone, CoinDesk said, citing an FBI report, a 66% increase compared to 2023.
Via BleepingComputer
You might also like
- Hundreds of masterminds behind most pump-and-dump crypto coin schemes worldwide collect a staggering $250 million annually
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
