
Image by Brian J. Tromp, from Unsplash
Fake Ledger Live Apps Are Stealing Crypto
Cybercriminals are using fake Ledger Live apps and phishing alerts to steal seed phrases, launching malware that silently drains crypto wallets across platforms.
In a rush? Here are the quick facts:
- Fake Ledger Live apps steal seed phrases to drain crypto wallets.
- At least four malware campaigns have mimicked Ledger Live since August 2024.
- Hackers use phishing pop-ups to trick users into entering their 24-word seed phrases.
Cybercriminals are using fake versions of Ledger Live — the app used to manage crypto on Ledger wallets — to steal seed phrases and drain users’ funds. Moonlock Lab revealed that since August 2024, at least four active malware campaigns have targeted Ledger Live with phishing attacks.
Initially, fake apps could only steal notes and wallet data. But today, they trick users into giving away their 24-word seed phrase. One tactic, seen in Atomic macOS Stealer (AMOS), involves a fake security alert that asks users to “” their seed phrase. Once typed, it’s sent directly to hackers.
The shift began with the “Odyssey” malware by a hacker named Rodrigo. According to Moonlock, since March 2025, Odyssey has bypassed Ledger Live’s defenses with a phishing page that urges users to enter their seed phrase to fix a “critical error.”
Rodrigo’s method set off a chain reaction. Another hacker, @mentalpositive, claimed their malware now includes an “anti-Ledger” module. But two samples of their code showed no major changes — only a new server address and a name switch from “JENYA” to “SHELLS.”
Meanwhile, a new campaign discovered by Jamf Threat Labs involved an undetectable Mac installer that loads a fake Ledger Live interface. The stealer silently grabs passwords, files, and wallet data using a mix of Python and AppleScript.
AMOS has also adopted Rodrigo’s phishing scheme. Victims are tricked into launching a terminal file that bypasses Apple’s security checks, allowing the malware to run. If it detects a real system rather than a virtual machine, it sends stolen files and credentials — including data from Binance and TonKeeper — to a remote server.
With more hackers copying this approach, crypto users are urged to avoid entering seed phrases into apps or pop-ups.