Hackers use fake Ledger apps to target macOS devices

June 17, 2025

A newly discovered cybercriminal campaign uses fake Ledger apps to target macOS users. Reports revealed that the campaign could steal seed phrases and compromise access to cryptocurrency wallets.

These activities deploy malware disguised as legitimate wallet applications, tricking victims into revealing sensitive information that protects their digital assets.

Ledger, a widely used hardware wallet, is known for securely storing cryptocurrency offline (cold storage).

It uses a seed or recovery phrase, typically 12 or 24 randomly generated words, to allow users to recover their wallets in case of device loss or forgotten access credentials. This phrase is intended to remain private and offline.

Cybercriminals developed the fake Ledger apps to deceive users.

According to investigations, the attackers have developed fake Ledger apps that impersonate the official hardware wallet’s site.

These fake apps prompt users to input their seed phrases into phishing forms, often under the pretence of resolving an error or restoring account access.

The researchers have been monitoring these activities since August 2024. Initially, the clones could only extract passwords, notes, and wallet details—insufficient for accessing funds.

However, newer versions focus explicitly on capturing seed phrases, enabling the theft of the entire wallet’s contents. By March, researchers had identified a threat actor using the alias “Rodrigo”, who introduced a new macOS stealer known as “Odyssey.”

This malware replaces the genuine Ledger Live app on the victim’s device, embedding a phishing interface that displays a fabricated critical error message and instructs users to input their 24-word seed phrase.

Furthermore, Odyssey collects macOS usernames and transmits the stolen data to the attackers’ command-and-control (C2) server. Its effectiveness soon attracted attention on cybercriminal forums, leading to the emergence of similar campaigns using a known malware strain called AMOS.

Experts advise users to download the Ledger Live app exclusively from the official Ledger website to mitigate the risk of such attacks.

The seed phrase should only be used in specific scenarios, such as restoring a wallet or setting up a new device. Lastly, it must be entered solely on the physical Ledger hardware, never on any app or website.
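Because the stealer described above works by replacing the genuine Ledger Live bundle, one check a Mac user or administrator can run is to confirm that the installed app still carries a valid Apple Developer ID signature from the expected signer. The script below is an added example, not code from the article or from Ledger; the EXPECTED_TEAM_ID value is a placeholder that must be read from a known-good install, and the bundle path is assumed to be the default /Applications location.

```shell
#!/bin/sh
# Added example (not from the article): verify that the Ledger Live bundle on a
# Mac still carries a valid Developer ID signature from the expected team.
# A stealer that swaps out the app cannot reproduce Ledger's signature, so a
# failed or mismatched check is a strong indicator of tampering.
# EXPECTED_TEAM_ID is a placeholder (assumption): obtain the real value from a
# known-good install with: codesign -dv --verbose=2 "/Applications/Ledger Live.app"
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-REPLACE_WITH_KNOWN_GOOD_TEAM_ID}"

# Exit codes: 0 = valid signature from the expected team and Gatekeeper accepts it,
#             1 = signature invalid, modified, or signed by someone else,
#             2 = cannot check (codesign unavailable, i.e. not macOS, or bundle missing).
check_ledger_live_signature() {
    app="$1"
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available (not macOS?)"; return 2; }
    [ -d "$app" ] || { echo "bundle not found: $app"; return 2; }

    # Check every nested component; --strict rejects unsigned or altered files.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: signature invalid or bundle modified: $app"
        return 1
    fi

    # A valid signature is not enough: the signer must be the expected Developer ID team.
    info=$(codesign -dv --verbose=2 "$app" 2>&1)
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p')
    case "$info" in
        *"Authority=Developer ID Application"*) ;;
        *) echo "FAIL: not signed with a Developer ID certificate"; return 1 ;;
    esac
    if [ "$team" != "$EXPECTED_TEAM_ID" ]; then
        echo "FAIL: TeamIdentifier '$team' does not match expected '$EXPECTED_TEAM_ID'"
        return 1
    fi

    # Finally ask Gatekeeper whether it would allow this bundle to run at all.
    if ! spctl --assess --type execute "$app" 2>/dev/null; then
        echo "FAIL: Gatekeeper rejects $app"
        return 1
    fi
    echo "OK: $app is signed by team $EXPECTED_TEAM_ID and passes Gatekeeper"
    return 0
}

# Usage: sh check_ledger_live.sh ["/path/to/Ledger Live.app"]
check_ledger_live_signature "${1:-/Applications/Ledger Live.app}" || status=$?
```

A result of 1 on a machine where Ledger Live was installed from the official site is worth treating as an incident: do not launch the app, and do not enter a seed phrase anywhere on that Mac.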
