Hackers Target Mac Users with Fake Ledger Apps to Steal Seed Phrases

Cybercriminals are targeting macOS users with fake Ledger apps that deploy malware to steal seed phrases, which protect access to cryptocurrency wallets. 

Ledger is a popular hardware wallet that stores cryptocurrencies offline. Users recover their wallets with a seed phrase, a set of 12 or 24 words that must remain private and offline. Attackers impersonate the Ledger app to trick users into entering their seed phrases on phishing pages. 

Moonlock Lab has tracked these attacks since August 2024. Initially, the fake apps stole passwords and wallet information but not seed phrases, which limited the attackers' access. However, recent malware updates now aim to steal the full seed phrase, allowing attackers to drain victims’ wallets.

In March 2025, a threat actor called ‘Rodrigo’ deployed a new macOS malware named ‘Odyssey’ that replaces the legitimate Ledger Live app. Odyssey shows a fake “critical error” screen and asks for the seed phrase, then sends stolen data to Rodrigo’s command server. 

This successful approach inspired copycats like the AMOS stealer. Recent AMOS campaigns use DMG files (e.g., ‘JandiInstaller.dmg’) to bypass macOS security (Gatekeeper), install fake Ledger apps, and phish for seed phrases. Victims receive fake “App corrupted” messages to reduce suspicion while attackers steal assets. 

Another actor, ‘@mentalpositive,’ has advertised an “anti-Ledger” module on dark web forums, though no working versions have been found. 

Researchers at Jamf recently uncovered a similar campaign where a PyInstaller-packed binary in a DMG loads a phishing page via iframe in a fake Ledger interface. These attacks combine phishing for seed phrases with stealing browser data, wallet configurations, and system info. 

To stay safe: 

  • Only download Ledger Live from the official Ledger website. 
  • Never type your seed phrase into any app or website. 
  • Seed phrases should only be entered on the physical Ledger device during wallet recovery or setup. 
