- Crypto wallets securely store private keys, enabling users to send, receive, and spend cryptocurrencies like Bitcoin and Ethereum.
- Ledger is a major hardware wallet provider.
- A cyberattack is any unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.
In a growing wave of cyberattacks targeting cryptocurrency users, hackers are deploying counterfeit versions of the Ledger Live app to trick macOS users into revealing their seed phrases.
The malicious campaign involves replacing the legitimate Ledger Live desktop application with a nearly identical clone that prompts users to input their recovery phrase through a deceptive pop-up message.
Once the phrase is entered, attackers gain full control of the victim’s wallet.
“Initially, attackers could use the clone to steal passwords, notes, and wallet details to get a glimpse of the wallet’s assets, but they had no way to extract the funds,” Moonlock researchers said.
“Now, within a year, they have learned to steal seed phrases and empty the wallets of their victims.”
The Atomic macOS Stealer, malware specifically designed to harvest sensitive data, has been discovered on at least 2,800 compromised websites (malicious ads). Moonlock says this poses a significant threat to unsuspecting users who download apps outside official channels.
Moonlock also uncovered evidence that the Atomic macOS Stealer was advertised on the dark web, though at least one variant failed to steal seed phrases as promised.
Ledger has previously warned its users against inputting their seed phrase into any device or app, except when setting up a new hardware wallet offline, and advises against storing seed phrases digitally or using unverified devices.
As crypto-related malware grows more sophisticated, cybersecurity professionals stress the importance of personal security hygiene.
Personal security hygiene includes strong passwords, verified software sources, and awareness of phishing techniques.
Users are urged to download Ledger Live only from official sources whilst remaining vigilant for signs of tampering or unexpected prompts.
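As an added example (not code from the article, Moonlock or Ledger), one concrete way to look for the "signs of tampering" mentioned above is to compare the macOS code-signature report of the installed Ledger Live bundle against the expected Developer ID chain. The Team ID and bundle identifier below are placeholders that must be taken from Ledger's official documentation, and the two `codesign`-shaped reports are constructed samples.

```python
import shutil
import subprocess

# Placeholders: take the real values from Ledger's official documentation.
EXPECTED_TEAM_ID = "LEDGER_TEAM_ID_PLACEHOLDER"
EXPECTED_IDENTIFIER = "com.ledger.live"  # assumed bundle id, verify against the official build

def parse_codesign(output: str) -> dict:
    """Turn `codesign -dv --verbose=4` text into a dict; Authority lines repeat, so collect them."""
    info = {"Authority": []}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info

def assess(info: dict) -> list[str]:
    """Return findings; an empty list means the bundle matches the expected identity."""
    findings = []
    if "adhoc" in info.get("Signature", ""):
        findings.append("ad hoc signature: no developer identity at all")
    if info.get("TeamIdentifier") != EXPECTED_TEAM_ID:
        findings.append(f"TeamIdentifier {info.get('TeamIdentifier')!r} != expected")
    if not any(a.startswith("Developer ID Application:") for a in info["Authority"]):
        findings.append("no Developer ID Application certificate in chain")
    if info.get("Identifier") != EXPECTED_IDENTIFIER:
        findings.append(f"bundle identifier {info.get('Identifier')!r} unexpected")
    return findings

def assess_installed(path: str = "/Applications/Ledger Live.app") -> list[str]:
    """Inspect a real bundle (macOS only); codesign writes its report to stderr."""
    if shutil.which("codesign") is None:
        return ["codesign not available on this host"]
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return [f"codesign failed: {proc.stderr.strip()}"]
    return assess(parse_codesign(proc.stderr))

# Constructed sample report for a correctly Developer ID signed build ...
GENUINE = """Identifier=com.ledger.live
Authority=Developer ID Application: Ledger SAS (LEDGER_TEAM_ID_PLACEHOLDER)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=LEDGER_TEAM_ID_PLACEHOLDER
"""
# ... and for a clone that only carries an ad hoc signature
CLONE = """Identifier=com.ledger.live
Signature=adhoc
TeamIdentifier=not set
"""
```

Run `assess_installed()` on a Mac to check the real bundle; a non-empty list is reason to delete the app and reinstall from Ledger's official site.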