Cybercriminals are using fake Ledger Live apps and phishing alerts to steal seed phrases, launching malware that silently drains crypto wallets across platforms.

Cybercriminals are using fake versions of Ledger Live — the app used to manage crypto on Ledger wallets — to steal seed phrases and drain users’ funds. Moonlock Lab revealed that since August 2024, at least four active malware campaigns have targeted Ledger Live with phishing attacks.

Initially, fake apps could only steal notes and wallet data. But today, they trick users into giving away their 24-word seed phrase. One tactic, seen in Atomic macOS Stealer (AMOS), involves a fake security alert that asks users to “verify” their seed phrase. Once typed, it’s sent directly to hackers.

The shift began with the “Odyssey” malware by a hacker named Rodrigo. According to Moonlock, since March 2025, Odyssey has bypassed Ledger Live’s defenses with a phishing page that urges users to enter their seed to fix a “critical error.”

Rodrigo’s method set off a chain reaction. Another hacker, @mentalpositive, claimed their malware now includes an “anti-Ledger” module. But two samples of their code showed no major changes—only a new server address and name switch from “JENYA” to “SHELLS.”

Meanwhile, a new campaign discovered by Jamf Threat Labs involved an undetectable Mac installer that loads a fake Ledger Live interface. The stealer silently grabs passwords, files, and wallet data using a mix of Python and AppleScript.

AMOS has also adopted Rodrigo’s phishing scheme. Victims are tricked into launching a terminal file that bypasses Apple’s security checks, allowing malware to run. If it detects a real system, not a virtual one, it sends stolen files and credentials — including data from Binance and TonKeeper — to a remote server.

With more hackers copying this approach, crypto users are urged to avoid entering seed phrases into apps or pop-ups.

Hi, I’m Kiara Fabbri a Tech News Writer at WizCase. I'm a multimedia journalist with a keen interest in innovative and immersive news storytelling. Fluent in three languages—Italian, English, and Spanish—I'm deeply engaged in all facets of news reporting. I am currently undertaking a Ph.D. exploring VR applications in journalism. Following my studies in psychology (BSc) and political psychology (MSc), I embarked on a three-year journey across South America. During this time, I undertook a 4000 km solo bicycle trip from Chile to Brazil. There, I camped, cooked on the road, and volunteered in various facilities. It was during these travels that I discovered my passion for journalism. Subsequently, I pursued a Master's program in journalism innovation and enterprise. My career in journalism has seen me produce VR immersive experiences covering a range of topics. These include documenting an Anti Militaristic raid of a NATO Base, life in the Brazilian Favelas, the recent violent protest clashes in Buenos Aires and finally social projects run by Skaters in the Argentinian ghettos. In addition to my journalistic endeavours, I also practice parkour, a discipline I have cultivated over several years now. I love to make the most of this skill in my journalistic style; for example, it has enabled me to capture dynamic footage from heights during the recent violent clashes in Buenos Aires. There, I scaled heights and employed a long stick on my camera to create aerial 360° views. Through my dedication to pushing the boundaries of journalism, I am committed to amplifying voices, sparking meaningful conversations, and driving positive change in the world.