Cybercriminals are using fake versions of the Ledger Live app to steal cryptocurrency from Mac users by tricking them into revealing their seed phrases.
According to research by Moonlock Lab and Jamf, these phishing campaigns have grown more sophisticated since August 2024, evolving from basic data theft to full wallet drain operations.
Ledger, a hardware wallet designed to keep crypto assets secure offline, relies on a 12- or 24-word seed phrase for wallet recovery. This phrase is meant to remain private and offline at all times.
Malware Evolution: From Data Theft to Full Wallet Drains
Initial versions of these fake Ledger apps could only capture passwords and wallet metadata. Now, malware such as Odyssey and AMOS includes convincing phishing screens inside the fake apps that trick users into entering their seed phrases. These phrases are then exfiltrated to attackers’ servers, allowing them to steal all stored assets.
In March 2025, Moonlock Lab identified Odyssey, a macOS stealer created by a threat actor named “Rodrigo.” It replaces the legitimate Ledger Live app and displays a fake “critical error” to convince users to type their seed phrase into a phishing form. That data is then sent to a command-and-control (C2) server via a specific URL structure.
Imitators and Expanding Campaigns
Rodrigo’s tactics quickly caught attention. Other malware families like AMOS adopted similar techniques. A recent AMOS campaign used a DMG file (JandiInstaller.dmg) that bypasses macOS Gatekeeper and installs a trojanized version of Ledger Live. Victims who entered their recovery phrase saw a fake “App corrupted” message while attackers drained their wallets.
Meanwhile, a dark web user going by @mentalpositive claimed to offer an “anti-Ledger” feature in their malware. Although Moonlock hasn’t found full phishing functionality in samples analyzed, strings referencing “Ledger Live” and command-and-control domains suggest development is underway.
New Attack Vectors Identified by Jamf
In May 2025, Jamf researchers uncovered another campaign that uses a PyInstaller-packed DMG file. It loads a phishing interface via iframe inside a fake Ledger Live window. The malware collects seed phrases, browser data, wallet configs, and system information using a combination of AppleScript and Python scripts to maximize data theft while evading detection.
Four Active Campaigns and Growing Dark Web Activity
There are now four known active malware campaigns targeting Ledger users:
- Odyssey by Rodrigo
- Mentalpositive’s in-development stealer
- AMOS-based clones using JandiInstaller.dmg
- A Jamf-documented campaign with iframe-loaded phishing pages
All rely on phishing to bypass Ledger’s physical security model, which never requires seed phrase input via the app or web browser.
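As an added example (not code from Ledger, Moonlock Lab or Jamf), the following Python triage script applies the traits the four campaigns above share to a suspected Ledger Live bundle: it flags a bundle that presents itself as Ledger Live, PyInstaller artifacts or embedded AppleScript, and text that pairs a fake error with a request for the seed phrase. The PyInstaller file names and the sample bundle it builds are assumptions constructed for the demo; it does not verify the code signature, which on macOS remains the decisive check.

```python
import os
import plistlib
import re
import tempfile

# Fake error/warning followed within 200 bytes by a request for the seed or recovery phrase.
PHISHING_RE = re.compile(
    r"(critical error|app corrupted|suspicious activity).{0,200}?(seed|recovery) phrase",
    re.IGNORECASE | re.DOTALL,
)
# Typical PyInstaller one-dir file names (assumption; not taken from the article).
PYINSTALLER_MARKERS = {"base_library.zip", "PYZ-00.pyz"}


def scan_bundle(app_dir: str) -> list[str]:
    """Return human-readable findings for one .app directory (empty list = nothing suspicious).
    Triage heuristic only: the signature still has to be checked with codesign/spctl on macOS."""
    findings = []
    info = os.path.join(app_dir, "Contents", "Info.plist")
    if os.path.isfile(info):
        with open(info, "rb") as fh:
            plist = plistlib.load(fh)
        name, ident = str(plist.get("CFBundleName", "")), str(plist.get("CFBundleIdentifier", ""))
        if "ledger" in (name + ident).lower():
            findings.append("bundle presents itself as Ledger Live: %s (%s)" % (name, ident))
    for root, _dirs, files in os.walk(app_dir):
        for fname in files:
            if fname in PYINSTALLER_MARKERS:
                findings.append("PyInstaller artifact: %s" % fname)
            if fname.endswith((".scpt", ".applescript")):
                findings.append("embedded AppleScript: %s" % fname)
            try:
                with open(os.path.join(root, fname), "rb") as fh:
                    data = fh.read(2_000_000)  # cap reads; large binaries are scanned in part
            except OSError:
                continue
            if PHISHING_RE.search(data.decode("latin-1")):
                findings.append("seed-phrase phishing text in %s" % fname)
    return findings


def build_sample_bundle() -> str:
    """Create a constructed sample bundle with the traits above (not a real malware sample)."""
    app = os.path.join(tempfile.mkdtemp(), "Ledger Live.app")
    res = os.path.join(app, "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleName": "Ledger Live", "CFBundleIdentifier": "com.example.fake"}, fh)
    open(os.path.join(res, "base_library.zip"), "wb").close()  # empty stand-in for the archive
    with open(os.path.join(res, "error.html"), "w") as fh:
        fh.write("<h1>Critical error</h1><p>Enter your 24-word recovery phrase to continue.</p>")
    return app
```

Running `scan_bundle(build_sample_bundle())` reports the three traits; a genuine bundle from Ledger’s site should yield only the name finding, which is expected and is where the signature check takes over.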
How to Protect Your Wallet
- Never enter your seed phrase on any app or website. Only use the physical Ledger device during setup or recovery.
- Download Ledger Live only from Ledger’s official site.
- Ignore any “critical error” or “suspicious activity” pop-ups asking for seed phrases.
- Stay updated by following trusted security researchers like Moonlock Lab and Jamf.
Bottom line: This new wave of phishing attacks shows that hackers no longer rely on traditional malware tactics to breach cold wallets. Instead, they focus on exploiting user trust. Never type your seed phrase into anything other than your physical Ledger device, and always verify software sources.