
Here is how fraudsters target Ledger wallet users to steal crypto on macOS

Fake Ledger Live applications on macOS target crypto users.

Ledger wallet users are being targeted by a sophisticated phishing campaign that uses fake Ledger Live applications on macOS.

According to a report from Moonlock Lab, a cybersecurity lab, attackers are distributing malware that replaces the legitimate Ledger Live application with a clone designed to steal users' 24-word recovery phrases and, in some cases, crypto assets.

Once entered, these phrases are sent to attacker-controlled servers, allowing the attackers to drain the cryptocurrency wallet immediately.

How does it happen?

The campaign relies on a variant of Atomic macOS Stealer, which Moonlock has found on more than 2,800 websites.

Atomic Stealer, also known as AMOS (Atomic macOS Stealer), is a malware strain designed for macOS that steals sensitive user information.

It was first observed in early 2023 and quickly gained traction on underground forums thanks to its malware-as-a-service (MaaS) model, under which cybercriminals can rent it and launch attacks without technical expertise.

Once the user downloads the malware, it not only collects passwords, notes and wallet data, but also replaces the Ledger Live application with a clone.

The fake application then displays a deceptive alert about “suspicious activity”, prompting the user to enter their seed phrase to secure their wallet.

Initially, Moonlock noted, the cloned application was used only to steal sensitive user data, but the attackers have since “learned to steal seed phrases and empty their victims.”

Moonlock researchers have tracked at least four ongoing campaigns using this method and warned that these threat actors “have become more intelligent”.

Moonlock has been tracking the malware since August and has so far identified at least four active operations targeting Ledger users.

More worryingly, researchers also found dark web forums increasingly advertising malware with “anti-Ledger” capabilities, although in one case the advertised features were not yet fully working.

These features are still in development or “coming in future updates”, the researchers speculated.

“This is not just a theft,” said Moonlock researchers.

Other attack vectors targeting Ledger users

Over the past year, Ledger users have faced a range of phishing methods.

In one Reddit post from January 2024, a victim described how their computer was silently compromised, which led to the loss of $15,000 worth of Bitcoin, Ethereum, Cardano and Litecoin after they entered their seed phrase into what they thought was a factory reset in Ledger Live.

Attackers have also exploited community channels. On May 11, 2025, a moderator account on Ledger's official Discord server was compromised.

The attacker used the account's elevated permissions to mute legitimate users and deploy a bot that posted links to a phishing site imitating Ledger's verification page.

Meanwhile, in late April, fraudsters sent physical letters to users, impersonating official Ledger correspondence.

These letters included the company's branding, a reference number and a QR code directing recipients to enter their seed phrase in order to perform a “critical security update”.

How do you stay safe?

Moonlock advised users to avoid entering their 24-word recovery phrase into any application, website or form, regardless of how legitimate it appears.

A warning about a “critical error” or a request to verify the wallet is always a sign of fraud.

The company also urged users to download Ledger Live exclusively from official sources, and warned that no genuine Ledger service will ever ask for the recovery phrase under any circumstances.

The post Here is how fraudsters target Ledger wallet users to steal crypto on macOS first appeared on Invezz.
