Hackers Use Fake Ledger Apps to Steal Mac Users’ Seed Phrases | Latest Malware Campaigns Exposed

Hackers are targeting Mac users with fake Ledger apps designed to steal 24-word seed phrases and access cryptocurrency wallets. Learn how malware like Odyssey and AMOS bypass Apple security and how to stay protected.



What’s Happening: Fake Ledger Apps on macOS Are Targeting Crypto Wallets

In the ever-evolving landscape of cyber threats, macOS users have become the latest targets of sophisticated phishing attacks leveraging fake Ledger apps. These apps are designed to mimic the legitimate Ledger Live cryptocurrency wallet application, with one nefarious goal—to steal users’ recovery seed phrases, which are the keys to their digital assets.

This blog explores how cybercriminals are weaponizing fake Ledger apps, the role of malware like Odyssey and AMOS, the evolution of these campaigns, and most importantly—how to stay protected.

What Is Ledger and Why Is It Targeted?

Ledger is one of the most trusted hardware wallet solutions for securely storing cryptocurrencies offline. It uses “cold storage” to protect private keys from online threats.

Every Ledger wallet is backed up by a seed phrase, typically 12 or 24 random words that can recover the wallet on a new device. If this phrase is compromised, an attacker can fully access and drain the wallet’s contents—making it a prime target.

How Hackers Are Exploiting Ledger Users on macOS

Fake Ledger Apps Masquerade as Legitimate Software

Cybercriminals are distributing malicious clones of Ledger Live apps through trojanized DMG installers on macOS. Once installed, the app opens a phishing interface resembling the original, prompting users to input their 24-word seed phrase under the guise of “recovering access” or fixing a fake “critical error.”

The Evolution of This Campaign: From Password Theft to Full Wallet Hijack

Phase 1: Early 2024 – Stealing Wallet Info (Not Enough to Hack)

According to Moonlock Lab, this campaign began in August 2024, initially aimed at harvesting passwords and wallet metadata. However, without seed phrases, attackers couldn’t access funds.

Phase 2: March 2025 – ‘Odyssey’ Malware Enters the Scene

In March, a threat actor known as ‘Rodrigo’ introduced Odyssey, a powerful macOS malware that replaced the real Ledger Live app with a trojanized version. This app presented a phishing page asking users to re-enter their seed phrase, effectively handing over full control of their wallet to the attackers.

How Odyssey Malware Works

  • Mimics Ledger Live app interface.

  • Shows a fake “critical error” pop-up to create urgency.

  • Loads a phishing screen directly in-app.

  • Exfiltrates seed phrase and system data to the attacker’s server.

The success of this campaign quickly inspired copycats.

Rise of Copycats: AMOS Malware and ‘@mentalpositive’

AMOS (Atomic macOS Stealer)

Following Odyssey, AMOS malware launched its own campaign using files like JandiInstaller.dmg, which:

  • Bypassed Apple’s Gatekeeper security.

  • Installed a fake Ledger Live app.

  • Used phishing screens that mimicked Rodrigo’s.

  • Showed a deceptive “App corrupted” message to avoid suspicion while stealing assets.

Dark Web Activity

A new actor called @mentalpositive began advertising an “anti-Ledger” module, though no active samples have been found yet. This shows ongoing interest in developing tools to exploit Ledger users.

The Latest Attack Variant: PyInstaller-Loaded Ledger Clone

PyInstaller-Packed Binary

Researchers from Jamf recently uncovered a new variant involving:

  • A DMG file containing a PyInstaller-packed malware binary.

  • A fake app that loads the phishing page through an iframe.

  • Targeting of not only Ledger seed phrases but also browser data, hot wallet configurations, and system information.

This hybrid attack model allows broader exploitation beyond just Ledger users.

Why Seed Phrase Theft Is So Dangerous

The 24-word seed phrase is the master key to a crypto wallet. Once entered on a phishing page:

  • Hackers gain full, irreversible control over all assets.

  • They can transfer funds without detection or rollback.

  • Even resetting the wallet doesn’t prevent future compromise if the phrase is leaked.

How to Protect Yourself from Fake Ledger Apps

1. Download Only from Official Sources

Always download Ledger Live from the official website:
https://www.ledger.com/ledger-live

2. Never Type Your Seed Phrase on a Mac

Seed phrases should only be entered on your physical Ledger device, never on your Mac, browser, or any app.

3. Use Built-in macOS Security Tools

Enable Gatekeeper and System Integrity Protection (SIP). Also, consider a third-party endpoint security solution.

4. Monitor for Suspicious Behavior

Be wary of:

  • Sudden “critical error” messages from crypto apps.

  • Any app asking for your seed phrase.

  • New apps or installers with names resembling Ledger or common system tools, such as “JandiInstaller” or “Terminal.”
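The warning signs above, together with the PyInstaller-packed variant described earlier, can be turned into a small static triage routine. The following script is an added example and is not code from the article or from any of the researchers it cites. It flags installer names that resemble “Ledger Live” (by normalised edit distance), the JandiInstaller.dmg file name the article attributes to the AMOS campaign (the watchlist is otherwise an assumption), PyInstaller-packed executables (by the archive magic the PyInstaller bootloader embeds), and binaries carrying an embedded iframe next to seed-phrase wording. The sample inputs at the bottom are constructed and contain no real malware; the heuristics complement, and never replace, code-signature verification.

```python
"""Static triage heuristics for suspected fake Ledger Live installers.

Added example (not the article's or any vendor's code). Flags what the
article describes: look-alike names, a known malicious file name, and
PyInstaller-packed binaries that embed an iframe phishing page.
"""
import re

GENUINE_NAME = "Ledger Live"
# File name the article attributes to the AMOS campaign; the watchlist
# itself is an assumption and should be fed from real threat intel.
KNOWN_BAD_FILENAMES = {"jandiinstaller.dmg"}
# Magic bytes that begin every PyInstaller CArchive appended to a bootloader.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"


def normalize(name: str) -> str:
    """Casefold and keep only letters/digits, dropping a bundle/installer suffix,
    so that 'Ledger-Live.app' and 'ledgerlive' compare equal."""
    base = re.sub(r"\.(app|dmg|pkg)$", "", name, flags=re.I)
    return re.sub(r"[^a-z0-9]", "", base.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_pyinstaller_packed(data: bytes) -> bool:
    """True when the PyInstaller archive magic occurs anywhere in the file."""
    return PYINSTALLER_MAGIC in data


def has_embedded_phishing_page(data: bytes) -> bool:
    """Crude check: an HTML iframe plus recovery-phrase wording inside the binary."""
    text = data.decode("latin-1").casefold()
    wording = ("recovery phrase", "seed phrase", "24 words")
    return "<iframe" in text and any(w in text for w in wording)


def triage(filename: str, data: bytes = b"") -> list:
    """Return human-readable findings for one file; an empty list means nothing flagged."""
    findings = []
    if filename.casefold() in KNOWN_BAD_FILENAMES:
        findings.append("file name matches a known malicious installer")
    norm, target = normalize(filename), normalize(GENUINE_NAME)
    if norm != target and ("ledger" in norm or edit_distance(norm, target) <= 2):
        findings.append(f"name {filename!r} is a look-alike of {GENUINE_NAME!r}")
    if is_pyinstaller_packed(data):
        findings.append("executable is PyInstaller-packed, unexpected for a genuine Ledger Live build")
    if has_embedded_phishing_page(data):
        findings.append("embedded iframe with seed-phrase wording found")
    return findings


# Constructed samples (not real malware): a genuine-looking name, a typo-squat,
# the file name from the article, and a fake binary carrying the PyInstaller
# magic plus an iframe phishing page.
SAMPLES = {
    "Ledger Live.app": b"\x00" * 64,
    "Ledger Llve.app": b"\x00" * 64,
    "JandiInstaller.dmg": b"\x00" * 16,
    "Terminal.app": b"\x00" * 16 + PYINSTALLER_MAGIC
    + b'<iframe src="https://phish.example.invalid/recover"></iframe> Enter your 24 words',
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", triage(name, blob) or "no findings")
```

Run it against real files by replacing `SAMPLES` with the bytes of the main executable inside the `.app` bundle (`Contents/MacOS/<name>`); a genuine installer should produce no findings, while the constructed “Terminal.app” sample is flagged twice.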

5. Check App Signatures and Certificates

Verify the app’s code signature and make sure it was signed by the legitimate, Apple-registered developer rather than an ad-hoc or unknown identity.
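Concretely, on macOS the signature check comes down to three questions: is the signature intact, would Gatekeeper accept the bundle, and which Team ID signed it? The script below is an added example, not code from the article or from Ledger, and it wraps the built-in `codesign` and `spctl` tools (so the live checks only run on macOS). `EXPECTED_TEAM_ID` is a placeholder: obtain the real value once from a copy of Ledger Live downloaded from the official site and pin it, so a clone signed by some other developer, or not signed at all, is rejected even if it looks identical.

```python
"""Verify a macOS app bundle's code signature against a pinned Team ID.

Added example (not the article's or Ledger's code). Requires the macOS
`codesign` and `spctl` command-line tools for the live checks; the output
parsing and assessment logic are plain Python.
"""
import subprocess
import sys

# Placeholder: replace with the Team ID printed for a genuine Ledger Live download.
EXPECTED_TEAM_ID = "REPLACE_WITH_EXPECTED_TEAM_ID"


def parse_codesign_info(text: str) -> dict:
    """Parse `codesign -d --verbose=2` output (key=value lines) into a dict.

    The Authority= key repeats once per certificate in the chain, so those
    values are collected into a list instead of overwriting each other.
    """
    info: dict = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def assess_signature(info: dict, expected_team_id: str) -> list:
    """Return a list of problems; an empty list means the identity checks pass."""
    problems = []
    # Ad-hoc signatures print "TeamIdentifier=not set"; a missing key is treated the same way.
    team = info.get("TeamIdentifier", "not set")
    if team != expected_team_id:
        problems.append(f"TeamIdentifier {team!r} does not match expected {expected_team_id!r}")
    authorities = info.get("Authority", [])
    if not any(a.startswith("Developer ID Application:") for a in authorities):
        problems.append("no Developer ID Application certificate in the chain")
    if "Apple Root CA" not in authorities:
        problems.append("certificate chain does not end at Apple Root CA")
    return problems


def _run(cmd: list) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True)


def verify_app(app_path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> list:
    """Run the live checks on an installed bundle (macOS only)."""
    problems = []
    # 1. Is the signature intact for every nested binary, under strict rules?
    r = _run(["codesign", "--verify", "--deep", "--strict", app_path])
    if r.returncode != 0:
        problems.append("codesign --verify failed: " + r.stderr.strip())
    # 2. Would Gatekeeper allow this bundle to execute?
    r = _run(["spctl", "--assess", "--type", "execute", app_path])
    if r.returncode != 0:
        problems.append("spctl assessment rejected: " + (r.stderr or r.stdout).strip())
    # 3. Who signed it? codesign -d writes its details to stderr.
    r = _run(["codesign", "-d", "--verbose=2", app_path])
    problems += assess_signature(parse_codesign_info(r.stderr), expected_team_id)
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Ledger Live.app"
    issues = verify_app(target)
    print("OK: signature matches pinned identity" if not issues else "\n".join(issues))
```

Running `python3 verify_ledger_live.py "/Applications/Ledger Live.app"` (file name assumed) prints either the OK line or one problem per line. Pinning the Team ID is what makes this meaningful: a Developer ID certificate proves only that some Apple-registered developer signed the bundle, not that it was Ledger.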

What to Do If You’ve Entered Your Seed Phrase on a Suspicious App

  1. Immediately transfer funds to a new wallet.

  2. Reset your Ledger device with a new seed phrase.

  3. Monitor blockchain transactions for suspicious activity.

  4. Report the incident to Ledger and cybersecurity agencies.

Real-World Impact: This Isn’t Just Theoretical

Numerous macOS users have fallen victim to these attacks—especially those new to crypto who might trust a clean-looking app interface. With the increase in Trojan installers bypassing Apple defenses, even tech-savvy users are at risk.

The growing popularity of cold wallets like Ledger makes them a natural target for well-funded attackers, especially with the rise of copycat malware and dark web interest in developing new modules.

Conclusion: Stay Alert, Stay Offline

The core lesson: your seed phrase is sacred.
Never type it anywhere except your Ledger device. Even if the interface looks real, malware today is deceptively sophisticated.

Ledger wallets offer great security—but only when used properly. No app, update, or error message should ever ask for your seed phrase.

Cyber hygiene and user awareness are now just as critical as the technology itself.

Frequently Asked Questions (FAQs)

What is the fake Ledger app malware targeting Mac users?

Cybercriminals are using Trojanized Ledger Live clones on macOS to steal seed phrases through phishing interfaces embedded within fake apps.

How do hackers use fake Ledger apps to steal crypto?

They trick users into typing their 24-word seed phrase into a phishing screen, allowing them full access to victims' crypto wallets.

What is a seed phrase, and why is it sensitive?

A seed phrase is a 12- or 24-word code that allows users to recover cryptocurrency wallets. If stolen, attackers can empty your wallet.

What is the Odyssey malware used in Ledger phishing attacks?

Odyssey is a macOS malware variant that replaces the original Ledger Live app and loads a fake recovery screen to steal seed phrases.

Who is ‘Rodrigo’ in the Ledger malware campaign?

Rodrigo is the alias of a threat actor who deployed the Odyssey stealer, targeting Mac users with fake Ledger interfaces.

What is AMOS malware, and how is it related to Ledger scams?

AMOS is a macOS stealer that mimics Odyssey’s techniques, using DMG files to install fake Ledger apps and phish for seed phrases.

What is the role of Moonlock Lab in identifying these threats?

Moonlock Lab tracks the evolution of fake Ledger app campaigns and reports on new variants like Odyssey and AMOS.

How can users identify a fake Ledger Live app?

Check digital signatures, only download from Ledger’s official site, and be cautious of DMG installers from unknown sources.

What does a Ledger phishing page look like?

It mimics Ledger’s recovery interface and prompts users to input their full 24-word seed phrase, often after showing a fake error.

Why do hackers want my Ledger seed phrase?

Because it gives them complete control over your crypto wallet, allowing them to transfer and steal all assets instantly.

Is macOS Gatekeeper bypassed in these attacks?

Yes, certain DMG files used in these attacks can bypass Gatekeeper, allowing installation without alerting users.

How is the phishing interface embedded in the fake Ledger app?

Some attacks use iframes or embedded HTML pages within PyInstaller-packed binaries to present phishing prompts.

What should I do if I entered my seed phrase in a fake app?

Immediately transfer funds to a new wallet, reset your Ledger device, and generate a new seed phrase.

Are these Ledger phishing campaigns still active in 2025?

Yes, multiple active campaigns have been identified in 2025, including new malware variants and distribution methods.

Is the official Ledger Live app safe to use?

Yes, but only if downloaded from the official Ledger website. Avoid third-party sources and fake versions.

What is the JandiInstaller.dmg file?

It is a fake macOS installer used in AMOS campaigns to install trojanized Ledger apps that execute phishing attacks.

What is the anti-Ledger module seen on dark web forums?

An advertised malware toolkit meant to exploit Ledger users, though working versions haven’t been confirmed publicly.

How do fake Ledger apps avoid detection?

They use realistic app interfaces, social engineering (like fake error messages), and bypass macOS protections like Gatekeeper.

Can Apple’s built-in security stop these fake Ledger apps?

Not always. Some malware can bypass Gatekeeper, and users often unknowingly grant permissions.

Why are macOS users targeted in crypto phishing campaigns?

Because macOS users are often perceived as wealthier and less familiar with crypto hygiene, making them appealing targets.

What does Jamf’s research reveal about the attacks?

Jamf found new campaigns using DMG files and phishing pages embedded via iframe to steal Ledger seed phrases and browser data.

Are hot wallets also targeted in these campaigns?

Yes, attackers may also extract hot wallet configurations and credentials from infected systems.

How do these campaigns spread the fake Ledger apps?

Often through phishing emails, cracked software websites, or underground forums offering “new versions” of Ledger Live.

Is entering my seed phrase on a Mac ever safe?

No. Seed phrases should only be entered directly on the Ledger hardware device, not on any computer or app.

How can I verify my Ledger Live app is legitimate?

Check the app’s digital certificate, version number, and source. Avoid installing from unofficial sites or torrent platforms.

Can malware steal my crypto without my seed phrase?

In some cases, if your wallet is unlocked and browser data is accessible, malware may extract keys—but seed phrase theft ensures full access.

What’s the difference between cold and hot wallets?

Cold wallets (like Ledger) are offline and more secure; hot wallets are online and more vulnerable to malware attacks.

How often are new Ledger phishing threats discovered?

Multiple times a year, with increasing sophistication and variations as attackers learn and copy each other.

What should Ledger users do to stay secure in 2025?

Use only official apps, never type seed phrases into apps or browsers, and enable all macOS security protections.

Where can I report a fake Ledger app or phishing attempt?

Report to Ledger Support and your local cybersecurity agency for further investigation.
