Cybercriminals Deploy Fake Ledger Apps to Steal Cryptocurrency Seed Phrases from macOS Users

A surge in attacks has been reported in which malicious actors deploy counterfeit Ledger applications to deceive macOS users into divulging their cryptocurrency seed phrases. These seed phrases, which are critical for securing access to digital wallets, are now the primary target of this new type of malware aimed at compromising users’ digital assets.

According to a Moonlock Lab report, the attacks involve sophisticated counterfeit applications that impersonate the legitimate Ledger service, which is widely recognized for providing secure cold storage for cryptocurrencies. The fake apps are designed to trick users into entering their seed phrases on phishing pages disguised as the genuine interface.

As noted by the researchers, the tactics have evolved significantly since they were first detected in August 2024, when the cybercriminals could primarily access less sensitive information. They have since refined their methods to extract seed phrases directly from victims, which enables them to drain entire cryptocurrency wallets.

In March 2025, Moonlock Lab identified a new malware variant named ‘Odyssey’, which directly replaces the authentic Ledger Live application on infected devices, making the phishing campaign more effective. As these threats have evolved, similar attacks have proliferated, with other malware groups replicating these methods to target unsuspecting users across various online communities.

The researchers also highlighted a recent report from Jamf detailing additional phishing efforts that use iframes to mimic the Ledger interface, which underscores the need for vigilance among cryptocurrency users.

Users are advised to download Ledger applications only from the official website and to enter their seed phrases only when restoring a wallet directly on the physical Ledger device, an action that should never occur within an app or online setting.