Bitcoin Forum

There is a new scam that targets Ledger and Ledger Live users on macOS. It's a phishing campaign meant to get victims' recovery phrases and steal their crypto. Most malware is created for Windows but users of other OS's must also be careful.

A person can get infected with an Atomic macOS Stealer malware from close to 3000 hacked websites. If that happens, the malware will look for the genuine Ledger Live app on your computer. If it finds it, the malware will uninstall Ledger Live and replace it with a fake and malicious app. When you run this software, you will see a pop-up notifying you of “suspicious activity” and "critical errors." To fix the problem and recover your coins, the app will ask you to enter your seed phrase.

You know what happens if you do. Your wallets will be drained and the scammers will steal all they can.
Take good care of your seeds and keys!


More information is available below:
https://x.com/BitcoinNewsCom/status/1926755303283978477

Years back a lot of people claimed MacOS was immune to phishing attacks but in recently it proves otherwise that the internet generally isn't a safe place instead person care is more important especially for us who deal with crypto and bitcoin especially.

This fake ledger live app has been discussed if can remember but it was only targeting windows only but today it's more like general attacks, we just have to be careful. Probably airgapped device for a cold wallet will be better so we don't come in contact with this phishing attacks.

Even if it once happened like that, not anymore this time around, because scammers are also advancing more in their evil ways, they can penetrate on anything they wish to, the only way for us to be safe is when we could acheive the maximum security measures from our end, so we don't get engaged on malicious link, phishing sites and anything that could render vulnerability to us that we got attacked.

It's a reminder to anyone who thinks that I am using Mac and iOS so I am completely safe from malware. :D

No one is safe when they are in the space (online) so they must be keep looking for the pitfalls or better just don't install any apps from websites too often and regarding crypto, Ledger is fcuked up for a while so I wonder anyone still using it? Deserve to get phished...

An operation system is not able to secure users if users are carelessly. From Windows, MacOS to Linux, there are bad people and attackers who want to do their "dark" jobs for stealing sensitive information and money of other people. You are only safe if you are careful with your practice, be knowledgeable about security that helps your practice enhancement, and if possible, manage to have AV software on your devices.

The first and most important protection layer is your carefulness, nothing else.

No operating system is completely safe from malware, and macOS is no exception but at least better than Windows, which faces tens of thousands of malware threats. While there are also some common Trojans for macOS, their number is minute compared to those found on Windows, likely due to Windows' larger global usage.

As more and more people start to use macOS, it could draw more attention from attackers yet, users are often the first point of vulnerability... if they avoid risky behaviors, they are far less likely to be affected

This is what I am talking about, windows affected mostly because more apps available for people to download which includes OS itself so piracy is what makes the platform vulnerable not the actual one. Anyway as you and others said no OS is safe, we ought to keep ourselves secured in every possible way but the fact is we can never be sure because some attacks are so complicated that we only know when attackers asking for ransom. That's why don't take chances move to airgapped device so that you can be sure it's safe.

I had already heard something about this AMOS macOS Stealer
Look at the image of the “advertisement” for this malware:

https://www.talkimg.com/images/2025/05/27/UXaVYo.png
Source: https://www.kandji.io/blog/amos-macos-stealer-analysis

the part that mentions the main wallets is quite scary  :o

I still don't understand how this malware manages to uninstall one program and install another on top of it
Wouldn't it trigger any permissions in MacOs before making these changes?

Linux and Mac systems are generally thought of as being more secure than Windows. Overall that's true. Windows has way too many vulnerabilities and vectors of attack. But this is also a question of which operating system is worth more to attack and spend time customizing attacks. 8 and perhaps 9/10 computers run Windows worldwide. Scam artists are more likely to get the results they desire from the OS that's mostly used. It's a larger attack surface.

No idea brother. Perhaps the victim gives the malware all the permissions it needs unknowingly when it interacts with it and gets the computer infected.

That's not all, the part of the code that infects Ledger Live and makes it prompts for mnemonic words can be avoided, but the malware scans the user's computer in search of their passwords, sensitive information saved in the browser... I wonder, some people usually take photos of the backup wallet containing the mnemonic words or even in a notepad...

A complete disaster.

The best way to avoid this type of malware is to avoid downloading cracked software and files from shady sites.

If the user operates the PC conscientiously, the chances of getting malware are drastically reduced.

But can't do that with Linux. This is a hint about which OS to use when using crypto.

Cleverly conceived, there is no other way to say it. Many will surely fall for this trap. Is it possible to limit the rights of the user's account on Mac OS to exclude the possibility of malicious programs without the participation of the user of the replace program? This malicious program seems to be behaving like it owns the place.

Exactly. Unless you are cautious and have a healthy dosage of paranoia in you that prevents you from clicking around and downloading everything you see online, your computers will stay clean and malware-free. You can at least separate your most important activities, like dealing with money, and keep it compartmentalized on a safe PC and do other stuff on a different computer if you have to. 

But what if the malware can make it seem like it's the user that gave it the needed rights by successfully replicating and pretending to be him/her? Everything is fine then.

There are two simple solutions to avoid getting this malware:
1. Stop using closed source windows OS
2. Stop using closed source ledger hardware wallets.

Temporary solution could also be to uninstall ledger live app,
hardware wallet can still be used with third party and native wallets, but you won't be able to update firmware.

This is more like an end to an era. In other words, no one is immune from phishing and other forms of attack irrespective of the device you are using. I have friends that once boasted of being 100% secured due to their gadgets  but this new development is an eye opener to all that it has become more of safe practice than reliant on gadgets.

Where is the safe place to install apps from at this point because there were emphasis to use only official sites to download apps? I know there have been serious focus on Ledger by scammers, which makes it a bit scary to even use.

Yea, take good care of your seeds. It used to be windows and not the untouchables are not touchable. No one is spared from the possibility of a malware attack.
Download the original software from the official websites.
Have updated antivirus/ antimalware software and more often, scan your computer.
And yes, scan your computer without internet connection.

If anybody buys a Ledger and is serious, responsible, and careful enough in making sure he/she's safe every step of the way, he/she would easily avoid falling to this scam.

We aren't short of reminders and warnings not to enter our seed phrase anywhere, except perhaps directly on the device itself. For some reasons, users end up entering their seed phrase on an app or a link, form, site, chat with an official support staff, whatever.

The warning isn't rocket science. It's simply saying not to enter the seed phrase anywhere. What's so hard to understand that?

I'll try to simplify it:

On a compromised site, they'll use one of those fake CAPTCHA's that ask users to prove they're not a robot > users will click on the "I'm not a robot" box to complete it, but by doing that, it'll trigger a Binance smart contract that delivers a command to the clipboard ^{[responsible for downloading & installing the malware]} > On the next step ^{[verification window]}, they'll ask users to run a certain command in terminal and by doing that, they'll be running the script for them.
^{- For more information, refer to this blog post: Over 2,800 hacked websites are infecting Macs with Atomic Stealer (https://moonlock.com/hacked-websites-atomic-stealer)}

https://www.talkimg.com/images/2025/05/29/UXC9zj.jpeg

This is not a Windows problem. It's a malware that targets and attacks macOS, not Windows users.

If a malware can be configured to replicate Ledger Live and try to trick Ledger users, it can also be made to replicate other software, like Trezor Suite, etc. The brand isn't important here. Ledger wasn't chosen because it's closed-source but because scammers know that there are more people using Ledger than other hardware wallet brands. They attack there where they believe there are the greatest odds to succeed.


Nothing changes. You are still safe. This isn't a hack where some scammers have devised a way to steal from you without your input and knowledge. It's social engineering where the user sends them their keys because they were tricked. Don't get tricked. How often have you given your physical wallet to a stranger on the street who asked for it? My guess is 0. 

It's still from official sources and making sure you verify the signatures and authenticity of the software to be certain it came from their development team. 

Notorious Ledger's subscription-based cloud service for backing up SEED phrases via Ledger Live proves that that it's technically possible to extract SEEDs from users' devices. They are already doing this for users who have subscribed to their backup service, but this mechanism opens the door to potential abuse by attackers ^{no matter who they are} simply because if Ledger Live can interact with a device in this way ^{and device itself allows such kind of interaction}, it's reasonable to assume that malicious actors could eventually reverse-engineer and clone the app to extract SEEDs from unsuspecting users.

This is especially concerning because many users assume that once they’ve downloaded Ledger Live from an official source it remains secure indefinitely. But as we see from the current development it’s possible for malware to replace silently the legitimate app with clones that look identical. Currently, most attacks over LL clones trick users into manually entering their SEED on a fake page. But the concern is that, in time, even this interaction with user may not be necessary for clone to extract SEED.

For those with more technical background, feel free to read the specifics of the current Ledger Live clones over there (https://moonlock.com/anti-ledger-malware).

P.S. I personally can no longer recommend using devices from Ledger HW line and their software.

I use computer a lot, to surf the web and do other things and what I have learnt in the past years is that you can't be too careful using a computer, Windows OS for example is vulnerable, even with the inbuilt Windows Security app, you will still likely to get caught in the trojan Web.

The only way is to avoid Internet connections on your computer but why then do you buy a computer when you cant access the Web? Even antivirus can't safe you most of the times, so it end in a last stop.

The last stop is getting everything money and asset related off your computer and you will be safe even if there are invisible trojan on your computer, get a standalone open source hardware wallet that don't need some app to work.

This type of hardware wallets are called airgapped for this reason, they are always offline, they are already like phone with full HD screen where you can make your transactions with no need to download extra app or connect to computer.

This must be an alarming again with the people who are using with the ledger, Im not familiar with the navigation of the macOS but it seems they have the like defender like does the Windows do which is XProtect and I guess upon their installation there's a permission that they need to turn off this built in security reason why the attacker have the chance get into to their network or the device itself. If you are a common user of your device for sure any kind of prompt related to the security is very alarming and we know that the apple products are one of the secured in terms of protection. So possible there's still an approval of the user right here I guess.

For those who use a Ledger device, they must undoubtedly download its software from its official website without opening or downloading this software from unknown sources, websites or email messages. In fact, some disable XProtect, which weakens the security system, and some users grant programs excessive permissions that could lead to uninstalling one program and installing another, as happened here..

Apple products are indeed more secure, but the fault lies with the user, and all systems are targeted by scammers, so everyone must not neglect the necessary security measures and update their system regularly to prevent any vulnerabilities that any Malware can exploit.

If possible, you can save some money and buy a second computer/laptop. Use one for money and work for instance and the other for your other online habits. That way if you catch a malware because you were uncareful, it won't affect the device that handles your money and crypto.

Many people like to attack Windows and how bad it is. The truth is, you won't suddenly wake up one day and discover that your Windows system got hacked and your computer is infected with malware. It's always a user error that causes these problems and when it happens people blame Windows for it.

I don't want to bash Apple users particularly as other platform's users do the same mistakes. Don't do stuff that you don't understand. From what's visible in the screenshot above I wouldn't ever blindly execute the command(s) in a terminal. It obfuscates by Base64 encryption what is fed as commands to a command shell.

This is so lame, but apparently successful enough when users execute it anyway without any understanding of what they do.

To see what is going to be executed, you could first have a look at it with

But frankly who of those would understand the decrypted shell commands when they didn't immediately stop at seeing something nefarious like echo '<string of Base64 encrypted stuff>' | base64 -D | sh?

It's like a beautiful woman falling for an ugly guy's smooth talk, if a compromised site or software has an elegant enough UI or some basis that justifies the action without giving the user time to think about what they're doing,i.e, a call-to-action like: "your wallet has been compromised, do this or that to update your security, re-enter your recovery phrase here... etc".

At some point, if you trigger the user's fear and immediate action: users, especially the most inexperienced, tend to forget the basics, which is why it's extremely important that we continue to fight against phishing and make as many people who are just starting out aware of the need to take the necessary precautions.

This new type of attack is scary and really innovative on the part of crackers, I myself have come across a site with this type of request (https://bitcointalk.org/index.php?topic=5538641), and obviously I didn't paste the command, and the worst thing is that the compromised site automatically copies the code to clipboard's user.

---

I've a question here, we know that Atomic macOS Stealer has as one of its functions to replace/tamper with a legitimate ledger live, and if there is the possibility of installing a compromised version of Ledger Live that installs a firmware compromised with Dark Skippy (which extracts the wallet's master seed secret slowly according to the number of signatures needed to complete the full extraction).

Ledger and other wallets like Trezor have firmware verification, where only firmwares signed by the manufacturers can be installed, right?

https://cointelegraph.com/learn/articles/dark-skippy-attack-how-to-protect-against-it

Someone can correct me if I am wrong but this is how I think it works.
A Ledger hardware wallet can only connect to the legitimate Ledger Live app and its servers if it uses official firmware, developed by the company. But since the malware replaces the official software with a fake one, the scammers can probably get rid of that condition. But installing the custom firmware surely still needs user approval. That's a more complicated hack wherein the case with the Atomic macOS Stealer is social engineering add phishing.

Thanks for the heads up. Because there are people that are confident that their macOS won't be affected by a malware.

But with this news, they should also be careful with what they are up to

Just to make sure, upon buying a second-hand laptop or computer, you have to freshly install a new OS on it or reformat it because you'll never know if the former owner of it also has some malware installed there.

Although it doesn't guarantee clean up entirely but that's better than keeping it as is upon purchase of second hand.

Yes, I would wipe the content of storage media on a second-hand laptop and I do that also for brand-new ones (which I normaly don't buy myself) to get rid of bloatware that most manufacturers pre-install. I would also re-flash or flash an update of the laptop's firmware, just for peace of mind and in the hope that nothing nasty sits persistant in the firmware (likely a rare case).

I wipe all partitions, re-partition the storage and install an OS from fresh genuine media files or USB stick created from those. Just in case: save any OS activation details if needed before wiping.

Lol, people actually falls for this trick? Like seriously? What kind of captcha requires these kinds of actions? It’s obvious it’s a malicious scheme. The least they could do is ask you to solve something like a puzzle, match words or something similar, but running certain scripts on Terminal?? WTF! Is this robot verification or am I being questioned by the FBI? (being sarcastic  :))

I feel sorry for those who actually fell for such tricks. It's either the dumbest person in the whole world or some old innocent soul who doesn't know of such scam tactics.

Well, it's obvious for all of us who are familiar with shell commands and who can immediately see what's going on when seeing such a shell command pipe. It's not necessarily obvious for those who aren't familiar with shell commands. I don't think it's useful to call such users dumb (maybe?) or even the dumbest in the whole world. I can imagine much worse actions for the latter.

MacOS is an unixoid system and Apple does a pretty good job to hide this from a normal user. Many MacOS users likely never need to leave the mouse pointer behind and get their hands dirty in the machine room down at the terminal. Is this bad? Not sure.

I would argue, if a user stumbles upon actions or requests on their device (s)he doesn't understand, then it's better to stop, investigate and learn, instead of blindly kicking off actions which in this case are harmful. Stay cautious and vigilant, never accept stuff you haven't seen before, you don't understand why they're required and what consequences they have. Cybercrime is a reality, it will likely only grow, become smarter and more deceptive, harder to spot.

Are you in control of your device or does the device control you, speaking in general?  ;D

This is a good practice that you do and it will certainly clear your doubts on it and if this is what is peace of mind to you, you're doing it great.

Someone can also buy a new HDD or sdd while having that second hand laptop and just follow the procedure that you did. If it's for keeping one's safe and having a peace of mind.

This is better than doing nothing at all.

I said that out of umm how do I put it, frustration I guess. People should at least learn the basics, for example what a terminal is and why is it used, or what a shell is and so on. These things are mandatory knowledge that needs to be known when operating a computer. For a non technical person, someone who doesn't own crypto, someone who only uses the device for casual things, I can understand if they doesn't knows about shell commands. But for users like us, we must acquire these knowledges.

Never used mac, never will be, it's freaking expensive, can't afford a mac.

Was that a question? Didn't understand it! I guess I am in control :)

My last question wasn't directly aimed at you, more like asking the audience.

I can feel your pain. Can't do much about it, except keep the praying wheels spinning, in the metaphorical sense. Some will learn, some will not. And you can't expect from everybody to be IT tech savvy. We (nerds?) sometimes forget this...