“Anti-Ledger” malware: The battle for Ledger Live seed phrases moonlock.com/anti-ledg…

Attackers are increasingly exploiting the trust that crypto owners place in cold wallets, turning the very tools meant to secure assets into an attack surface. The recent ByBit heist shook the crypto industry and is unlikely to be the last. Meanwhile, quieter, lower-profile heists are already underway.

Since August 2024, Moonlock Lab has been tracking a malware campaign that distributes a malicious clone of Ledger Live — the widely used desktop app for managing crypto through Ledger hardware wallets. Initially, the clone could only steal passwords, notes, and wallet details, enough to show attackers what a wallet held but not to move the funds. Within a year, the attackers added seed-phrase theft. A seed (recovery) phrase regenerates every private key in the wallet, so once it is captured the hardware device no longer protects anything, and the attackers can empty their victims' wallets. The genuine Ledger Live never asks for the 24-word recovery phrase on a computer; any prompt for it is a sign of a malicious app.

Below, we share the details of these new malicious techniques and break down four active malware campaigns that use them to target Ledger Live, putting millions of crypto owners at risk.
