Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting
Summary
A fraudulent Ledger Live macOS application, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ compromised approximately 50 users in early April 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit app tricked users into entering seed phrases, granting attackers full wallet control and enabling fund transfers to attacker-controlled addresses. The incident is part of the broader Apple App Store infiltration campaign dubbed FakeWallet, linked to the SparkKitty operation and active since at least fall 2025. Kaspersky identified 26 malicious apps impersonating major wallets (e.g., Ledger, MetaMask, Coinbase) to steal seed phrases and drain crypto assets, with malware delivered via libraries, injected code, or OCR-based recovery phrase theft. Some apps contained latent malicious features awaiting future activation, and the campaign’s modules lacked regional restrictions despite initial targeting of Chinese-speaking users. Apple began removing malicious apps after Kaspersky’s disclosure, freezing implicated KuCoin accounts until April 20, 2026. New details indicate the apps redirected users to fake App Store-like browser pages to distribute trojanized wallet versions, while some non-crypto apps (e.g., games, calculators) acted as placeholders to direct victims to official wallets under regulatory pretexts. Attackers used OCR modules to capture recovery phrases and employed sophisticated phishing tactics, including code hooking during entry and fake verification prompts, to maximize theft efficiency.
Timeline
- 14.04.2026 19:37 · 4 articles
Malicious Ledger Live macOS app on Apple App Store leads to $9.5M crypto theft via seed phrase harvesting
A fraudulent Ledger Live application for macOS, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ was used to trick users into entering seed phrases between April 8 and April 11, 2026. Attackers gained full wallet access, moving stolen assets across multiple networks before laundering via KuCoin-linked addresses tied to the ‘AudiA6’ mixing service. Apple removed the malicious app after user reports; KuCoin froze implicated accounts until April 20, 2026, with extension possible via law enforcement requests. The incident is now framed as part of a broader Apple App Store infiltration campaign (FakeWallet) linked to the SparkKitty operation, which deployed 26 malicious apps impersonating major wallets to steal seed phrases and drain cryptocurrency assets. Victims were lured via typosquatting, fake branding, and regional bypass tactics (e.g., disguising apps as games or calculators), with malware intercepting mnemonics via iOS provisioning profiles or phishing prompts. Malicious features in some apps were ‘waiting to be toggled on’ in future updates, and malware was delivered via libraries or injected directly into wallet source code. The campaign’s modules lacked regional restrictions despite initial focus on Chinese-speaking users, and a fake Ledger website hosted links to malicious apps alongside compromised Android wallet apps distributed via Chinese-language phishing pages. This update adds that the apps redirected users to fake App Store-like browser pages to distribute trojanized wallet versions, while some non-crypto apps (e.g., games, calculators) served as placeholders directing users to official wallets under false regulatory pretexts. Attackers used OCR modules to capture recovery phrases and employed sophisticated phishing tactics, including code hooking during entry and fake verification prompts, to maximize theft efficiency.
Malware was delivered via malicious library injection or source-code modification, with payloads tailored to specific wallet targets.
Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
Information Snippets
- The malicious Ledger Live macOS app was available on Apple’s App Store under the publisher name ‘Leva Heal Limited’ and not associated with Ledger’s official team.
First reported: 14.04.2026 19:37 · 3 sources, 3 articles · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Victims entered seed/recovery phrases into the fake app, resulting in unauthorized access to their cryptocurrency wallets and subsequent fund transfers to attacker-controlled addresses.
First reported: 14.04.2026 19:37 · 3 sources, 3 articles · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Total stolen amount across 50 victims reached approximately $9.5 million, with individual losses including $3.23M, $2.08M, and $1.95M.
First reported: 14.04.2026 19:37 · 2 sources, 2 articles · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- Stolen funds were laundered via more than 150 KuCoin deposit addresses connected to the centralized mixing service ‘AudiA6’; KuCoin froze involved accounts until April 20, 2026.
First reported: 14.04.2026 19:37 · 3 sources, 3 articles · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Ledger does not distribute a macOS app through Apple’s App Store; only an iOS-compatible version is officially available in the store, and a legitimate macOS desktop app is provided via Ledger’s website.
First reported: 14.04.2026 19:37 · 1 source, 1 article · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Apple removed the malicious app following multiple user reports; the timeline between initial compromise and removal spans approximately three days.
First reported: 14.04.2026 19:37 · 2 sources, 2 articles · Sources:
- Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto — www.bleepingcomputer.com — 14.04.2026 19:37
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- A set of 26 malicious apps on Apple App Store impersonated popular wallets such as MetaMask, Coinbase, Trust Wallet, and OneKey to steal recovery or seed phrases and drain cryptocurrency assets.
First reported: 21.04.2026 00:52 · 3 sources, 3 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- The threat actor used typosquatting and fake branding to imitate official products and lure users in China into downloading the apps.
First reported: 21.04.2026 00:52 · 3 sources, 3 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- The attacker published the apps as games or calculator apps to bypass restrictions in China.
First reported: 21.04.2026 00:52 · 3 sources, 3 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Kaspersky researchers named the campaign 'FakeWallet' and associated it with the SparkKitty operation active since last year.
First reported: 21.04.2026 00:52 · 3 sources, 3 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- The fake apps redirected users to phishing pages designed to appear as legitimate crypto service portals.
First reported: 21.04.2026 00:52 · 1 source, 1 article · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- The apps used trojanized wallet apps via iOS provisioning profiles to sideload malware onto devices.
First reported: 21.04.2026 00:52 · 1 source, 1 article · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- The trojanized apps intercepted mnemonic phrases during wallet setup or recovery, encrypted them with RSA and Base64, and sent them to attackers.
First reported: 21.04.2026 00:52 · 2 sources, 2 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- For cold wallets like Ledger, attackers relied on in-app phishing prompts to trick users into manually entering seed phrases via fake security verification screens.
First reported: 21.04.2026 00:52 · 1 source, 1 article · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- The campaign primarily targeted users in China, though the malware had no geographic restrictions.
First reported: 21.04.2026 00:52 · 1 source, 1 article · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Apple removed all 26 FakeWallet apps from the App Store after Kaspersky’s responsible disclosure.
First reported: 21.04.2026 00:52 · 3 sources, 3 articles · Sources:
- China's Apple App Store infiltrated by crypto-stealing wallet apps — www.bleepingcomputer.com — 21.04.2026 00:52
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- The FakeWallet campaign has been ongoing since at least fall 2025, with early detection of malicious apps in March 2026, primarily appearing in Chinese App Store search results.
First reported: 21.04.2026 17:05 · 2 sources, 2 articles · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Kaspersky identified 26 phishing apps mimicking wallets such as Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet, including some without direct cryptocurrency association but luring users with banners for unavailable official wallets.
First reported: 21.04.2026 17:05 · 2 sources, 2 articles · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Malicious features in some apps were 'waiting to be toggled on' in future updates, indicating potential for broader activation beyond current phishing capabilities.
First reported: 21.04.2026 17:05 · 2 sources, 2 articles · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Malware was delivered via libraries or injected directly into wallet source code, with functions designed to harvest recovery/seed phrases and hijack wallet restoration methods.
First reported: 21.04.2026 17:05 · 1 source, 1 article · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- Two Ledger implants were identified for targeting cold wallets, and a fake Ledger website hosted links to malicious apps alongside compromised Android wallet apps distributed via Chinese-language phishing pages.
First reported: 21.04.2026 17:05 · 1 source, 1 article · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- The campaign’s malicious modules lack regional restrictions, and phishing notifications adapt to app language, suggesting potential targeting beyond China despite initial focus on Chinese speakers.
First reported: 21.04.2026 17:05 · 2 sources, 2 articles · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Apple was notified and initiated removal of malicious apps after Kaspersky's disclosure.
First reported: 21.04.2026 17:05 · 1 source, 1 article · Sources:
- Dozens of Malicious Crypto Apps Land in Apple App Store — www.securityweek.com — 21.04.2026 17:05
- Malicious apps redirected users to browser pages resembling the App Store to distribute trojanized wallet versions after initial launch.
First reported: 24.04.2026 14:48 · 1 source, 1 article · Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Some infected apps mimicked non-crypto services (e.g., games, calculators) as placeholders to direct users to the official wallet app, claiming regulatory unavailability in the App Store.
First reported: 24.04.2026 14:48 · 1 source, 1 article · Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Attackers used OCR modules within some infected apps to steal wallet recovery phrases via optical character recognition.
First reported: 24.04.2026 14:48 · 1 source, 1 article · Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- Malware was delivered via injected malicious libraries or direct source-code modification, with payloads tailored to specific wallet targets.
First reported: 24.04.2026 14:48 · 1 source, 1 article · Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
- The campaign employed sophisticated phishing notifications to trick users into revealing mnemonics, including hooking code during phrase entry or serving fake verification pages.
First reported: 24.04.2026 14:48 · 1 source, 1 article · Sources:
- 26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases — thehackernews.com — 24.04.2026 14:48
Similar Happenings
Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets
Six Android malware families continue to target Pix payments, banking apps, and cryptocurrency wallets, with Mirax expanding its capabilities beyond financial theft. The Mirax trojan now integrates residential proxy functionality, enabling attackers to route malicious traffic through compromised devices and evade geographic restrictions. Mirax, previously identified as a banking trojan offered through a malware-as-a-service ecosystem, now operates under a restricted MaaS model targeting Spanish-speaking users with campaigns exceeding 200,000 accounts via social media advertisements. It provides full real-time device control, dynamic fake overlays fetched from C2 servers, and surveillance features including keylogging and lock screen detail collection. Distribution relies on social engineering via illegal streaming app promotions, with malware hosted on GitHub and device evasion techniques. Compromised devices are repurposed as residential proxies for broader cybercriminal activities, including account takeovers and anonymized network attacks.
ZeroDayRAT Malware Targets Android and iOS Devices
A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT support spans Android 5 through 16 and iOS up to 26, and it provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages. The malware includes features such as SMS control, keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.
New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Target Financial and Cryptocurrency Data
Researchers have identified three new or enhanced Android malware families: FvncBot, SeedSnatcher, and an upgraded version of ClayRat. FvncBot targets Polish mobile banking users with keylogging, web-inject attacks, and hidden virtual network computing (HVNC) capabilities. SeedSnatcher steals cryptocurrency wallet seed phrases and intercepts SMS messages for 2FA codes. The updated ClayRat now abuses accessibility services for full device takeover, including screen recording and notification harvesting. These malware families use advanced techniques to evade detection and escalate privileges.
GlassWorm malware targets OpenVSX, VS Code registries
GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, with the latest iteration leveraging Solana dead drops for C2, a novel browser extension for surveillance, and a shift into the Model Context Protocol (MCP) ecosystem. The campaign now delivers a .NET binary that targets Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a Websocket-based JavaScript RAT exfiltrates browser data, executes arbitrary code, and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline to perform session surveillance on cryptocurrency platforms like Bybit and harvest extensive browser data. Additionally, threat actors have begun distributing malicious payloads via npm packages impersonating the WaterCrawl MCP server, marking GlassWorm’s first confirmed incursion into the AI-assisted development ecosystem. Recent innovations in the GlassWorm campaign include the introduction of a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker', which masquerades as WakaTime. This dropper installs platform-specific Node.js native addons compiled from Zig code that execute outside the JavaScript sandbox with full OS-level access, enabling the threat actor to stealthily infect all IDEs on a developer's machine—including VS Code, VSCodium, Positron, Cursor, and Windsurf. The dropper then downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs. 
The second-stage extension avoids execution on Russian systems, communicates with the Solana blockchain for C2, exfiltrates data, and deploys an information-stealing RAT that ultimately installs a malicious Google Chrome extension. Users who installed the malicious extensions should assume compromise and rotate all secrets immediately. The GlassWorm campaign remains a persistent supply chain threat impacting multiple ecosystems including npm, PyPI, GitHub, and Open VSX. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains. The Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new large-scale social engineering campaign has emerged, using fake VS Code security alerts posted in GitHub Discussions to distribute malware. The campaign automates posts across thousands of repositories using low-activity accounts, triggering GitHub email notifications with fake vulnerability advisories containing realistic CVE references. Links in these posts redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. 
This operation represents a coordinated, large-scale effort targeting developers as part of the broader GlassWorm malware campaign.
Klopatra Android Trojan Conducts Nighttime Bank Transfers
A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.