Clipboard-Hijacking Malware Disguised as Ledger Live Software
Criminals distribute malware packaged as counterfeit Ledger Live installers; once installed, the malware monitors the clipboard and swaps wallet addresses at the moment of pasting, redirecting transfers to attacker addresses.
Part of: Clipboard Hijacker Crypto Scams
Last reviewed: 8 June 2026
Ledger Live is the official companion application for Ledger hardware wallets, used for sending and receiving cryptocurrency and managing assets. Because installing Ledger Live from the correct source (ledger.com/ledger-live) is a well-known first step for Ledger owners, scammers create fake download pages and distribute trojaned installers that look identical to the genuine software.
The counterfeit installers package a clipboard-monitoring program alongside a working copy of Ledger Live, so the victim receives a functional application and has no immediate reason to suspect anything is wrong. The hidden component watches the system clipboard continuously and replaces any cryptocurrency address that passes through it with an address controlled by the attacker.
This attack is especially dangerous for hardware wallet users because they feel safe: they believe their Ledger device protects every transaction. But if the clipboard hijacker has already replaced the address by the time it appears in Ledger Live's send field, the hardware wallet will sign a valid transaction sending funds to the attacker. The device screen shows the fake address, which the user expects and confirms.
How this scam works on the Ledger brand
Victims find the fake installer via a sponsored ad that appears above the genuine Ledger result in a search for 'Ledger Live download', or via a phishing email warning that their current version of Ledger Live is 'out of date and vulnerable.' The download page is a precise copy of ledger.com.
The installed software behaves identically to genuine Ledger Live. When the victim sends cryptocurrency, they copy the recipient's address from an external source (a contact, an exchange deposit page) and paste it into Ledger Live's address field. The clipboard hijacker intercepts the paste event and substitutes the attacker's address. The victim confirms what they believe is the correct address on both the computer screen and the Ledger hardware device, and the transaction is broadcast to the network.
The only reliable defense is to verify the pasted address character-by-character — especially comparing the first four and last four characters — against the original source before confirming on the hardware device.
Common red flags
- Ledger Live installer downloaded from any site other than ledger.com/ledger-live
- Installer file was recommended via email, social media, or a search ad rather than from ledger.com
- Pasted wallet address does not exactly match the address copied from the original source
- Antivirus or Windows Defender flags the installer or a background process started after installation
- Unusual CPU or memory activity after installation of what appeared to be Ledger Live
How to protect yourself
- Download Ledger Live exclusively from ledger.com/ledger-live and verify the installer's SHA-256 hash against the checksum published on that page
- Always manually compare the destination address character by character after pasting — do not assume the clipboard is clean
- Confirm the full address shown on your Ledger device's screen matches the intended recipient before approving the transaction
- Run up-to-date antivirus software with real-time protection to detect clipboard-monitoring behavior
- If you suspect infection, boot from a clean device or OS environment before performing any crypto transactions
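The character-by-character comparison described above and in the checklist, as an added example (not code from Ledger or from this page's author). The function and field names are hypothetical, the sample strings are constructed and are not real wallet addresses, and the check assumes the address format uses printable ASCII only, as Base58, Bech32 and hex addresses do.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AddressCheck:
    match: bool                # True only if every character is identical
    first_diff: Optional[int]  # index of the first differing character
    head_ok: bool              # first four characters agree
    tail_ok: bool              # last four characters agree
    hidden_chars: bool         # pasted text holds non-printable or non-ASCII characters


def check_pasted_address(copied: str, pasted: str) -> AddressCheck:
    """Compare the address copied at the source with what landed in the send field."""
    src, dst = copied.strip(), pasted.strip()
    # Assumption: valid addresses are printable ASCII; anything else is suspicious.
    hidden = any(not 33 <= ord(c) <= 126 for c in dst)
    first_diff = None
    for i in range(max(len(src), len(dst))):
        if i >= len(src) or i >= len(dst) or src[i] != dst[i]:
            first_diff = i
            break
    return AddressCheck(
        match=bool(src) and first_diff is None and not hidden,
        first_diff=first_diff,
        head_ok=src[:4] == dst[:4],
        tail_ok=src[-4:] == dst[-4:],
        hidden_chars=hidden,
    )


# Constructed strings for illustration only; these are not real wallet addresses.
COPIED = "bc1q" + "m7x2" * 8 + "k9p4"
SWAPPED = "bc1q" + "t3v8" * 8 + "w5n6"    # a different address of the same type
SAME_ENDS = "bc1q" + "t3v8" * 8 + "k9p4"  # ends agree, middle differs

if __name__ == "__main__":
    for label, pasted in [("clean", COPIED + "\n"), ("swapped", SWAPPED),
                          ("same ends", SAME_ENDS)]:
        print(label, check_pasted_address(COPIED, pasted))
```

The `SAME_ENDS` case passes both four-character checks and is rejected only by the full comparison, which is why the first and last four characters are a quick first look and not a substitute for reading the whole address.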
How to report it
- Report the malicious download site to Ledger at [email protected]
- Submit the installer file to VirusTotal (virustotal.com) and report findings to your antivirus vendor
- File a complaint with IC3.gov (US) or Action Fraud (UK), providing the download URL and transaction hashes
- Report the phishing domain to Google Safe Browsing and Netcraft
Frequently asked questions
If I have a Ledger hardware wallet, am I protected against clipboard hijacking?
Not automatically. The Ledger hardware wallet will sign whatever address is presented in the transaction — if a clipboard hijacker has replaced the address before it reaches Ledger Live, your device will sign the fraudulent transaction. You must independently verify the destination address before confirming on the device.
How do I verify the integrity of a Ledger Live installer?
Ledger publishes SHA-256 checksums for each installer on ledger.com/ledger-live. After downloading, use your OS's built-in checksum tool (CertUtil on Windows, sha256sum on macOS/Linux) to confirm the downloaded file's hash matches the published value.
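The checksum comparison described in this answer and in the protection checklist, as an added example (not Ledger's tooling and not code from this page's author). The function names and the script name in the usage comment are hypothetical, and the code assumes the published value is a hex-encoded SHA-256 digest copied from the download page.

```python
import hashlib
import hmac
import re
import sys


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks so a large installer is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_checksum(text: str) -> str:
    """Extract one SHA-256 value from text pasted from a web page or tool output.

    Accepts upper or lower case, a trailing file name, and byte pairs
    separated by spaces or colons. Raises ValueError on anything else.
    """
    plain = re.findall(r"\b[0-9a-fA-F]{64}\b", text)
    spaced = re.findall(r"\b(?:[0-9a-fA-F]{2}[ :]){31}[0-9a-fA-F]{2}\b", text)
    found = {re.sub(r"[ :]", "", m).lower() for m in plain + spaced}
    if len(found) != 1:
        raise ValueError("expected exactly one SHA-256 value, found %d" % len(found))
    return found.pop()


def installer_matches(path: str, published: str) -> bool:
    """True only if the file's SHA-256 equals the published checksum."""
    expected = parse_published_checksum(published)
    return hmac.compare_digest(sha256_file(path), expected)


if __name__ == "__main__":
    # Usage: python verify_installer.py <installer file> "<published checksum>"
    ok = installer_matches(sys.argv[1], sys.argv[2])
    print("MATCH" if ok else "MISMATCH: do not run this installer")
    sys.exit(0 if ok else 1)
```

Copy the published checksum from a page you reached by typing ledger.com yourself; a checksum shown on the same page that served the installer proves nothing if that page is the counterfeit.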
What should I do if I already sent funds to the wrong address?
Blockchain transactions to the wrong address cannot be reversed. Secure your device by uninstalling the malware, switching to a clean device, and generating a new wallet seed phrase. Report the transaction to law enforcement with the recipient address and transaction hash.