April 15, 2026 ChainGPT

Fake Ledger Live App on Apple App Store Stole $9.5M by Harvesting Seed Phrases

A fake Ledger Live app that passed Apple’s App Store review process stole at least $9.5 million from more than 50 crypto users in a single week, according to on-chain investigators.

What happened

- Between April 7 and April 13, victims across Bitcoin, Ethereum, Solana, Tron and XRP lost funds after downloading an impersonating “Ledger Live” app from Apple’s App Store.
- Stolen funds were routed through over 150 KuCoin deposit addresses and into a centralized mixing service (traced in part to the AudiA6 mixer), according to chain analysis published by researcher ZachXBT.
- At least one public victim was Philadelphia musician Garrett Dutton (known as G. Love), who posted that he lost 5.92 BTC he had accumulated over a decade after entering his seed phrase into the fake app while setting up a Ledger on a new MacBook. “I worked ten years for this,” he wrote. “Be careful out there.”

How the scam worked

- The fake app mimicked Ledger’s branding and setup flow and appeared in App Store search results for “Ledger Live.” When users typed in their seed phrase — the one secret that controls access to their hardware wallet — attackers gained immediate control of the funds.
- This attack relies on social trust, not cryptographic sophistication: many users reasonably expect that apps in Apple’s App Store have been vetted, and the malicious app exploited that assumption.
- The core security rule for hardware wallets is simple and absolute: the seed phrase must never be entered into a computer, phone, website, or third‑party app. Legitimate wallet providers (including Ledger) never request the seed during setup.

Context and precedent

- A nearly identical scam using the same impersonation-plus-seed-phrase method hit Microsoft’s app store in 2023, stealing about $600,000.
- Apple’s review process failed to catch this malicious listing even as Apple has historically enforced restrictive policies on some crypto apps — a tension that critics say can push users toward hardware wallets while still leaving them vulnerable to copycat software.

Tracing and recovery prospects

- ZachXBT’s analysis traced multiple transactions into KuCoin deposit addresses and onward to a centralized mixing service. He expressed skepticism that voluntary exchange cooperation or tracing alone will recover funds without coordinated law enforcement action.
- KuCoin’s regulatory history was noted in the report: the exchange paid over $300 million to U.S. authorities in 2025 to resolve AML-related enforcement, and in February 2026 Austrian regulators barred KuCoin from onboarding new EU users shortly after it obtained a MiCA license.

Legal and community fallout

- The incident has renewed discussion about platform liability and prompted talk of potential class-action litigation against Apple for allowing a fraudulent crypto wallet app onto its store. Crypto security experts are also using the episode to re-emphasize best practices.

Practical advice for users

- Never enter your seed phrase into any app, website, or keyboard extension. If an app asks for it, treat it as malicious.
- Download Ledger Live and other wallet software only from the manufacturer’s official website (e.g., ledger.com) and verify URLs and digital signatures where possible.
- Use the hardware wallet’s built-in verification screens and enable additional protections like passphrases.
- If you believe you’ve been scammed, immediately gather transaction IDs, contact any exchanges involved, and file reports with local law enforcement and crypto‑fraud reporting channels.

This attack is a sharp reminder that user behavior and platform trust are often the weakest links in crypto security. The simplest rule — never reveal your seed phrase — still protects more value than any technical innovation.