A malicious version of Ledger Live that appeared on the Apple App Store has been tied to at least $9.5 million in cryptocurrency losses, with more than 50 victims affected across multiple blockchain networks.

The incident came to light after on-chain analysis from blockchain investigator ZachXBT, who traced coordinated thefts between April 7 and April 13. The attacker targeted users who downloaded what appeared to be the official Ledger wallet application but instead interacted with a fraudulent clone.

Apple confirmed that it removed the app and terminated the developer account after identifying the threat. The company described the tactic as a “bait-and-switch strategy,” where an app passes review before later changes introduce malicious behavior.

Victims describe sudden and irreversible losses

Individual accounts reveal the human impact behind the numbers. One victim, Garrett Dutton, a Philadelphia musician known as G. Love, posting under the handle @glove on X, reported the loss of 5.9 BTC, which represented his entire savings.

“I lost my retirement fund in a hack/scam… All my BTC gone in an instant,” he wrote.

He had accumulated the Bitcoin over a decade, and he described the experience in another post.

“I worked ten years for this,” he wrote. “Be careful out there.”

He downloaded the fake app while setting up a new computer. He entered his recovery phrase during the setup process. That action gave attackers immediate access to his wallet.

Attack relied on seed phrase extraction, not technical exploits

The method did not require advanced code vulnerabilities. The attack depended on user trust in official app marketplaces.

The fake app mimicked the design and flow of Ledger’s software. It prompted users to enter their seed phrase, which acts as the master key to a crypto wallet. Once the phrase was entered, nothing else protected the wallet.

Ledger’s security model depends on keeping the seed phrase offline. The hardware wallet generates it without internet access. Any request to input the phrase into an app signals either a malfunction or a malicious attempt.

Security guidance from wallet providers states that users should download Ledger Live only from the official website. The presence of a Mac App Store version created confusion, as Ledger does not distribute its desktop app through that channel.
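One practical check a user or help desk can run before trusting a desktop wallet build is to inspect its macOS code signature: a Mac App Store build is signed by Apple’s “Apple Mac OS Application Signing” certificate, while a vendor that only distributes from its own website ships a Developer ID build carrying its own Team ID. The following script is an added example, not code from the article or from Ledger; the Team ID, bundle identifier and sample `codesign` outputs are constructed placeholders, and the real expected Team ID would come from the vendor’s official documentation.

```python
"""Added example (not from the article or from Ledger): classify a macOS app bundle by
its code signature before trusting it with anything sensitive.

Two checks follow from the article's point:
  1. A Mac App Store build carries the leaf authority "Apple Mac OS Application Signing";
     a vendor that distributes only from its own website never ships one.
  2. A direct download should carry the vendor's Developer ID and expected Team ID.
EXPECTED_TEAM_ID is a placeholder, not any vendor's real value.
"""
import subprocess
from dataclasses import dataclass, field

EXPECTED_TEAM_ID = "TEAMID0000"  # placeholder; take the real value from vendor documentation
APP_STORE_LEAF = "Apple Mac OS Application Signing"


@dataclass
class SignatureInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # leaf certificate first, root last


def parse_codesign_output(text: str) -> SignatureInfo:
    """Parse the key=value lines of `codesign -dv --verbose=4` (printed on stderr)."""
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # e.g. "code object is not signed at all"
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def assess(info: SignatureInfo, expected_team_id: str) -> str:
    """Return 'unsigned', 'app-store-build', 'team-mismatch' or 'ok'."""
    if not info.authorities:
        return "unsigned"
    if info.authorities[0] == APP_STORE_LEAF:
        return "app-store-build"   # came through the App Store, whatever its name says
    if info.team_id != expected_team_id:
        return "team-mismatch"     # signed, but not by the vendor we expected
    return "ok"


def check_bundle(path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> str:
    """Run codesign (macOS only) against a bundle on disk and assess the result."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return assess(parse_codesign_output(proc.stderr + proc.stdout), expected_team_id)


# Constructed sample outputs in the shape codesign prints; all values are made up.
SAMPLE_APP_STORE = """Identifier=com.example.wallet
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999
"""
SAMPLE_DIRECT = """Identifier=com.example.wallet
Authority=Developer ID Application: Example Wallet Co (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000
"""

if __name__ == "__main__":
    for label, sample in (("app store", SAMPLE_APP_STORE), ("direct", SAMPLE_DIRECT)):
        print(label, "->", assess(parse_codesign_output(sample), EXPECTED_TEAM_ID))
```

The sample strings let the classifier run offline; on a Mac, `check_bundle("/Applications/Example.app")` performs the live check. An `app-store-build` result for a product the vendor says it never ships through the App Store is exactly the confusion the article describes, and a `team-mismatch` means the binary was signed by someone other than the expected vendor.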

Millions drained across multiple chains

The scale of the theft extended beyond a single case. Data shared by ZachXBT showed losses across Bitcoin, Ethereum-compatible networks, Tron, Solana, and XRP Ledger.

Three major incidents accounted for a large portion of the total. One victim lost $3.23 million in USDT on April 9. Another lost $2.08 million in USDC on April 11. A third case involved $1.95 million in BTC, ETH, and staked Ether on April 8.

The attacker moved funds quickly after each compromise. Transactions flowed through a network of wallets before reaching centralized exchange deposit addresses.

Funds routed through exchanges and mixing services

ZachXBT traced the stolen assets through more than 150 deposit addresses linked to KuCoin. The flow connected to a service known as “AudiA6,” which operates as a centralized mixing system that obscures transaction trails.
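The tracing described in the two paragraphs above (funds moving through a network of wallets and landing at exchange deposit addresses) is, at its core, a walk over a directed graph of transfers. The following is an added example, not the article’s, ZachXBT’s or Ledger’s code: all addresses, amounts and attribution labels are constructed, and in practice the transfers would come from a node or block explorer and the labels from exchange cooperation or address clustering.

```python
"""Added example (not from the article, ZachXBT or Ledger): follow outflows from victim
wallets through intermediate addresses to labeled destinations such as exchange deposit
addresses. Every address, amount and label here is constructed for illustration."""
from collections import defaultdict, deque

# Constructed transfers: (sender, receiver, amount). Real data has the same shape.
TRANSFERS = [
    ("victim_A", "hop_1", 100.0),
    ("victim_B", "hop_1", 50.0),          # two victims funnelled into one hop wallet
    ("hop_1", "hop_2", 120.0),
    ("hop_1", "hop_3", 30.0),
    ("hop_2", "exch_deposit_1", 70.0),
    ("hop_2", "exch_deposit_2", 50.0),
    ("hop_3", "mixer_in", 30.0),
    ("unrelated", "exch_deposit_3", 10.0),  # legitimate traffic, must not be attributed
]

# Constructed attribution labels (in practice from exchange KYC data or clustering).
LABELS = {
    "exch_deposit_1": "exchange:ExampleEx",
    "exch_deposit_2": "exchange:ExampleEx",
    "exch_deposit_3": "exchange:ExampleEx",
    "mixer_in": "mixer:ExampleMix",
}


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, amount)."""
    graph = defaultdict(list)
    for src, dst, amt in transfers:
        graph[src].append((dst, amt))
    return graph


def trace_outflows(graph, sources, labels, max_hops=10):
    """Breadth-first walk from the victim addresses.

    Returns (paths, reached): the shortest path to every labeled address reached within
    max_hops, and the set of all addresses the stolen funds passed through."""
    paths = {}
    seen = set(sources)
    queue = deque((s, [s]) for s in sources)
    while queue:
        addr, path = queue.popleft()
        if addr in labels and addr not in sources:
            paths[addr] = path
        if len(path) - 1 >= max_hops:
            continue
        for nxt, _amt in graph.get(addr, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return paths, seen


def tainted_inflow(transfers, reached, labels):
    """Sum, per label, the amounts that entered labeled addresses from traced wallets.
    Transfers from addresses outside the traced set are ignored."""
    totals = defaultdict(float)
    for src, dst, amt in transfers:
        if src in reached and dst in labels:
            totals[labels[dst]] += amt
    return dict(totals)


if __name__ == "__main__":
    graph = build_graph(TRANSFERS)
    paths, reached = trace_outflows(graph, ["victim_A", "victim_B"], LABELS)
    for dest, path in paths.items():
        print(LABELS[dest], " -> ".join(path))
    print(tainted_inflow(TRANSFERS, reached, LABELS))
```

The `reached` set is what makes the attribution honest: `exch_deposit_3` carries the same exchange label as the other deposit addresses, but since no traced wallet ever paid into it, it is left out of the totals. Scaling this to the hundreds of deposit addresses mentioned above only changes the size of the input, not the walk.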

The use of a centralized exchange drew attention due to KuCoin’s regulatory history. Austrian regulators barred the platform from onboarding new EU users in February 2026. The exchange had also paid over $300 million to US authorities in 2025 to settle anti-money laundering violations.

Recovery of funds remains uncertain. The process would require coordinated action from law enforcement and exchange operators. No confirmation of such recovery efforts has been reported.

App store review process faces renewed scrutiny

The incident raised questions about how the fake app passed Apple’s review process. Apple reported that it removed or rejected more than 17,000 apps in 2024 for bait-and-switch behavior. It also blocked tens of thousands of fraudulent or misleading submissions.

Despite those controls, the Ledger clone remained available long enough to cause significant losses. Reports suggest the app stayed on the store for about two weeks before removal.

Cases of impersonation in app marketplaces are not new. A similar scheme on Microsoft’s app store in 2023 led to approximately $600,000 in crypto theft. Both incidents relied on the same tactic: imitation of trusted wallet software followed by seed phrase capture.

The scale of losses and the distribution through an official marketplace have raised the possibility of legal action. ZachXBT noted that the case could support a class-action lawsuit tied to platform responsibility.

The incident highlights a persistent risk in crypto security. Phishing and social engineering attacks continue to target users rather than infrastructure. In 2025, crypto-related scams and hacks resulted in an estimated $17 billion in losses.

For victims, the consequences remain immediate and severe. The stolen assets moved quickly across networks and services. In most cases, recovery does not follow.
