A crypto scam posing as the official Ledger Live hardware wallet app passed Apple’s App Store review process and drained at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP between April 7 and April 13, with stolen funds routed through more than 150 KuCoin deposit addresses and into a centralized mixing service.
Summary
- The three largest individual thefts were $3.23 million in USDT on April 9, $2.08 million in USDC on April 11, and $1.95 million in BTC, ETH, and stETH on April 8, with blockchain investigator ZachXBT tracing all stolen funds to deposit addresses linked to a mixing service called AudiA6, known for charging high fees to obscure illicit transactions.
- The attack worked by prompting users to enter their 24-word seed phrase into the fake app during what appeared to be a normal wallet setup flow; once a seed phrase is entered into any connected application, attackers gain full and immediate control of every wallet derived from it.
- Apple has removed the fake app from the App Store but has not publicly commented on how it passed the review process; ZachXBT separately reported that Apple appears to be blocking a security analysis tool from examining the fraudulent listing, which has complicated independent investigation.
A report on the theft brought the incident to wide attention after ZachXBT published his on-chain analysis. One of the victims, posting on X under the handle @glove, was Philadelphia musician Garrett Dutton of G. Love and Special Sauce, who lost 5.92 BTC accumulated over a decade of saving. “I worked ten years for this,” he wrote. “Be careful out there.” He was setting up his Ledger hardware wallet on a new MacBook when he searched the App Store for Ledger Live and downloaded the impersonating app. The seed phrase he entered gave attackers immediate access.
The incident is not without precedent. A nearly identical fake Ledger app scheme stole approximately $600,000 through Microsoft’s app store in 2023, using the same impersonation-plus-seed-phrase playbook.
The mechanism that makes this attack effective is not technical sophistication. It is social trust. Users going to the Apple App Store reasonably expect that the apps listed there have been reviewed and are legitimate. The fake Ledger app exploited that trust by appearing in search results for “Ledger Live” with convincing branding and a standard setup flow. Apple’s review process, which has rejected crypto apps for policy reasons, apparently did not catch a malicious application designed to steal funds from users of hardware wallets that Apple’s own review policies pushed them toward using in the first place.
Why Seed Phrases and App Stores Are Structurally Incompatible
The hardware wallet’s entire security model rests on one rule: the seed phrase never touches a connected device. The physical hardware generates the seed phrase offline and signs transactions internally, so private keys are never exposed to the internet. The moment a user types their seed phrase into any app, website, or keyboard, the hardware wallet’s protection is eliminated. No legitimate wallet provider, including Ledger, ever asks for a seed phrase during setup. Any application that requests one is either malfunctioning or malicious. Security experts recommend downloading Ledger Live only from ledger.com directly, never from any app store.
What Happens to Stolen Funds and Why Recovery Is Unlikely
ZachXBT traced the stolen funds through nine transactions into KuCoin deposit addresses linked to the AudiA6 mixing service. KuCoin has been barred from onboarding new EU users by Austrian regulators in February 2026, just three months after receiving a MiCA license, and previously paid over $300 million to US authorities in 2025 to settle anti-money laundering violations. Recovery would require coordinated law enforcement action and voluntary exchange cooperation that ZachXBT said he did not expect. The incident has prompted discussion of potential class-action lawsuits against Apple for platform liability, and reinforces why crypto security experts consistently warn against downloading wallet software from any source other than the manufacturer’s official website.
