Fake Ledger Live App on Apple App Store: $9.5 Million in Crypto Stolen in One Week
Between April 7 and April 13, 2026, a fake Ledger Live application distributed on the Apple App Store stole $9.5 million in cryptocurrencies from over 50 victims across multiple blockchains: Bitcoin, Ethereum, Solana, Tron, and Ripple. This is not an isolated incident but part of a structured campaign that lasted seven days, operating undisturbed until the public attention generated by a notable case accelerated the app's removal from the store. The app was listed under a developer account not linked to Ledger SAS and faithfully replicated the interface of Ledger Live, the official software for managing the company's hardware wallets.
How the Scam Worked
The attack vector was as simple as it was effective: the fake app visually and functionally replicated Ledger Live, tricking users into entering their 24-word seed phrase during a seemingly legitimate setup phase. The problem is that the authentic software never requires entering the recovery phrase on desktop or mobile interfaces, as that operation occurs exclusively on the physical hardware device. Those who followed the instructions of the fake app effectively handed over the keys to their wallets to the attackers. From that moment on, control over the funds is irrevocable: possessing the seed phrase is equivalent to possessing the funds, regardless of the hardware.
The proceeds of the theft were dispersed through over 150 deposit addresses on KuCoin and linked to a centralized mixing service identified as AudiA6, a laundering structure that combines transaction fragmentation with the use of exchange infrastructures to obscure the on-chain trail. The composition of the loot highlights a preference for stablecoins: about $3.23 million in USDT, $2.079 million in USDC, with the rest divided among BTC, ETH, and other assets.
G. Love: The Case That Broke the Silence
"I had a really tough day today I lost my retirement fund in a hack/Scam when I switched my @Ledger over to my new computer and by accident downloaded a malicious ledger app from the @Apple store. All my BTC gone in an instant." – G. Love (@glove) April 11, 2026.
The campaign had been active for days when, on April 11, 2026, American musician Garrett Dutton, known as G. Love of G. Love & Special Sauce, publicly shared his loss on X: 5.92 BTC stolen in seconds, about $424,000, his retirement savings accumulated over nearly a decade. Dutton was migrating his Ledger setup to a new Apple computer and found what seemed to be Ledger Live on the App Store. He entered the seed phrase. The funds disappeared. On-chain researcher ZachXBT traced the movements through nine separate transactions, all converging on KuCoin deposit addresses, matching the same infrastructure used for the other 50+ victims of the campaign.
The Dutton case had a disproportionate media impact relative to its economic magnitude ($424,000 out of $9.5 million total) because it put a public face on a scam that was silently affecting dozens of users. It was the detonator that made it impossible for Apple to further ignore the app's presence on the store. Dutton publicly clarified that the vector was social engineering through the fake app, not a vulnerability of the Ledger hardware device.
The Review Process Under Scrutiny
The fraudulent app was able to remain available on the App Store for seven days before removal, a time frame that allowed the attackers to target over 50 users and accumulate an eight-figure haul. The incident reopened the structural debate about the ability of major app marketplaces to detect fraudulent applications that do not contain explicit malicious code. The scam does not exploit technical exploits: the app's code is functionally clean; the deception lies in the user interface that simulates a legitimate setup flow and requires the input of sensitive credentials. Apple’s automated and manual review systems, which primarily focus on functional security and compliance with policies, cannot detect these types of bypasses.
This is not an isolated case in the history of digital stores. In 2023, a fake Ledger Live app managed to pass through Microsoft Store’s checks, yielding attackers between $600,000 and $768,000 in Bitcoin before removal. Earlier in 2025, the cybersecurity company Moonlock documented macOS-specific malware capable of silently replacing the legitimate installation of Ledger Live with a fake interface. The pattern repeats with minimal variations: app store or filesystem as a distribution vector, capture of the seed phrase, and immediate withdrawal of the funds. Platforms have not resolved the issue at its roots, and the cost continues to grow.
ZachXBT reported on X that Apple seems to disapprove of public documentation of the presence of fake apps on the store, a posture that, combined with the slowness in removing fraudulent listings, has contributed to exacerbating the reactions of the crypto community. Ledger has long reiterated that Ledger Live is distributed exclusively through ledger.com and that any app posing as Ledger Live on any store is to be considered fake by definition.
Possible Legal Consequences
After the dissemination of overall data on the theft, a debate has arisen about the possibility of filing a class action lawsuit against Apple. The central argument is that the Cupertino giant failed to exercise adequate oversight over its platform, allowing an openly fraudulent application to remain available for over a week and affect more than 50 users. Concurrently, regulatory issues emerged regarding the responsibility of digital marketplaces in distributing software that facilitates financial fraud.