OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Trust Inversion series· Apr 16, 2026· 4 min read

Fake Ledger App Drained $9.5M From Apple's App Store

A counterfeit version of Ledger Live operated on Apple's Mac App Store from April 7 to April 13, 2026, draining approximately $9.5 million from more than 50 victims before Apple removed it. The attack worked by prompting users to enter their 24-word seed phrase during a fake wallet setup flow. Once entered, attackers immediately reconstructed the wallet on a separate device and drained every account on the seed. Three victims lost over $1 million each. Musician Garrett Dutton, known as G. Love, lost 5.92 BTC — his retirement savings accumulated over a decade — while setting up a new MacBook. The hardware wallet never failed. The seed phrase rule did.

Key takeaways

  1. The fake Ledger Live app operated on Apple's Mac App Store for six days before removal. ZachXBT published on-chain analysis on April 14 tracing $9.5 million in losses across more than 50 victims spanning Bitcoin, Ethereum, Solana, Tron, and XRP networks. The three largest single losses were $3.23 million in USDT (April 9), $2.08 million in USDC (April 11), and $1.95 million in BTC, ETH, and staked ETH (April 8)
  2. The attack vector is seed phrase capture. The fake app presented a standard wallet setup flow and prompted users to enter their 24-word recovery phrase. Once entered, attackers reconstructed the wallet remotely and immediately drained all accounts derived from that seed. There is no partial exposure. A seed phrase entered into any connected application gives the attacker unconditional, permanent control of every wallet on that seed across every chain it supports
  3. Stolen funds were routed through more than 150 KuCoin deposit addresses and into a centralized mixing service called AudiA6. KuCoin paid over $300 million in fines to US authorities in 2025 for AML violations and was barred by Austrian regulators from onboarding new EU users in February 2026, three months after receiving its MiCA license. ZachXBT has suggested the scale of losses may present grounds for a class-action suit against Apple
  4. Ledger distributes Ledger Live for desktop exclusively through ledger.com. There is no legitimate Mac App Store version of Ledger Live. A user searching 'Ledger Live' in the Mac App Store and downloading the top result was interacting with a fake. Apple's review process, which has historically rejected crypto apps on policy grounds, did not catch a malicious application designed to steal funds from hardware wallet users
  5. A separate incident emerged April 17: a Brazilian security researcher purchased a Ledger Nano S Plus from a Chinese e-commerce platform at the official retail price. The device failed Ledger's built-in authenticity verification. Disassembly revealed embedded WiFi and Bluetooth antennas, tampered firmware, and an Espressif Systems chip with markings scratched off. Two independent Ledger attack vectors in one week — one through software distribution, one through hardware supply chain

What Happened

Between April 7 and April 13, 2026, a counterfeit version of Ledger Live operated on Apple's Mac App Store. The app closely imitated Ledger's official branding and setup flow. Users who downloaded it were prompted to enter their 24-word recovery phrase during what appeared to be a standard wallet initialization process. That single step gave attackers immediate, unconditional access to every wallet derived from the seed across every supported blockchain. ZachXBT published on-chain analysis on April 14 identifying more than 50 victims and tracing $9.5 million in losses. Apple removed the app on April 13 following user reports.

Among the confirmed victims is Garrett Dutton, the Philadelphia musician known professionally as G. Love, who disclosed on X that he lost 5.92 BTC — his entire retirement savings accumulated over roughly a decade — after downloading the fake app while migrating his Ledger to a new MacBook. 'I worked ten years for this,' he wrote. 'Be careful out there.' He was doing exactly what Ledger's setup instructions recommend: initializing the hardware wallet with the companion software. He searched for Ledger Live in the App Store, found the fake, and followed its prompts.

Why Seed Phrase Capture Is the Most Effective Attack

A hardware wallet's security model is built on one rule: the seed phrase never touches a connected device. The device generates the phrase offline and uses it to sign transactions internally. Private keys are never exposed to the internet, and no malware on a connected computer can extract them. This architecture defeats clipboard hijacking, man-in-the-middle attacks, and remote access trojans — all the vectors that make software wallets vulnerable.

Seed phrase capture bypasses this entire model through trust inversion. The user believes they are interacting with a protection tool. They are actually handing over the only secret that matters. Once a user types their 24 words into any connected application, the hardware wallet's protections are irrelevant — the attacker has the root key and can reconstruct every wallet the seed generates, on any chain, immediately. The physical device sitting on the desk is now a paperweight. This is not a technical vulnerability in the hardware. It is an attack on the trust model: users reasonably expect that an application in Apple's curated app store is what it claims to be. App-store distribution and brand trust are not security guarantees. A malicious app can survive review long enough to drain millions before removal — and in this case, it did exactly that for six days.

Apple's Review Process and the Distribution Problem

The attack's effectiveness depended entirely on Apple's App Store distribution. A fake website or malicious installer requires the attacker to drive traffic through phishing or social engineering. An app in the official App Store appears in search results alongside legitimate software and inherits the implicit trust of Apple's review process. Users who specifically avoid unofficial download sources to protect themselves were the most likely victims — they were following best practices and still got hit.

Apple's review process has historically been used to restrict crypto applications for policy reasons. The same process failed to catch a malicious application designed specifically to steal funds from crypto holders. Ledger does not distribute a legitimate Mac App Store version of Ledger Live — the official product is desktop software available only through ledger.com. A user searching the App Store had no legitimate result to find. The top result was the fake.

The Hardware Supply Chain Problem — Same Week

On April 17, a Brazilian security researcher published findings on a Ledger Nano S Plus purchased from a Chinese e-commerce platform at the official retail price, with packaging that appeared legitimate. The device failed Ledger's built-in authenticity verification immediately after connecting to the official Ledger Live app. Disassembly revealed embedded WiFi and Bluetooth antennas, tampered firmware, and a chip from Shanghai-listed Espressif Systems with its markings scratched off to obscure the substitution.

Two separate attack vectors against the same product in one week. The App Store fake captures seed phrases from users initializing or recovering wallets through software. The counterfeit hardware device is designed to capture seed phrases at the point of generation — the moment the device creates and displays the recovery phrase for the first time. Both attacks target the same moment of maximum vulnerability: when the user is handling their seed phrase.

What This Means for You

The Ledger Live rule is absolute: download only from ledger.com. Not from any app store, not from any search result, not from any link in an email or social post. The desktop application is available only through the official website. The iOS app exists on the Apple App Store, but it is for mobile, not for Mac. Any Mac App Store result for 'Ledger Live' should be treated as a fake until further notice.

The seed phrase rule is equally absolute: the 24 words should never be entered into any application on any connected device under any circumstances. Not to recover a wallet. Not to verify a backup. Not to complete a setup flow that asks for them. No legitimate process requires you to enter your seed phrase into software. If any application asks for it, that application is either malfunctioning or malicious. On hardware: buy only directly from ledger.com or authorized resellers listed on Ledger's website. Run the authenticity check immediately on any device before initializing a new wallet. A device that fails verification should be discarded, not used. Bitcoin may eventually need quantum-safe migration rules to survive a future protocol-level threat. Most users right now are losing funds because the trust model around the wallet is already broken — not by cryptographers, but by a fake app in a trusted store.

What to Watch

Watch for Apple's response on its review process — specifically whether the company revises its crypto app policies to prevent fake wallet applications from appearing in search results for legitimate product names. Watch ZachXBT's ongoing tracking of the AudiA6 laundering trail and whether KuCoin faces additional regulatory action from the 150+ deposit addresses traced to the theft. And watch whether any coordinated law enforcement action follows — the on-chain trail is clear, the laundering exchange is documented, and ZachXBT has suggested the evidence is sufficient for a class-action suit.

The hardware wallet worked perfectly. The user typed their seed into an app. Those are not the same failure.

Sources

  1. [1]ZachXBT — on-chain analysis and Telegram disclosure, April 14, 2026
  2. [2]CoinDesk — 'A Fake Ledger App on the Apple App Store Just Drained $9.5 Million in Crypto', April 14, 2026
  3. [3]Crypto.news — 'Crypto Scam: Fake Ledger App Steals $9.5 Million', April 14, 2026
  4. [4]CCN — 'Fake Ledger App Alert: $9.5M Stolen From 50+ Victims via Apple App Store, Funds Laundered via KuCoin', April 2026
  5. [5]Garrett Dutton (@glove) — public disclosure on X, April 2026
  6. [6]PANews — counterfeit Ledger hardware disclosure citing Cointelegraph, Brazilian security researcher findings, April 17, 2026
  7. [7]Ledger — Charles Guillemet, CTO, public statement on seed phrase security, April 2026
Trust Inversion series · Part 2 of 11
← Previous part
Your AI Agent's Plumbing Can Steal Your Crypto
Next part →
UNC1069 Is Deepfaking CEOs on Zoom to Drain Crypto Wallets

More in Trust Inversion

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price