What Happened
Between April 7 and April 13, 2026, a counterfeit version of Ledger Live operated on Apple's Mac App Store. The app closely imitated Ledger's official branding and setup flow. Users who downloaded it were prompted to enter their 24-word recovery phrase during what appeared to be a standard wallet initialization process. That single step gave attackers immediate, unconditional access to every wallet derived from the seed across every supported blockchain. ZachXBT published on-chain analysis on April 14 identifying more than 50 victims and tracing $9.5 million in losses. Apple removed the app on April 13 following user reports.
Among the confirmed victims is Garrett Dutton, the Philadelphia musician known professionally as G. Love, who disclosed on X that he lost 5.92 BTC — his entire retirement savings accumulated over roughly a decade — after downloading the fake app while migrating his Ledger to a new MacBook. 'I worked ten years for this,' he wrote. 'Be careful out there.' He was doing exactly what Ledger's setup instructions recommend: initializing the hardware wallet with the companion software. He searched for Ledger Live in the App Store, found the fake, and followed its prompts.
Why Seed Phrase Capture Is the Most Effective Attack
A hardware wallet's security model is built on one rule: the seed phrase never touches a connected device. The device generates the phrase offline and uses it to sign transactions internally. Private keys are never exposed to the internet, and no malware on a connected computer can extract them. This architecture defeats clipboard hijacking, man-in-the-middle attacks, and remote access trojans — all the vectors that make software wallets vulnerable.
Seed phrase capture bypasses this entire model through trust inversion. The user believes they are interacting with a protection tool. They are actually handing over the only secret that matters. Once a user types their 24 words into any connected application, the hardware wallet's protections are irrelevant — the attacker has the root key and can reconstruct every wallet the seed generates, on any chain, immediately. The physical device sitting on the desk is now a paperweight. This is not a technical vulnerability in the hardware. It is an attack on the trust model: users reasonably expect that an application in Apple's curated app store is what it claims to be. App-store distribution and brand trust are not security guarantees. A malicious app can survive review long enough to drain millions before removal — and in this case, it did exactly that for six days.
Apple's Review Process and the Distribution Problem
The attack's effectiveness depended entirely on Apple's App Store distribution. A fake website or malicious installer requires the attacker to drive traffic through phishing or social engineering. An app in the official App Store appears in search results alongside legitimate software and inherits the implicit trust of Apple's review process. Users who specifically avoid unofficial download sources to protect themselves were the most likely victims — they were following best practices and still got hit.
Apple's review process has historically been used to restrict crypto applications for policy reasons. The same process failed to catch a malicious application designed specifically to steal funds from crypto holders. Ledger does not distribute a legitimate Mac App Store version of Ledger Live — the official product is desktop software available only through ledger.com. A user searching the App Store had no legitimate result to find. The top result was the fake.
The Hardware Supply Chain Problem — Same Week
On April 17, a Brazilian security researcher published findings on a Ledger Nano S Plus purchased from a Chinese e-commerce platform at the official retail price, with packaging that appeared legitimate. The device failed Ledger's built-in authenticity verification immediately after connecting to the official Ledger Live app. Disassembly revealed embedded WiFi and Bluetooth antennas, tampered firmware, and a chip from Shanghai-listed Espressif Systems with its markings scratched off to obscure the substitution.
Two separate attack vectors against the same product in one week. The App Store fake captures seed phrases from users initializing or recovering wallets through software. The counterfeit hardware device is designed to capture seed phrases at the point of generation — the moment the device creates and displays the recovery phrase for the first time. Both attacks target the same moment of maximum vulnerability: when the user is handling their seed phrase.
What This Means for You
The Ledger Live rule is absolute: download only from ledger.com. Not from any app store, not from any search result, not from any link in an email or social post. The desktop application is available only through the official website. The iOS app exists on the Apple App Store, but it is for mobile, not for Mac. Any Mac App Store result for 'Ledger Live' should be treated as a fake until further notice.
The seed phrase rule is equally absolute: the 24 words should never be entered into any application on any connected device under any circumstances. Not to recover a wallet. Not to verify a backup. Not to complete a setup flow that asks for them. No legitimate process requires you to enter your seed phrase into software. If any application asks for it, that application is either malfunctioning or malicious. On hardware: buy only directly from ledger.com or authorized resellers listed on Ledger's website. Run the authenticity check immediately on any device before initializing a new wallet. A device that fails verification should be discarded, not used. Bitcoin may eventually need quantum-safe migration rules to survive a future protocol-level threat. Most users right now are losing funds because the trust model around the wallet is already broken — not by cryptographers, but by a fake app in a trusted store.
What to Watch
Watch for Apple's response on its review process — specifically whether the company revises its crypto app policies to prevent fake wallet applications from appearing in search results for legitimate product names. Watch ZachXBT's ongoing tracking of the AudiA6 laundering trail and whether KuCoin faces additional regulatory action from the 150+ deposit addresses traced to the theft. And watch whether any coordinated law enforcement action follows — the on-chain trail is clear, the laundering exchange is documented, and ZachXBT has suggested the evidence is sufficient for a class-action suit.