Fake Ledger Live App in Apple's App Store Used to Steal $9.5M in Crypto

A fraudulent Ledger Live app that passed Apple's App Store review was used to siphon over $9.5M in cryptocurrency from more than 50 victims across multiple blockchain networks.

CoinJP Editorial

Phishing App Masquerading as Ledger Live Drains $9.5M

A counterfeit version of the Ledger Live wallet app, which somehow cleared Apple's App Store review process, was used to steal at least $9.5 million in cryptocurrency. On-chain investigator ZachXBT uncovered the scheme, which ran from April 7 to April 13 and impacted more than 50 victims across Bitcoin, TRON, Solana, and XRP Ledger networks.

On April 13, one of the most high-profile victims came forward: Garrett Dutton, frontman of the band G. Love, revealed he lost all 5.9 BTC he had accumulated over 10 years — roughly $420,000. Dutton explained that he downloaded the wallet onto a new computer and entered his seed phrase, not realizing the app was fraudulent.

Why This Matters

The incident raises serious questions about the reliability of Apple's app review system. Apple has long marketed its App Store as a curated and secure environment, yet a fake Ledger Live managed to remain available for download for at least a week — enough time for dozens of users to lose significant funds. ZachXBT suggested that Apple could face legal consequences given the scale of damages.

The attack vector was straightforward but devastating: victims launched the fake app, entered their seed phrase, and unknowingly handed full control of their wallets to the attackers.

Where the Stolen Funds Went

ZachXBT traced the stolen assets and found they were moved through a series of transactions to the KuCoin exchange. The investigator noted that more than 150 deposit addresses on the platform were used to launder the proceeds.

"Want to explain to the community why Kucoin allowed a threat actor to launder $9.5M+ tied to a fake Ledger app via 150+ Kucoin deposit addresses over the past week? A few days before that another threat actor laundered $3.5M+ from the Bitcoin Depot incident via 25+ Kucoin…" — ZachXBT (@zachxbt), original post

All of the KuCoin deposit addresses involved in the laundering were linked to AudiA6, a centralized crypto mixer that charges high fees to obscure the origins of funds.

The largest individual losses from the phishing campaign included:

  • $3.23 million in USDT;
  • $2.08 million in USDC;
  • $1.95 million in BTC, ETH, and stETH.

At the time of writing, Apple had removed the fake Ledger Live from the App Store. Ledger did not comment on the incident directly but published a thread reminding users about basic security practices.

"Protecting your digital life starts with staying alert to scams and phishing attempts. As digital ownership grows, fraud is becoming more sophisticated, and more frequent." — Ledger (@Ledger), original post

Phishing Dominates Q1 2026 Loss Statistics

The fake Ledger Live incident fits into a broader pattern. According to security firm Hacken, Web3 projects collectively lost $482 million to hacks and fraud in Q1 2026. Phishing and social engineering attacks were the dominant attack vector, accounting for 44 incidents with combined losses of $306 million.

Web3 losses from hacks and fraud in Q1 2026 — Hacken data

Hacken's analysts emphasized that the most costly incidents are occurring not at the smart contract level but at the operational and infrastructure layers — areas that traditional audits barely cover. Notable examples from the quarter include:

  • $306 million — total phishing-related losses;
  • $40 million — Step Finance lost funds after a call with a fake "venture capitalist" who was actually a North Korean hacker;
  • $25 million — Resolv Labs suffered a compromise of its AWS key management service.

Even where smart contracts were at fault, the most expensive bugs often involved legacy deployments and well-known vulnerability classes. Truebit lost $26.4 million due to a bug in a Solidity contract deployed roughly five years ago. Venus Protocol fell victim to a classic oracle price manipulation — a technique documented since 2022.

Notably, audited projects fared no better. Resolv (18 audits) and Venus (five audits) lost a combined $37.7 million, with average losses exceeding those of unaudited protocols. Hacken attributed this to the fact that projects with large TVL attract the most sophisticated attackers.

Earlier in April, Solana-based Drift Protocol lost $280 million in a breach that experts linked to North Korea's Lazarus Group.

Frequently Asked Questions

How did the fake Ledger Live app steal cryptocurrency?

Attackers published a counterfeit Ledger Live app on Apple's App Store. When victims downloaded it and entered their seed phrases, the fraudulent software transmitted those credentials to the hackers, giving them full access to the wallets.

How much was stolen through the fake Ledger app in the App Store?

On-chain investigator ZachXBT reported at least $9.5 million was stolen. The largest losses included $3.23 million in USDT, $2.08 million in USDC, and $1.95 million in BTC, ETH, and stETH.

How were the stolen Ledger funds laundered?

The stolen assets were funneled through KuCoin using over 150 deposit addresses. ZachXBT found all these addresses were linked to AudiA6, a centralized crypto mixer that charges high fees to obscure transaction origins.

Did Apple remove the fake Ledger Live app?

Yes, Apple removed the fraudulent Ledger Live app from the App Store. However, it remains unclear how the app passed Apple's review process and stayed available for at least a week.

How much did the crypto industry lose to hacks in Q1 2026?

According to security firm Hacken, Web3 projects lost a combined $482 million to hacks and fraud in Q1 2026. Phishing and social engineering dominated, accounting for $306 million across 44 incidents.
