Fake Ledger App Drains $9.5M in Crypto

6 hours Ago

Key Takeaways

  • A malicious app masquerading as “Ledger Live” on the Apple App Store successfully stole $9.5 million from over 50 victims.

  • Stolen assets were routed through over 150 deposit addresses linked to a centralized mixing service to evade detection.

  • The incident has sparked intense debate over the security of “official” app stores and whether Apple bears responsibility for the theft.

Security in the digital asset space is often only as strong as the user’s interface, a fact tragically illustrated by a recent wave of thefts on the Apple App Store. Even the pros get caught sometimes. On-chain sleuth ZachXBT just flagged a massive scam involving a fake ‘Ledger Live’ app that actually slipped past Apple’s App Store filters.

https://t.me/investigations/313

In just one week this April, the app managed to drain about $9.5 million from over 50 people. It didn’t matter if victims were holding Bitcoin, Solana, or Ethereum—the hackers hit everyone. It’s a loud reminder that even ‘official’ app stores can harbor dangerous traps.

Ledger warns never to enter your seed phrase

The root of the vulnerability was a classic social engineering tactic: the app prompted users to enter their 24-word recovery phrase. Ledger’s Chief Technology Officer, Charles Guillemet, issued a blistering reminder that the company’s official software will never ask for a seed phrase. He emphasized that users must adopt a “zero trust” mindset regarding their digital environment.

Think the App Store is a total safe haven? Think again. Even official platforms get hit by scammers looking for an opening. It’s the same trap that caught musician Garrett Dutton off guard—he lost a staggering $420,000 just by trusting an app that looked like the real deal but was actually a malicious clone.

The scale of the theft suggests a highly organized criminal operation. ZachXBT’s findings indicate that the stolen funds were laundered through a KuCoin-linked mixing service, utilizing hundreds of different deposit addresses to break the on-chain trail. While KuCoin has stated it is reviewing the matter and monitoring for suspicious activity, the incident has left many questioning the effectiveness of modern anti-money laundering (AML) protocols.

More importantly, it has raised significant legal questions about Apple’s liability. If a trillion-dollar tech giant permits a fraudulent app to remain listed for nearly a week while it drains millions from users, the grounds for a class-action lawsuit become increasingly plausible.

Final Thoughts

This $9.5 million drain is a sobering reminder that “official” does not always mean “safe.” Hardware wallets are only effective if the human using them keeps their recovery phrase entirely offline and away from any digital interface.

Frequently Asked Questions

How did the fake Ledger app get on the App Store?
While the exact bypass method is unknown, attackers often use “bait and switch” updates to hide malicious code during the initial review process.

Does Ledger ever ask for a seed phrase?
No. You should only ever enter your 24-word recovery phrase directly into your physical Ledger device.

Can I recover my funds if I was scammed?
Recovery is extremely difficult once funds are mixed. Contacting law enforcement and the destination exchange (like KuCoin) immediately is essential.

Fatrick A

Author