A crypto scam disguised as the official Ledger Live hardware wallet app passed Apple’s App Store review process and drained at least $9.5 million from over 50 victims in Bitcoin, Ethereum, Solana, Tron, and XRP between April 7 and April 13, with the stolen funds sent to a centralized mixing service via over 150 KuCoin deposit addresses.
Summary
The three major individual thefts were $3.23 million in USDT on April 9th, $2.08 million in USDC on April 11th, and $1.95 million in BTC, ETH, and stETH on April 8th. Blockchain investigator ZachXBT traced all of the stolen funds and said they were deposited in addresses linked to a mixing service called AudiA6, which is known for charging high fees to conceal fraudulent transactions. The attack worked by prompting users to enter a 24-word seed phrase into the fake app during what appeared to be a normal wallet setup flow. Once a seed phrase is entered into a connected application, an attacker has complete and immediate control over all wallets derived from it. Apple has removed the fake app from the App Store, but has not publicly commented on how it passed the review process. ZachXBT separately reported that Apple appears to be blocking security analysis tools from investigating the fraudulent listing, complicating independent investigations.
After ZachXBT published his on-chain analysis, a report on the theft brought widespread attention to the incident. One of the victims posted about it. “I worked for this for 10 years,” he wrote. “Be careful out there.” While he was setting up a Ledger hardware wallet on his new MacBook, he searched for Ledger Live in the App Store and downloaded the spoofed app. The seed phrase he entered gave the attacker instant access.
This case is not without precedent. In 2023, a nearly identical fake Ledger app scheme used the same impersonation and seed phrase playbook to steal approximately $600,000 through Microsoft’s app store.
The mechanism that makes this attack effective is not sophisticated. It’s social trust. Users accessing the Apple App Store have a reasonable expectation that the apps listed there are vetted and genuine. The fake Ledger app exploited that trust by showing up in search results for “Ledger Live” with convincing branding and a standard setup flow. Apple’s review process, which has rejected crypto apps for policy reasons, appears to have failed to catch malicious applications aimed at stealing funds from users of hardware wallets, which Apple’s own review policies encouraged users to use in the first place.
Why seed phrases and the App Store are structurally incompatible
The entire security model of a hardware wallet is based on one rule: the seed phrase never touches the connected device. The physical hardware generates the seed phrase offline and signs the transaction internally, so the private key is never exposed to the internet. The moment a user types a seed phrase into an app, website, or keyboard, the hardware wallet is no longer protected. Legitimate wallet providers, including Ledger, will never ask for a seed phrase during setup. Applications that request this are malfunctioning or malicious. Security experts recommend that you only download Ledger Live directly from ledger.com and never from the app store.
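The derivation below is an added example, not code from Ledger or from the original article. It assumes the 24-word phrase is a BIP-39 mnemonic and uses the public BIP-39 test-vector mnemonic (with its test passphrase "TREZOR") to show that the phrase alone deterministically yields the master key material for Bitcoin-style wallets, with no hardware device involved.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic; never a real wallet phrase.
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PASSPHRASE = "TREZOR"  # passphrase used by the published test vectors


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the mnemonic into a 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 iterations, salt = "mnemonic" + passphrase.
    No device identifier, PIN or server secret enters the computation.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: master private key and chain code for secp256k1 chains.

    Every child account key is derived from these two 32-byte values.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def phrase_is_the_only_secret(mnemonic: str, passphrase: str) -> bool:
    """Two independent runs (think: two different machines) agree exactly."""
    first = bip32_master(bip39_seed(mnemonic, passphrase))
    second = bip32_master(bip39_seed(mnemonic, passphrase))
    return first == second


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    key, chain_code = bip32_master(seed)
    print("seed            :", seed.hex())
    print("master key bytes:", len(key), "chain code bytes:", len(chain_code))
    print("reproducible    :", phrase_is_the_only_secret(TEST_MNEMONIC, TEST_PASSPHRASE))
```

Because the output depends only on the words typed, any app that collects the phrase holds the same keys the hardware wallet was meant to keep offline.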
What happens to stolen funds and why recovery is unlikely?
ZachXBT traced the stolen funds through nine transactions to a KuCoin deposit address linked to the AudiA6 mixing service. KuCoin was banned from onboarding new users in the EU by Austrian regulators in February 2026, just three months after receiving its MiCA license, and had previously paid more than $300 million to US authorities in 2025 to settle anti-money laundering violations. Recovery will require coordinated action and voluntary cooperation from law enforcement, but ZachXBT said he doesn’t expect that. The incident sparked discussion about a possible class action lawsuit against Apple over platform liability and confirms why cryptocurrency security experts consistently warn against downloading wallet software from sources other than the manufacturer’s official website.
