A Fake Ledger App Sat on Apple's App Store for a Week and Drained $9.5 Million in Crypto

A counterfeit Ledger Live application bypassed Apple's review process, stole seed phrases from more than 50 victims across five blockchains, and funnelled the proceeds through KuCoin deposit addresses before being removed.

By Oliver Woodford · 3 min read

A counterfeit version of Ledger Live — the companion software for the popular hardware wallet — spent at least a week on Apple's Mac App Store before being removed, during which time it stole an estimated $9.5 million in cryptocurrency from more than 50 victims across five blockchains.

The fake application, which mimicked the real Ledger Live's interface closely enough to fool experienced users, prompted people to enter their 24-word recovery phrases during setup. The recovery phrase is the root secret from which every account on every chain is deterministically derived, so that single input handed the attackers complete control of every wallet tied to the seed, with no need for the hardware device, its PIN, or any further contact with the victim. Funds were drained from Bitcoin, Ethereum, Solana, Tron and XRP accounts; the total — compiled by on-chain investigator ZachXBT — places this among the most damaging App Store-distributed scams in crypto's history.
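To make concrete why one phrase exposes accounts on several chains, the following is an added example (not code from the article, from Ledger, or from the fake app) that implements the standard BIP39 seed derivation and the hardened part of BIP32 key derivation with only the Python standard library. It then derives the account-level keys at m/44'/coin'/0' for the secp256k1 chains named above, all from the same root. The inputs are the published BIP39 and BIP32 reference test vectors, not any victim's phrase; function names such as `account_keys` are this example's own. Solana is left out because it uses ed25519 under SLIP-0010, which follows a different child-key rule.

```python
import hashlib
import hmac
import unicodedata

# Constructed inputs: the published BIP39 reference vector (all-zero entropy,
# passphrase "TREZOR") and the BIP32 test-vector-1 seed. These are spec test
# vectors, not anyone's real wallet.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
BIP32_VECTOR1_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000
XPRV_VERSION = bytes.fromhex("0488ADE4")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# SLIP-0044 coin types for the secp256k1 chains in the article. Solana (501)
# is omitted: it uses ed25519 via SLIP-0010, a different child-key rule.
COIN_TYPES = {"bitcoin": 0, "ethereum": 60, "xrp": 144, "tron": 195}


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase.
    Nothing here is secret except the words themselves."""
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with 'Bitcoin seed'.
    Left 32 bytes = master private key, right 32 bytes = chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def ckd_priv_hardened(k_par: bytes, c_par: bytes, index: int) -> tuple[bytes, bytes]:
    """BIP32 hardened child derivation (index >= 2^31). Hardened steps need only
    the parent private key, so no elliptic-curve point arithmetic is required."""
    if index < HARDENED:
        raise ValueError("non-hardened derivation needs the parent public key")
    data = b"\x00" + k_par + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    il, ir = int.from_bytes(digest[:32], "big"), digest[32:]
    child = (il + int.from_bytes(k_par, "big")) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:  # spec: skip this index (probability ~2^-128)
        raise ValueError("invalid child key; use the next index")
    return child.to_bytes(32, "big"), ir


def derive_hardened_path(seed: bytes, path: str) -> tuple[bytes, bytes]:
    """Walk a path such as m/44'/0'/0' in which every step is hardened."""
    k, c = bip32_master_key(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError(f"step {step!r} is not hardened")
        k, c = ckd_priv_hardened(k, c, HARDENED + int(step[:-1]))
    return k, c


def b58check(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of double-SHA256, base58 encoded."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def master_xprv(seed: bytes) -> str:
    """Serialise the master node as an extended private key (xprv...)."""
    k, c = bip32_master_key(seed)
    payload = XPRV_VERSION + b"\x00" + b"\x00" * 4 + b"\x00" * 4 + c + b"\x00" + k
    return b58check(payload)


def account_keys(mnemonic: str, passphrase: str = "") -> dict[str, str]:
    """Account-level private keys (m/44'/coin'/0') per chain, all from one phrase."""
    seed = bip39_seed(mnemonic, passphrase)
    return {name: derive_hardened_path(seed, f"m/44'/{coin}'/0'")[0].hex()
            for name, coin in COIN_TYPES.items()}


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed:", seed.hex())
    print("master xprv:", master_xprv(seed))
    for chain, key in account_keys(TEST_MNEMONIC, TEST_PASSPHRASE).items():
        print(f"{chain:9} m/44'/{COIN_TYPES[chain]}'/0' -> {key}")
```

The point of the example is that every step is a pure function of the 24 words (and an optional passphrase): no device, PIN, or network access is involved, so whoever captures the phrase can reproduce the whole tree on their own machine. A hardware wallet's entire value lies in performing this derivation, and the signing that follows, on the device only.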

The highest-profile victim was Garrett Dutton, the musician known as G. Love, who lost 5.92 BTC — roughly $424,000 at current prices and the entirety of his bitcoin savings accumulated over a decade. Dutton said he had been transferring his Ledger setup to a new computer and searched Apple's store for the official app. What he downloaded instead was a near-perfect replica. "That was my retirement," he wrote on X, in a post that drew thousands of responses and brought the scam into public view.


ZachXBT traced the stolen funds through a chain of intermediary wallets to deposit addresses linked to KuCoin, the Singapore-headquartered exchange whose European arm lost its MiCA licence in February after Austria's financial regulator found it had failed to maintain basic anti-money-laundering staff. ZachXBT expressed little optimism about recovery, noting that KuCoin's compliance track record gave him no confidence the exchange would freeze the accounts in time. The funds were also linked to a centralised laundering service known as AudiA6, which has appeared in previous phishing investigations.

Apple removed the fraudulent app after reports surfaced, but the episode raises uncomfortable questions about the App Store review process — a system Apple has long cited as a key security advantage over more open platforms. Hardware wallet users are a niche audience, and the legitimate Ledger Live application already exists on the store; how a clone requesting seed phrases cleared Apple's review team without triggering a rejection is a question the company hasn't publicly answered.

Ledger itself has repeatedly warned that it will never ask users for their recovery phrase, a message printed on the hardware, displayed during setup, and pinned to its social media accounts. The company's security documentation explicitly states that the recovery phrase should never be entered into any software application, only on the hardware device itself, using its buttons and screen. The genuine Ledger Live never needs the phrase at all: private keys never leave the device, and the desktop software only builds transactions and relays them to the device for signing, so any app that asks for the 24 words is, by definition, not doing what Ledger Live does. Yet the social engineering worked because the fake app presented itself as the official tool, and users setting up or restoring a wallet expected to interact with software on their computer.

The broader pattern is familiar. Crypto phishing has evolved from crude email campaigns into sophisticated attacks that exploit trusted distribution channels. Earlier this year, Operation Atlantic froze $12 million in stolen crypto and identified 20,000 approval-phishing victims across 30 countries — a reminder that the scale of these campaigns is growing, not shrinking. The Ledger clone attack is different in kind, though: it didn't rely on a malicious link or a deceptive email. It sat inside the walled garden of Apple's own marketplace, wearing the face of a company users had already chosen to trust with their savings.

Beau, the head of security at Pudgy Penguins, issued a warning following the reports, cautioning crypto holders against entering seed phrases on any internet-connected device and noting that scammers distribute fake wallet applications through email, ads and — as this case demonstrates — legitimate app stores.

The $9.5 million figure may yet climb. ZachXBT noted that not all victims had come forward by the time Apple pulled the application. For now, Ledger remains the market's dominant hardware wallet brand, with millions of devices in circulation. The trust deficit created by this incident belongs not to Ledger — which did nothing wrong — but to Apple, whose review process failed the people it was designed to protect.

MiningPool content is intended for information and educational purposes only and does not constitute financial, investment, or legal advice.
