A crypto scam posing as the official Ledger Live hardware wallet app passed Apple’s App Store review process and drained at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP between April 7 and April 13, with stolen funds routed through more than 150 KuCoin deposit addresses and into a centralized mixing service.
Summary
- The three largest individual thefts were $3.23 million in USDT on April 9, $2.08 million in USDC on April 11, and $1.95 million in BTC, ETH, and stETH on April 8, with blockchain investigator ZachXBT tracing all stolen funds to deposit addresses linked to a mixing service called AudiA6, known for charging high fees to obscure illicit transactions.
- The attack worked by prompting users to enter their 24-word seed phrase into the fake app during what appeared to be a normal wallet setup flow; once a seed phrase is entered into any connected application, attackers gain full and immediate control of every wallet derived from it.
- Apple has removed the fake app from the App Store but has not publicly commented on how it passed the review process; ZachXBT separately reported that Apple appears to be blocking a security analysis tool from analyzing the fraudulent listing, which has complicated independent investigation.
A report on the theft brought the incident to wide attention after ZachXBT published his on-chain analysis. One of the victims, posting on X under the handle @glove, was Philadelphia musician Garrett Dutton of G. Love and Special Sauce, who lost 5.92 BTC accumulated over a decade of saving. “I worked ten years for this,” he wrote. “Be careful out there.” He was setting up his Ledger hardware wallet on a new MacBook when he searched the App Store for Ledger Live and downloaded the impersonating app. The seed phrase he entered gave attackers immediate access.
The incident isn’t without precedent. A nearly identical fake Ledger app scheme stole roughly $600,000 through Microsoft’s app store in 2023, using the same impersonation-plus-seed-phrase playbook.
The mechanism that makes this attack effective isn’t technical sophistication. It’s social trust. Users going to the Apple App Store reasonably expect that the apps listed there have been reviewed and are legitimate. The fake Ledger app exploited that trust by appearing in search results for “Ledger Live” with convincing branding and a standard setup flow. Apple’s review process, which has rejected crypto apps for policy reasons, apparently didn’t catch a malicious application designed to steal funds from users of hardware wallets that Apple’s own review policies pushed them toward using in the first place.
Why Seed Phrases and App Stores Are Structurally Incompatible
The hardware wallet’s entire security model rests on one rule: the seed phrase never touches a connected device. The physical hardware generates the seed phrase offline and signs transactions internally, so private keys are never exposed to the internet. The moment a user types their seed phrase into any app, website, or keyboard, the hardware wallet’s security is eliminated. No legitimate wallet provider, including Ledger, ever asks for a seed phrase during setup. Any application that requests one is either malfunctioning or malicious. Security experts recommend downloading Ledger Live only from ledger.com directly, never from any app store.
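Why a typed seed phrase is enough on its own, shown as an added example that is not part of the original article or Ledger's code: under the public BIP-39 and BIP-32 specifications, account keys for several coins are computed from the words alone, with no secret from the device involved. The sketch assumes the standard BIP-44 path m/44'/coin'/0' with SLIP-44 coin numbers, uses the public 12-word BIP-39 test-vector phrase, and skips wordlist and checksum validation.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order (public constant from the curve specification)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: the seed is PBKDF2 over the words; no device secret is mixed in."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)

def master_key(seed: bytes):
    """BIP-32 master private key and chain code for secp256k1 coins."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def hardened_child(key: int, chain: bytes, index: int):
    """BIP-32 hardened derivation; it needs only the parent private key."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]

def account_key(mnemonic: str, coin_type: int) -> str:
    """Hex private key at m/44'/coin_type'/0' (assumed BIP-44 layout)."""
    key, chain = master_key(mnemonic_to_seed(mnemonic))
    for index in (44, coin_type, 0):
        key, chain = hardened_child(key, chain, index)
    return key.to_bytes(32, "big").hex()

# Public BIP-39 test-vector phrase (not a real wallet; never fund it).
TEST_PHRASE = "abandon " * 11 + "about"

# SLIP-44 coin numbers. Solana is left out because it uses ed25519
# derivation rather than the secp256k1 scheme sketched here.
COINS = {"BTC": 0, "ETH": 60, "XRP": 144, "TRX": 195}

if __name__ == "__main__":
    for name, coin in COINS.items():
        print(name, account_key(TEST_PHRASE, coin))
```

Every input to these functions is the phrase itself, which is why the only effective control is that the words are never typed into a connected device.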
What Happens to Stolen Funds and Why Recovery Is Unlikely
ZachXBT traced the stolen funds through 9 transactions into KuCoin deposit addresses linked to the AudiA6 mixing service. KuCoin was barred from onboarding new EU users by Austrian regulators in February 2026, just three months after receiving a MiCA license, and previously paid over $300 million to US authorities in 2025 to settle anti-money laundering violations. Recovery would require coordinated law enforcement action and voluntary exchange cooperation that ZachXBT said he didn’t expect. The incident has prompted discussion of potential class-action lawsuits against Apple for platform liability, and reinforces why crypto security experts consistently warn against downloading wallet software from any source other than the manufacturer’s official website.


