A fake version of the Ledger Live cryptocurrency app passed Apple’s App Store review process, stayed live for nearly a week, and drained $9.5 million from more than 50 victims before Apple removed it on April 13.
Blockchain investigator ZachXBT traced the thefts on April 14 and published his findings on Telegram, identifying victims across Bitcoin, Ethereum-compatible networks, Tron, Solana, and Ripple.
The attack operated on a simple but devastating mechanic. The fraudulent app prompted users to enter their 24-word seed phrase under the guise of wallet restoration or device syncing. Once entered, attackers gained immediate and permanent access to every wallet tied to that phrase. They then reconstructed the victims’ wallets on their own devices and emptied them across multiple blockchains simultaneously. The real Ledger Live app, which Ledger distributes through its own website rather than the Mac App Store, never asks users to enter a seed phrase under any circumstances.
Ledger’s Chief Technology Officer addressed the incident directly, warning that no legitimate hardware wallet provider would ever request recovery phrases.
“If anyone, or any app, is asking for your 24 words, assume something is wrong,” he said.
He added that software environments, including browsers and app stores, are not trustworthy for private key management, and that the only legitimate use of a seed phrase is restoring access to a wallet on a device the user physically owns and controls.
Three victims lost seven-figure sums. The largest single theft was $3.23 million in USDT on April 9. A second victim lost $2.08 million in USDC on April 11. A third lost $1.95 million on April 8 across 20.64 Bitcoin, 211 staked Ether, and 70 Ether.
Among other victims was American musician Garrett Dutton, known as G. Love, who lost approximately 5.9 Bitcoin worth around $420,000 after downloading the app while setting up a new computer. He described the funds as ten years of savings intended for retirement.
“I worked ten years for this,” he wrote. “Be careful out there.”
The fake app was submitted under the publisher name “Leva Heal Limited,” an account unconnected to Ledger’s real development team. The attackers also created a fabricated version history, releasing fake major updates every few days to go from version 1.0 to 5.0 within two weeks, lending the app an appearance of active development and legitimacy.
ZachXBT traced all stolen funds through more than 150 deposit addresses on a major crypto exchange, linked to a centralized mixing service called AudiA6 that charges high fees to obscure the origin of illicit funds. The exchange involved froze the accounts linked to the scheme; however, the freeze was set to expire on April 20.
The exchange has faced significant regulatory pressure in recent months, including a ban by Austrian regulators on onboarding new European Union users in February 2026 and a $300 million fine paid to US authorities in January 2025 to settle anti-money laundering violations.
ZachXBT also noted a separate theft of approximately $3.7 million from Bitcoin Depot in the days before the Ledger campaign, with those funds also traced to the same exchange. Apple has not responded to media requests for comment. ZachXBT suggested the scale of losses and Apple’s role in distributing the fraudulent app may form the basis of a class-action lawsuit against the company.
This is not the first time a malicious crypto app has slipped through Apple’s review process, but the $9.5 million total makes it one of the most costly App Store fraud incidents on record.

