A Fake App in the App Store Just Stole $9.5 Million in Crypto
Réka Molnár
Apple’s App Store has long been marketed as the safer alternative — curated, reviewed, trustworthy. So when people search for “Ledger Live” and find it there, they download it without a second thought. That’s exactly what happened here. And it cost more than 50 people a combined $9.5 million.
The fake Ledger Live app sat in the App Store from at least April 7th. By the time Apple pulled it on April 13th, onchain investigator ZachXBT had already traced a trail of losses across Bitcoin, Ethereum, Solana, Tron, and XRP Ledger. Three victims alone lost over $1 million each. One person saw $3.23 million in USDT disappear in a single day; another lost $2 million in USDC two days later. A musician named Garrett Dutton, better known as G. Love, lost his entire $420,000 Bitcoin retirement fund the same way: he downloaded the app, entered his seed phrase, and it was gone.
The stolen funds weren’t just sitting in a wallet somewhere. ZachXBT linked them to over 150 KuCoin deposit addresses tied to what he describes as a centralized mixing service called AudiA6, essentially a laundering pipeline designed to make the money disappear into the noise.
Here’s the part that stings: none of this required any sophisticated attack. No exploit, no vulnerability, no zero-day. Just a convincing-looking app in a store people are taught to trust, and the age-old trick of asking for your seed phrase.
Ledger’s CTO Charles Guillemet put it bluntly. The company never asks for your 24-word recovery phrase, ever, for any reason. But he went further than just defending Ledger’s reputation. He said something worth sitting with: “You cannot trust the software environment around you, not your browser, not your app store, not your desktop.” That’s not paranoia. That’s just accurate now.
ZachXBT raised a question that’s uncomfortable for Apple: does this open the door to a class action lawsuit? Apple takes a cut of every app that makes money on its platform and positions its review process as a security guarantee. If a scam app drains millions from users under that umbrella, what’s the liability?
There’s no response from Apple or KuCoin yet.
The practical takeaway is simple and unchanged, even if people keep ignoring it: your seed phrase is the only thing standing between your funds and everyone else. No app, no support team, no “official” platform should ever need it. The moment something asks for it, it’s a scam, no matter how real it looks, no matter where you downloaded it from.
The App Store badge doesn’t mean safe. It just means someone approved it once.