Apple's App Store Accidentally Hosts a $9.5M 'Send Your Seeds Here' Festival

A fake Ledger Live app listed on Apple's App Store drained approximately $9.5 million in crypto from more than 50 victims between April 7 and 13. Because apparently Apple's review team was busy that week, and "does this app look suspiciously like a known crypto wallet" wasn't on the checklist.

On-chain investigator ZachXBT traced the stolen funds through over 150 KuCoin deposit addresses allegedly tied to AudiA6, described as a centralized mixing service. The affected networks included Bitcoin, Solana, Tron, XRP Ledger, and Ethereum Virtual Machine-compatible chains. The hacker apparently wanted diversified exposure—or just really believed in the "don't put all your eggs in one basket" strategy when stealing from baskets.

Three seven-figure losses stood out among the reported cases:

• $1.95 million in BTC, stETH, and ETH
• $3.23 million in USDT on April 9
• $2 million in USDC on April 11

These losses make Apple's "I'm sorry, we can't refund you for that" policy seem even more quaint.

Apple removed the counterfeit app on April 13. Both Apple and KuCoin had not responded to Cointelegraph's requests for comment at publication. Shocking, truly. The deafening silence from both companies speaks volumes, mainly "we're hoping this blows over."

ZachXBT noted KuCoin had faced increased scrutiny, including a ban on onboarding new EU users in February shortly after receiving its MiCA license. The "too big to ban" energy was strong, but apparently not strong enough to stop being a preferred deposit destination for phishing scammers.

Ledger CTO Charles Guillemet warned that users should never share their 24-word recovery phrase with any app.

"You cannot trust the software environment around you – not your browser, not your app store, not your desktop," Guillemet said.

Paranoid? Maybe. Accurate? Unfortunately, yes. Your hardware wallet just became the only thing standing between your portfolio and a very expensive life lesson.

The incident followed a smaller case involving musician Garrett "G. Love" Dutton, who lost roughly $420,000 in BTC after downloading a malicious Ledger Live impersonator and entering his seed phrase. Special sauce indeed—just not the kind you want on your crypto.