Apple's Garden Wall Crumbles: Fake Ledger Live App Drains $9.5M From 50+ Victims

Well, folks, it happened again. Apple's supposedly ironclad App Store just hosted a fake Ledger Live app that drained approximately $9.5 million in crypto from more than 50 suspected victims between April 7 and 13, according to onchain investigator ZachXBT. The orchard has been picked clean, and Tim Cook isn't answering calls.

In a Tuesday Telegram post, ZachXBT laid out the carnage: users across Bitcoin, Solana, Tron, XRP Ledger and Ethereum Virtual Machine (EVM)-compatible networks all got rekt. The stolen funds were allegedly washed through over 150 KuCoin deposit addresses tied to AudiA6, which he described as a centralized mixing service. Nothing says "clean crypto" quite like funneling your ill-gotten gains through a known mixer on a major exchange. Bold strategy, cotton.

Apple finally pulled the fake app on April 13—because nothing says "proactive security" like waiting until the damage is done. ZachXBT identified three seven-figure losses among the largest known cases: one poor degen lost about $1.95 million in Bitcoin (BTC), staked Ether (stETH) and Ether (ETH); another got absolutely rinsed for $3.23 million in USDt (USDT) on April 9; and a third victim lost roughly $2 million in USDC (USDC) on April 11. That's not a hack, that's a heist with a capital H.

ZachXBT also pointed out that KuCoin has been seeing more illicit activity than a dodgy laundry mat lately, and reminded everyone that the exchange was banned from onboarding new European Union users in February—shortly after receiving its Markets in Crypto Assets Regulation (MiCA) license. Nothing says "regulatory compliance" like getting banned from the very market you just got licensed in. He also wondered aloud whether this whole mess might present grounds for a class action against Apple. Dream big, Zach.

Ledger chief technology officer Charles Guillemet weighed in with a statement that basically amounts to "we told you so, but also, sorry for your loss." He reminded everyone that Ledger will never, ever ask users for their 24-word recovery phrase and warned that official-looking software environments should not be treated as inherently safe. "You cannot trust the software environment around you – not your browser, not your app store, not your desktop," Guillemet said, adding that attackers "operate wherever the opportunity exists," including official distribution platforms. In other words: trust no one, verify everything, and maybe stop entering your seed phrase into random apps like it's a contest.

The latest incident follows a similar case reported on Monday that has everyone in the space feeling some type of way. Musician Garrett Dutton, also known as "G. Love," said he lost about $420,000 in BTC after downloading a malicious app impersonating Ledger Live from Apple's App Store and entering his seed phrase. Yes, he entered his seed phrase. Yes, it's tragic. Yes, we need to have a conversation about seed phrase security. ZachXBT noted the stolen assets were sent to deposit addresses associated with KuCoin, because of course they were.

Key details, including the total losses, victim count and laundering route, remain based on ZachXBT's findings and had not been confirmed by Apple or KuCoin at publication. So take this all with a grain of salt, do your own research, and for the love of all that is holy, never enter your seed phrase into anything that asks for it. Not even if it looks official. Not even if it has a nice UI. Definitely not if it promises you free money.