Fake Ledger app steals $9.5 million

A crypto scam masquerading as the legitimate Ledger Live hardware wallet app passed Apple’s App Store review process and siphoned off at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP between April 7 and April 13. The stolen funds were transferred to more than 150 KuCoin deposit addresses and then consolidated in a central mixing service.
Summary
- The largest individual thefts were $3.23 million in USDT on April 9, $2.08 million in USDC on April 11, and $1.95 million in BTC, ETH, and stETH on April 8. Blockchain investigator ZachXBT traced all stolen funds to addresses linked to a mixing service, AudiA6, known for its high fees.
- The attack worked by prompting users to enter their 24-character seed phrase into the fake app during what appeared to be a normal wallet setup flow; once a seed phrase is entered into any connected application, the attackers gain full and immediate control of the entire wallet derived from it.
- Apple removed the fake app from the App Store but has not publicly commented on how it passed review; ZachXBT reported separately that Apple appears to be blocking a security analysis tool from checking for fake listings, which has made independent investigation difficult.
The theft came to wider attention after ZachXBT published his on-chain analysis. One of the victims, posting on X under the handle @glove, was Philadelphia musician Garrett Dutton of G. Love and Special Sauce, who lost 5.92 BTC accumulated over ten years of saving. “I worked for ten years for this,” he wrote. “Be careful there.” He was setting up his Ledger hardware wallet on a new MacBook when he searched the App Store for Ledger Live and downloaded the impersonation app. The seed phrase he entered gave the attackers immediate access.
This is not the first incident of its kind. An almost identical fake Ledger app stole nearly $600,000 through Microsoft’s app store in 2023, using the same impersonation-plus-seed-phrase playbook.
The mechanism that makes this attack successful is not technical; it is social trust. Users who go to the Apple App Store reasonably expect that the applications listed there have been reviewed and are legitimate. The fake Ledger app exploited that trust by appearing in “Ledger Live” search results with a polished logo and a standard-looking setup flow. Apple’s review process, which has rejected crypto apps for policy reasons, apparently did not catch a malicious application designed to steal money from users of the very hardware wallets that Apple’s review policies pushed them toward in the first place.
Why Seeds and App Stores Are Structurally Incompatible
Every hardware wallet security model depends on one rule: the seed phrase never touches the connected device. The hardware wallet generates the seed phrase offline and signs transactions internally, so the private keys are never exposed to an online system. The moment a user types the seed phrase into any application, website, or keyboard, the hardware wallet’s protection is gone. No legitimate wallet provider, including Ledger, ever asks for a seed phrase during setup; any program that does is malicious. Security experts recommend downloading Ledger Live only from ledger.com directly, not from any app store.
What Happens to Stolen Funds and Why Recovery Is Impossible
ZachXBT traced the stolen funds through nine transactions to KuCoin deposit addresses linked to the AudiA6 mixing service. KuCoin was barred from onboarding new EU users by Austrian regulators in February 2026, just three months after receiving its MiCA license, and in 2025 paid US authorities more than 300 million to resolve anti-money-laundering violations. Recovery would require concerted action by law enforcement and voluntary cooperation from the exchange, which ZachXBT said he did not expect. The incident has prompted discussion of possible class action lawsuits against Apple over the platform’s role, and underlines why crypto security experts consistently warn against downloading wallet software from any source other than the manufacturer’s official website.