Fake Ledger Live on App Store Drains $9.5M in One Week
A fraudulent Ledger Live app distributed through Apple's Mac App Store stole $9.5M from 50+ victims who entered seed phrases. ZachXBT traced funds to KuCoin.
A counterfeit version of Ledger Live published on Apple's Mac App Store stole at least $9.5 million in cryptocurrency from more than 50 victims between April 7 and April 13, 2026. The malicious app, published under the developer name "Leva Heal Limited," remained available for roughly two weeks before Apple removed it following community outcry.
Blockchain investigator ZachXBT exposed the scheme after tracing stolen assets across Bitcoin, Ethereum, Solana, Tron, and XRP networks. The scale of losses—combined with the app's presence on Apple's official marketplace—raises pointed questions about how fraudulent crypto software continues to slip through app store review processes.
How the Scam Worked
The attack followed a straightforward but devastating playbook. Victims searching for "Ledger" on the Mac App Store found the fraudulent listing, which visually mimicked the legitimate Ledger Live interface. After downloading what they believed was official software, users were prompted to enter their 24-word recovery phrase—the master key to their entire crypto portfolio.
Once victims entered their seed phrases, an automated draining mechanism swept funds from the connected wallets within minutes. The speed and coordination of the thefts suggest a well-organized operation running backend infrastructure to monitor compromised seeds and execute transfers in real time.
This isn't the first time fake wallet apps have exploited trust in official app stores. Earlier this year, SparkCat malware infiltrated both the Apple App Store and Google Play, using OCR technology to extract seed phrases from screenshots stored on victims' devices.
The Largest Losses
Three victims lost seven-figure sums during the week-long operation:
- $3.23 million in USDT drained on April 9
- $2.08 million in USDC stolen on April 11
- $1.95 million across BTC, ETH, and stETH taken on April 8
Among the victims was musician Garrett Dutton, known professionally as G. Love. He lost 5.92 BTC—approximately $424,000—representing a decade of accumulated savings he'd earmarked for retirement. The theft occurred as he set up his hardware wallet on a new MacBook.
"I been in the crypto circus since 2017. Today they caught me off guard," Dutton wrote on X. "It was my own damn fault for not being more diligent. But let it serve as a warning."
Money Laundering Trail
ZachXBT's on-chain analysis revealed stolen funds flowing through more than 150 KuCoin deposit addresses before being funneled through "AudiA6," a centralized mixing service known for charging premium fees to obscure illicit transactions.
The choice of KuCoin as a laundering hub is notable given the exchange's regulatory troubles. Austrian authorities barred KuCoin from onboarding new EU users in February 2026, just months after the exchange received its MiCA license. KuCoin previously paid over $300 million to U.S. authorities in 2025 to settle anti-money laundering violations.
ZachXBT suggested the incident's scale could provide grounds for a class-action lawsuit against Apple, given that victims trusted the App Store's vetting process when downloading financial software. The theft adds to an already brutal month for crypto holders—earlier in April, Bitcoin Depot disclosed a $3.6 million BTC theft through compromised infrastructure.
Apple's Security Failure
The fraudulent app's presence on the Mac App Store for two weeks represents a significant failure in Apple's review process. Community members on Reddit began flagging discrepancies in the developer identity shortly before Apple removed the listing, but by then millions in damage had already been done.
Apple declined to comment publicly on how the app passed review or what safeguards failed. The company's review guidelines prohibit apps that impersonate other brands or request sensitive authentication credentials, yet "Leva Heal Limited" apparently cleared these checks.
This incident follows a troubling pattern. A similar fake Ledger app on Microsoft's store stole nearly $600,000 from users in 2023, demonstrating that app store security gaps persist across platforms.
Ledger's Response
Ledger's Chief Technology Officer Charles Guillemet issued a statement reinforcing the company's security guidance:
"Ledger will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong. The only protection that holds is keeping your private keys on a dedicated hardware device with a secure screen, like a Ledger signer, and never entering your seed phrase into any app or website."
The company has maintained for years that its software is only available through ledger.com. Ledger Live is not distributed through consumer app stores, meaning any listing appearing under a third-party developer name is fraudulent by definition.
Why This Matters
The $9.5 million stolen represents life savings for many victims, but the broader implications extend beyond individual losses. Cryptocurrency's promise of self-sovereignty depends on users maintaining exclusive control of their private keys—yet that same self-custody model leaves no recourse when keys are compromised.
Centralized app stores were supposed to provide a trust layer, filtering out malicious software so users didn't need to verify every download themselves. This incident demonstrates that trust remains misplaced. The consequences mirror what we've seen in broader crypto fraud operations, where attackers exploit the gap between perceived security and reality.
For organizations tracking similar threats, the tactics here align with established social engineering patterns—attackers don't need to break encryption when they can simply convince users to hand over their keys.
Protecting Yourself
Hardware wallet users should treat any request for a recovery phrase as an immediate red flag. Legitimate wallet software never needs your seed phrase during normal operation. If you're setting up a device:
- Download software only from the manufacturer's official website
- Verify the domain carefully before entering credentials
- Never enter your recovery phrase into any application, website, or form
- Store your seed phrase offline, ideally in multiple secure physical locations
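The "verify the domain" step above is where lookalike links most often get past people, so here is an added example (not from the article or from Ledger) of doing that check strictly. It assumes ledger.com is the only official distribution domain, as the article states, and uses constructed sample links to show the common tricks an exact-host check must reject.

```python
"""Strict check that a download link points at the vendor's own domain."""
from typing import Tuple
from urllib.parse import urlsplit

# The article states Ledger Live is distributed only via ledger.com (assumption: no other domain).
OFFICIAL_DOMAIN = "ledger.com"


def check_download_url(url: str, official_domain: str = OFFICIAL_DOMAIN) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL whose host is the
    official domain itself or a subdomain of it; everything else is rejected."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "scheme is %r, expected https" % (parts.scheme or "missing")
    # .hostname is lowercased and has userinfo ("ledger.com@evil...") and port stripped
    host = parts.hostname
    if not host:
        return False, "no hostname"
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host (possible homoglyph of %s)" % official_domain
    if host == official_domain or host.endswith("." + official_domain):
        return True, "host %s belongs to %s" % (host, official_domain)
    return False, "host %s is not %s" % (host, official_domain)


# Constructed sample links (not taken from the article): one genuine, five lookalikes.
SAMPLE_LINKS = [
    "https://www.ledger.com/ledger-live",                        # genuine
    "http://ledger.com/ledger-live",                             # plain http
    "https://ledger.com.downloads-mirror.example/ledger-live",   # official name as a subdomain
    "https://ledger-com.example/ledger-live",                    # dash instead of dot
    "https://ledger.com@updates.example/ledger-live",            # userinfo trick
    "https://lеdger.com/ledger-live",                            # Cyrillic 'е' homoglyph
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_download_url(link)
        print(("OK  " if ok else "BAD "), link, "->", why)
```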
Anyone who downloaded the fraudulent Ledger app should assume their wallet is compromised and immediately transfer any remaining assets to a new wallet generated on a verified device.