Counterfeit Ledger Live App Drains $9.5M in Cryptocurrency from Apple App Store Users
- 13 hours ago
Key Findings
A counterfeit Ledger Live app on Apple's App Store stole approximately $9.5 million from more than 50 users between April 7 and 13, 2026
The fake app was listed under "SAS Software Company" and "Leva Heal Limited," featuring convincing branding and fake positive reviews
Victims lost funds across Bitcoin, Ethereum, Solana, Tron, and XRP networks, indicating a multi-chain attack
Stolen assets were routed through 150+ KuCoin deposit addresses and then sent through a centralized mixing service called AudiA6
The largest individual losses included $3.23 million in USDT, $2.079 million in USDC, and $1.95 million in Bitcoin and ETH
Apple removed the app on April 13 after the attack was identified by blockchain investigator ZachXBT
No funds have been recovered and no arrests have been made
Background
This incident is another failure of Apple's App Review, the process that is supposed to screen applications before they reach users. The fake Ledger Live app mimicked the official wallet software closely enough to pass review, complete with legitimate-looking metadata, privacy disclosures, and user reviews. Users who installed it were prompted to enter their 24-word recovery phrases, which the attackers then used to drain their wallets.
The attack came while Ledger was rebranding Ledger Live as Ledger Wallet, a transition that added confusion and likely made the counterfeit listing more believable to unsuspecting users.
How the App Deceived Users
The malicious application presented itself as standard wallet management software with all the hallmarks of legitimacy: the official Ledger Live interface and branding, a business category label, an age rating, and a privacy policy claiming no data collection. Fake positive reviews and a professional presentation further reduced user suspicion.
The developers listed themselves as "SAS Software Company" and "Leva Heal Limited," names generic enough to avoid immediate scrutiny. Once installed, the app prompted users to enter their recovery phrases and wallet credentials. The genuine Ledger Live app never requests the recovery phrase: it is generated on, and never leaves, the hardware device, and any software that asks for it is attempting to take over the wallet.
The Theft and Money Trail
Once attackers held a victim's recovery phrase they could derive every private key the wallet controls, which is why individual victims lost funds on several chains at once. Transaction analysis shows that the stolen funds moved through a layered laundering path: assets were first sent to intermediary wallets, then consolidated into more than 150 deposit addresses at KuCoin, a major cryptocurrency exchange.
From KuCoin, the funds were transferred to AudiA6, described as a centralized mixing service that charges substantial fees to obfuscate transaction trails. This multi-step process significantly complicates tracking and recovery efforts.
Notable individual losses occurred in rapid succession. On April 8, one victim lost approximately $1.95 million in Bitcoin, ETH, and staked ETH. On April 9, another lost $3.23 million in USDT. On April 11, a third lost $2.079 million in USDC. How quickly funds moved after a victim entered a phrase suggests the attackers used automated or semi-automated tooling to sweep and forward funds as soon as a phrase was captured.
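The hop-by-hop consolidation described above, as an added example that is not part of the original reporting: a pro-rata ("haircut") taint trace over a constructed set of transfers, the same kind of propagation an investigator runs to measure how much of the stolen value reached each attributed entity and through how many deposit addresses. Every address, transaction id, amount and the generic "Exchange"/"Mixer" labels below are made up for illustration; none are from the incident.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample of on-chain transfers, oldest first:
# (txid, from_address, to_address, amount in USD-equivalent units).
# All values are invented for this example.
TXS = [
    ("tx01", "victim_a", "hop_1", 100),
    ("tx02", "victim_b", "hop_1", 50),
    ("tx03", "hop_1", "dep_1", 90),
    ("tx04", "hop_1", "dep_2", 60),
    ("tx05", "victim_c", "hop_2", 200),
    ("tx06", "shop_payout", "hop_2", 50),       # unrelated, clean inflow mixed in
    ("tx07", "hop_2", "dep_3", 250),
    ("tx08", "exchange_hot", "mixer_in", 400),  # withdrawal from the exchange's own wallet
]

# Attribution labels an analyst would already hold (hypothetical).
LABELS = {"dep_1": "Exchange", "dep_2": "Exchange", "dep_3": "Exchange",
          "mixer_in": "Mixer"}
VICTIMS = {"victim_a", "victim_b", "victim_c"}


def trace_taint(txs, victims, labels):
    """Pro-rata taint propagation.

    Every outflow from a victim address is fully tainted. Any other address
    forwards taint in proportion to the tainted share of what it currently
    holds, so clean funds mixed in at an intermediary dilute the taint rather
    than erase it. Fractions keep the arithmetic exact, which matters when the
    numbers end up in a report or a complaint.
    """
    balance = defaultdict(Fraction)    # address -> current holdings
    tainted = defaultdict(Fraction)    # address -> tainted part of holdings
    by_entity = defaultdict(Fraction)  # label -> tainted value received
    deposit_addrs = defaultdict(set)   # label -> addresses that received taint
    for _txid, src, dst, amount in txs:
        amount = Fraction(amount)
        if src in victims:
            share = Fraction(1)
        elif balance[src] > 0:
            share = tainted[src] / balance[src]
        else:
            share = Fraction(0)        # unknown origin: treated as clean
        moved = amount * share
        if src not in victims:
            balance[src] -= amount
            tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
        if dst in labels and moved > 0:
            by_entity[labels[dst]] += moved
            deposit_addrs[labels[dst]].add(dst)
    return dict(by_entity), {k: sorted(v) for k, v in deposit_addrs.items()}


def stolen_total(txs, victims):
    """Total value that left victim addresses."""
    return sum(amount for _, src, _, amount in txs if src in victims)


if __name__ == "__main__":
    reached, addrs = trace_taint(TXS, VICTIMS, LABELS)
    print("stolen:", stolen_total(TXS, VICTIMS))
    for label, value in reached.items():
        print(f"{label}: {value} via {len(addrs[label])} deposit address(es) {addrs[label]}")
```

In this constructed data all 350 units reach the exchange through three deposit addresses, while the later withdrawal from the exchange's hot wallet to the mixer carries no on-chain taint at all: a deposit to a centralized exchange is credited in the exchange's internal ledger, so the chain-level trace stops there and the next hop can only be tied back to the theft with the exchange's own records (which is why KuCoin's cooperation matters to any recovery effort).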
Platform and Regulatory Concerns
Apple removed the app on April 13, but only after ZachXBT's public disclosure, raising questions about the company's review standards and its monitoring of apps already on the store. The incident has prompted discussion about whether grounds exist for class-action litigation against Apple.
KuCoin's role in receiving the stolen funds has also drawn scrutiny. The exchange has faced regulatory action in multiple jurisdictions over anti-money laundering compliance and, as of February 2026, shortly after receiving its MiCA license, had already been barred from onboarding new European Union users.
ZachXBT's investigation remains ongoing, with blockchain analysts mapping suspected victim wallets and transaction flows across multiple chains and services. Neither Apple nor KuCoin had responded to requests for comment at the time of reporting.
A Pattern of App Store Security Failures
This incident is not isolated. Apple's App Store has repeatedly allowed malicious and counterfeit applications to reach users despite official review processes.
A fake Rabby Wallet app appeared on the App Store before the legitimate version was even approved, leading to credential theft from users who mistakenly downloaded it. Similarly, a fake "LassPass Password Manager" closely copied LastPass branding and passed review, putting login credentials at risk.
In November 2023, Microsoft approved a fake Ledger Live app on its store that infected users with malware, resulting in approximately $800,000 in Bitcoin and Ethereum theft. Investigations into pig butchering scams have found that fraudulent investment and crypto apps regularly appear on both Apple and Google stores, often remaining live long enough to attract significant downloads before removal.
Even non-crypto applications have exploited these gaps. A counterfeit Meta Threads app reached the number one position in parts of Europe before being taken down, demonstrating how quickly malicious listings can gain visibility.
Ledger's Response
Ledger's chief technology officer Charles Guillemet issued a statement warning users that the company never requests 24-word recovery phrases and cautioned against assuming any software environment is inherently trustworthy, including official app stores. He emphasized that attackers operate wherever opportunities exist, including on official distribution platforms.
The company has reinforced messaging that users should never enter seed phrases into any application, a fundamental principle of cryptocurrency security that remains surprisingly difficult to communicate effectively to average users.
Sources
https://hackread.com/fake-ledger-live-app-apple-store-crypto-theft/
https://www.tradingview.com/news/cointelegraph:f9cd9ea0b094b:0-fake-ledger-live-app-on-apple-app-store-drained-9-5m-from-victims-zachxbt/
https://www.coindesk.com/business/2026/04/14/a-fake-ledger-app-on-the-apple-app-store-just-drained-usd9-5-million-in-crypto
https://www.linkedin.com/posts/cyber-news-live_fake-ledger-live-app-on-apple-store-linked-activity-7450401210257268736-8Wls
https://appleinsider.com/articles/26/04/14/bogus-crypto-wallet-on-app-store-steals-95m