Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto

A malicious Ledger Live app for macOS available from Apple’s App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month.

Users who downloaded the fake Ledger app were tricked into entering their seed/recovery phrases, thus giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control.

According to blockchain investigator ZachXBT, the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.


The stolen amounts were then laundered through more than 150 deposit addresses on KuCoin, linked to a centralized mixing service called “AudiA6,” which launders crypto in exchange for high fees.

[Figure: Malicious transactions. Source: ZachXBT]

The investigator tracked three individual victims losing seven-figure amounts ($3.23 million, $2.08 million, and $1.95 million) between April 8 and April 11.

Musician G. Love stated on X that he also lost 5.9 BTC (currently $430k) after downloading the app. This loss was also traced and confirmed by ZachXBT.


According to a Reddit discussion, the fake app was submitted to the Apple App Store under the publisher name ‘Leva Heal Limited,’ an account not associated with the real Ledger development team.

The malicious actor also created a fake version history by releasing major new versions every few days, going from 1.0 to 5.0 within just two weeks.

[Figure: Details of the fake Ledger app. Source: Reddit]

Following multiple user reports, Apple has now removed the fake app from the App Store, but not before 50 users lost a total of $9.5 million.

BleepingComputer has reached out to Apple for a comment, but we have not received a response yet.

Meanwhile, KuCoin, which has been accused of violating anti-money laundering laws in the past and was even ordered to pay $300 million in penalties in the U.S. last year, announced that it has frozen the accounts involved in the latest scheme.

However, the platform noted that the freeze will only last until April 20; beyond that date, it can be extended via an official request from law enforcement authorities.

It is important to note that Ledger offers a Mac app on its website, but not in the Apple App Store, where only an iOS-compatible version is available.

Threat actors have exploited this availability gap before: in 2023, a fake Ledger Live app in the Microsoft Store stole $768,000 worth of cryptocurrency.
