{"id":45452,"date":"2026-04-16T07:44:10","date_gmt":"2026-04-15T23:44:10","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/fake-ledger-live-app-on-apple-store-linked-to-9-5m-crypto-theft\/"},"modified":"2026-04-16T07:44:10","modified_gmt":"2026-04-15T23:44:10","slug":"fake-ledger-live-app-on-apple-store-linked-to-9-5m-crypto-theft","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/16\/fake-ledger-live-app-on-apple-store-linked-to-9-5m-crypto-theft\/","title":{"rendered":"Fake Ledger Live App on Apple Store Linked to $9.5M Crypto Theft"},"content":{"rendered":"\n<p>A fake application posing as \u201cLedger Live\u201d on the <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/apple-removes-clearview-ai-iphone-app-from-app-store\/\" data-type=\"post\" data-id=\"75962\">Apple App Store<\/a> has been linked to more than $9.5 million in cryptocurrency theft, affecting over 50 users within just one week.<\/p>\n<p>The activity was identified by blockchain investigator <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/investigators-link-bybit-hack-north-korea-lazarus-group\/\" data-type=\"post_tag\" data-id=\"28253\">ZachXBT<\/a>, who reported that the incidents occurred between April 7 and April 13, with victims losing funds on multiple networks, including Bitcoin, Ethereum, Solana, Tron, and XRP. This indicates a large-scale attack rather than a chain-specific exploit.<\/p>\n<h3><strong>App Masqueraded as Legitimate Wallet Software<\/strong><\/h3>\n<p>The malicious app mimicked the official Ledger Live interface and branding, presenting itself as a standard wallet management tool. 
It was listed under the developer name \u201cSAS Software Company\u201d and published by \u201cLeva Heal Limited.\u201d<\/p>\n<p>The listing included positive user reviews and standard App Store metadata such as a business category label, age rating, and privacy disclosures claiming no data collection. These elements contributed to its credibility and likely reduced user suspicion.<\/p>\n<p>Users who downloaded the app were prompted to input sensitive wallet information, which was then used to access and drain funds from their accounts.<\/p>\n<div>\n<figure><a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-scaled.jpeg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"321\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-1024x321.jpeg\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-1024x321.jpeg 1024w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-300x94.jpeg 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-768x241.jpeg 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-1536x481.jpeg 1536w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-2048x642.jpeg 2048w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-380x119.jpeg 380w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-800x251.jpeg 800w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-1160x364.jpeg 1160w, 
https:\/\/hackread.com\/wp-content\/uploads\/2026\/04\/fake-ledger-live-app-apple-store-crypto-theft-1-scaled.jpeg 2560w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" alt=\"Fake Ledger Live App on Apple Store Linked to $9.5M Crypto Theft\" \/><\/a><figcaption>The fake Ledger Live app, its developers&#8217; details, and fake positive reviews (Via: ZachXBT)<\/figcaption><\/figure>\n<\/p><\/div>\n<h3><strong>Funds Routed Through Exchanges and Mixing Services<\/strong><\/h3>\n<p>According to ZachXBT&#8217;s transaction <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/t.me\/s\/investigations\/313\">analysis<\/a> on Telegram, stolen assets were transferred through a network of intermediary wallets before being consolidated into more than 150 deposit addresses associated with the crypto exchange <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/kucoin-crypto-exchange-hacked-hackers-drain-hot-wallets\/\" data-type=\"post\" data-id=\"81410\">KuCoin<\/a>.<\/p>\n<p>Following this step, the funds were sent through a centralized mixing service known as \u201cAudiA6,\u201d which charges high fees to make the transactions difficult to trace. This process complicates tracking and recovery efforts.<\/p>\n<p>ZachXBT also identified several wallet addresses across multiple blockchains where the stolen funds were first sent. 
Among the reported cases, several victims experienced losses exceeding seven figures.<\/p>\n<ul>\n<li>April 9: Approximately $3.23 million in USDT<\/li>\n<li>April 11: Approximately $2.079 million in USDC<\/li>\n<li>April 8: Combined losses of roughly $1.95 million in Bitcoin, ETH, and staked ETH<\/li>\n<\/ul>\n<p>These incidents occurred shortly after victims interacted with the fake application, suggesting rapid exploitation once credentials were obtained.<\/p>\n<h3><strong>Platform and Compliance Concerns<\/strong><\/h3>\n<p>The app has since been removed from the Apple App Store. However, its presence and ability to attract users have raised questions about Apple&#8217;s app review processes.<\/p>\n<p>The way the funds moved has also put KuCoin back in focus. The exchange has already <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.lowenstein.com\/news-insights\/publications\/client-alerts\/cftc-settles-with-kucoin-for-500-000-despite-alleged-anti-money-laundering-violations-fctm#:~:text=Although%20KuCoin&#039;s%20alleged%20AML%20violations,CFTC&#039;s%20new%20Director%20of%20Enforcement\">faced action<\/a> from regulators in several regions over its anti-money laundering controls, and reports suggest it has handled more suspicious activity over the past year.<\/p>\n<p>The investigation remains ongoing, with no indication that stolen assets have been recovered. 
ZachXBT has mapped suspected victim wallets and transaction flows, providing a detailed view of how funds moved across chains and services.<\/p>\n<h3><strong>Apple and fake apps on its Store<\/strong><\/h3>\n<p>This is not the first time Apple\u2019s review process has allowed copycat and malicious apps into its Store. In one case, a <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/apple-approves-fake-app-before-real-rabby-wallet\/\">fake version of the Rabby Wallet<\/a> appeared on the App Store before the official app was even approved, leading to users losing funds after entering their wallet credentials into the malicious app.<\/p>\n<p>A similar pattern showed up with password managers. A fake app called \u201c<a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/fake-lastpass-password-manager-app-on-ios-store\/\" data-type=\"post\" data-id=\"112998\">LassPass Password Manager<\/a>\u201d closely copied the branding of LastPass and was able to pass review, putting user login data at risk. 
Reports noted that the app mimicked the original interface closely enough to mislead users who were searching for the real product.<\/p>\n<p>The issue goes beyond individual cases. <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/pig-butchering-fake-apps-crypto-apple-google-play-stores\/\">Investigations into<\/a> so-called \u201cpig butchering\u201d scams found that fraudulent investment and crypto apps have repeatedly appeared on both Apple and Google stores, used to build trust before stealing funds from victims. These apps often stay live long enough to attract downloads before being removed.<\/p>\n<p>Even outside crypto, fake apps have reached high visibility. A <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/fake-threads-app-apple-store-europe\/?utm_source=chatgpt.com\">fake version of Meta\u2019s Threads app<\/a> climbed to the number one spot in parts of Europe before it was taken down, showing how quickly these listings can gain traction.<\/p>\n<p>It is also worth noting that in November 2023, Microsoft <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/hackread.com\/fake-ledger-app-microsoft-app-store-crypto-funds\/\">approved<\/a> a fake Ledger Live app on its store. That app infected users\u2019 devices with malware, leading to the theft of around $800,000 in Bitcoin and Ethereum.<\/p>\n<h3><strong>Ledger Live to Ledger Wallet: Where Confusion Creeps In<\/strong><\/h3>\n<p>Part of the confusion here comes from Ledger\u2019s ongoing naming change. The company is <a target=\"_blank\" rel=\"noopener\" href=\"https:\/\/support.ledger.com\/article\/4404389606417-zd\">moving from \u201cLedger Live\u201d to \u201cLedger Wallet,\u201d<\/a> but both names are still in use across apps, websites, and search results. That overlap can make it harder for users to know what\u2019s official. 
In cases like this, it gives fake apps more room to pass as legitimate, especially when the name already feels familiar.<\/p>\n<p>Taken together, these cases suggest Apple needs to improve how it reviews and approves apps. Apps that copy branding, names, and interfaces need to be caught during initial review checks, so users can trust official app stores, which are often promoted by cybersecurity firms as reliable places to download apps.<\/p>\n<div>\n<h5><a target=\"_blank\" rel=\"author\" href=\"https:\/\/hackread.com\/author\/hackread\/\">Waqas<\/a><\/h5>\n<div>I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. 
I am also into gaming, reading and investigative journalism.<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A fake application posing as \u201cLedger Live\u201d on the Apple [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-45452","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45452","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45452"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45452\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}