A fake Ledger Live app stole $9.5 million from users.

Researchers discovered that a counterfeit Ledger Live app for macOS appeared in the Apple App Store in early April. The fake app was available in the store for several days, and attackers used it to steal approximately $9.5 million in cryptocurrency from 50 users.

Users who downloaded the fake Ledger app fell for a classic scheme: the app asked them to enter a seed phrase, after which the attackers gained full access to their wallets and transferred the funds to their own addresses.

According to renowned blockchain analyst ZachXBT, the hackers used multiple wallets to accept funds from several networks simultaneously—Bitcoin, Ethereum, Tron, Solana, and Ripple. The stolen funds were then laundered through 150 addresses on the KuCoin exchange linked to the centralized mixer AudiA6.

The expert tracked the three largest victims of this campaign, who lost seven-figure sums: $3.23 million, $2.08 million, and $1.95 million—all transactions took place between April 8 and 11. Another victim was musician G. Love, who wrote on social media that he lost 5.9 BTC (approximately $430,000) after installing the app. ZachXBT also confirmed this transaction.

According to a discussion on Reddit, the fake app was published in the App Store under the name of Leva Heal Limited, an account unrelated to the real Ledger team. To make the product appear more credible, the attacker simulated a full release history: new versions were released every few days, so the version number jumped from 1.0 to 5.0 within a couple of weeks.

After numerous complaints, Apple removed the malware from the App Store, but by that time, 50 users had already lost a total of $9.5 million.

Representatives of the KuCoin exchange, which has previously been accused of violating anti-money laundering laws (last year, the company was fined $300 million), announced that they had frozen the accounts involved in this scheme. However, the freeze will remain in effect until April 20th and can only be extended by official request from law enforcement.

It's worth noting that Ledger does offer a macOS version of its app, but only on its own website. Only the iOS version is officially available in the App Store—it was this gap that the attackers exploited.