A fraudulent version of the Ledger Live application on Apple’s App Store has drained approximately $9.5 million in cryptocurrency from 50 victims over several days this month.
The malicious macOS app tricked users into entering their recovery phrases, granting attackers full control over their digital wallets.
Blockchain investigator ZachXBT reported that the attackers moved funds across multiple blockchains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.
According to the investigator, the stolen assets were laundered through more than 150 deposit addresses on the KuCoin exchange. The funds were linked to a centralized mixing service known as “AudiA6,” which processes crypto transactions for high fees.
Massive individual losses
Data tracked by ZachXBT identified three victims who lost seven-figure sums between April 8 and April 11: $3.23 million, $2.08 million, and $1.95 million.
Musician G. Love shared on X that he lost 5.9 BTC, valued at approximately $430,000, after downloading the fraudulent software. This specific theft was also verified by ZachXBT.
Reddit discussions revealed the fake app was published under the name ‘Leva Heal Limited,’ an account unrelated to the official Ledger development team. To appear legitimate, the attackers released frequent updates, rapidly progressing from version 1.0 to 5.0 within just two weeks.
Apple has since removed the app from the App Store following multiple user reports. However, the removal occurred only after the $9.5 million theft was completed.
KuCoin announced it has frozen the accounts involved in the scheme, though the platform noted the freeze is only scheduled to last until April 20 unless law enforcement requests an extension.
This incident highlights a recurring vulnerability in software distribution. While Ledger provides a Mac app via its official website, it does not offer a macOS version on the Apple App Store. Attackers have previously exploited this gap, including in a 2023 attack on the Microsoft Store that resulted in $768,000 in stolen crypto.