A fraudulent version of the Ledger Live cryptocurrency wallet app was listed on Apple’s App Store for approximately one week before being removed, draining $9.5 million from more than 50 victims across multiple blockchain networks between April 7 and April 13, 2026. The theft was exposed by blockchain investigator ZachXBT, who traced stolen funds through more than 150 deposit addresses on the KuCoin exchange before they were routed into a centralized mixing service. Apple confirmed the app’s removal and terminated the associated developer account on April 13.
How the Scam Worked
The malicious app was listed under the developer name “Leva Heal Limited,” an account with no affiliation to Ledger, the hardware wallet manufacturer. It presented itself visually and functionally as the legitimate Ledger Live desktop client — the companion software Ledger hardware wallet users install to manage their devices and assets. The app passed Apple’s review process and remained active for nearly a week despite users reporting stolen funds from April 7 onward.
When victims downloaded the app and began the setup process, it prompted them to enter their 24-word seed phrase — the master recovery code that gives complete and irreversible access to a cryptocurrency wallet. With those phrases in hand, attackers immediately drained affected wallets. Ledger CTO Charles Guillemet publicly stated that Ledger never requests a 24-word recovery phrase and warned that attackers target any platform where users can be reached, including official app stores. The vulnerability exploited here was not in the Ledger hardware device itself but in the social engineering layer — a fraudulent app designed to capture credentials that unlock the wallet from any device.
Scale of Losses
ZachXBT’s on-chain analysis identified three individual victims who each lost seven-figure amounts. One victim lost $3.23 million in USDT on April 9. A second lost approximately $2.08 million in USDC on April 11. A third lost $1.95 million in Bitcoin, Ethereum, and staked Ethereum on April 8. Musician Garrett Dutton, known publicly as G. Love, disclosed on X that he lost 5.92 BTC — savings accumulated over nearly a decade — after downloading the app while setting up a new computer. “All my BTC gone in an instant,” he wrote. The stolen funds were dispersed across multiple blockchain networks including Bitcoin, Ethereum, Solana, Tron, and XRP before being consolidated through more than 150 KuCoin deposit addresses linked to AudiA6, a centralized mixing service that charges high fees to obscure transaction flows.
KuCoin confirmed it froze the accounts involved in the scheme but stated the freeze would only remain in place until April 20. ZachXBT publicly called out KuCoin for allowing the laundering to proceed across 150+ deposit addresses, noting the exchange had similarly been used to launder funds from the Bitcoin Depot theft earlier this month.
Apple’s Response and Legal Exposure
Apple confirmed to multiple outlets on April 15 that it has zero tolerance for fraudulent or malicious apps, that the fake Ledger Live app had been removed, and that the associated developer account was terminated. The company pointed to its App Review Guidelines, which prohibit apps that attempt to scam users, include hidden features, or rely on bait-and-switch tactics. Apple did not address how the app cleared review in the first place or why it remained active for nearly a week after the first theft reports emerged on April 7.
ZachXBT suggested the scale of losses may form the basis for a class-action lawsuit against Apple. The incident raises substantive questions about the adequacy of app store review processes for detecting sophisticated crypto-targeting applications, particularly given that a nearly identical fake Ledger Live app passed Microsoft’s store review in 2023 and caused approximately $600,000 in losses before being removed. The pattern suggests the problem is structural rather than isolated.
What Crypto Users Should Know
Ledger hardware wallets remain secure at the device level. The attack vector here was not a flaw in Ledger’s hardware or firmware but in the social engineering layer that precedes device use. A seed phrase entered into any application — regardless of where that application was downloaded — gives attackers complete wallet access with no recourse for recovery. Ledger’s official position is unambiguous: the company will never ask for a 24-word recovery phrase through any app, website, or support channel. Users should download Ledger Live only from ledger.com directly and should never enter seed phrases into software prompts of any kind.