A crypto scam posing as the official Ledger Live hardware wallet app passed Apple’s App Store review process and drained at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP between April 7 and April 13, with stolen funds routed through more than 150 KuCoin deposit addresses and into a centralized mixing service.
Summary
- The three largest individual thefts were $3.23 million in USDT on April 9, $2.08 million in USDC on April 11, and $1.95 million in BTC, ETH, and stETH on April 8, with blockchain investigator ZachXBT tracing all stolen funds to deposit addresses linked to a mixing service called AudiA6, known for charging high fees to obscure illicit transactions.
- The attack worked by prompting users to enter their 24-word seed phrase into the fake app during what appeared to be a normal wallet setup flow; once a seed phrase is entered into any connected application, attackers gain full and immediate control of every wallet derived from it.
- Apple has removed the fake app from the App Store but has not publicly commented on how it passed the review process; ZachXBT separately reported that Apple appears to be blocking a security analysis tool from inspecting the fraudulent listing, which has complicated independent investigation.
A report on the theft brought the incident to wide attention after ZachXBT published his on-chain analysis. One of the victims, posting on X under the handle @glove, was Philadelphia musician Garrett Dutton of G. Love and Special Sauce, who lost 5.92 BTC accumulated over a decade of saving. “I worked ten years for this,” he wrote. “Be careful out there.” He was setting up his Ledger hardware wallet on a new MacBook when he searched the App Store for Ledger Live and downloaded the impersonating app. The seed phrase he entered gave attackers immediate access.
The incident is not without precedent. A nearly identical fake Ledger app scheme stole roughly $600,000 through Microsoft’s app store in 2023, using the same impersonation-plus-seed-phrase playbook.
The mechanism that makes this attack effective is not technical sophistication. It is social trust. Users going to the Apple App Store reasonably expect that the apps listed there have been reviewed and are legitimate. The fake Ledger app exploited that trust by appearing in search results for “Ledger Live” with convincing branding and a standard setup flow. Apple’s review process, which has rejected crypto apps for policy reasons, apparently did not catch a malicious application designed to steal funds from users of hardware wallets that Apple’s own review policies pushed them toward using in the first place.
Why Seed Phrases and App Stores Are Structurally Incompatible
The hardware wallet’s entire security model rests on one rule: the seed phrase never touches a connected device. The physical hardware generates the seed phrase offline and signs transactions internally, so private keys are never exposed to the internet. The moment a user types their seed phrase into any app, website, or keyboard, the hardware wallet’s security is eliminated. No legitimate wallet provider, including Ledger, ever asks for a seed phrase during setup. Any application that requests one is either malfunctioning or malicious. Security experts recommend downloading Ledger Live only from ledger.com directly, never from any app store.
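Why the rule is absolute, as an added illustration that is not part of the original article: assuming the public BIP-39 and BIP-32 standards that 24-word recovery phrases follow, the master key is a pure function of the words, so any computer that receives the phrase can recompute it with standard-library calls and no hardware device. The phrase used is a published BIP-39 test vector and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes) -> tuple:
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" yields master key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_master_key(mnemonic: str, passphrase: str = "") -> str:
    """Everything needed to root a wallet tree, computed from the words alone."""
    key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return key.hex()


# Published BIP-39 test vector (all-zero entropy, 24 words). Never a real wallet.
TEST_PHRASE = " ".join(["abandon"] * 23 + ["art"])

if __name__ == "__main__":
    first = derive_master_key(TEST_PHRASE)
    second = derive_master_key(TEST_PHRASE)
    # Same words, same key, on any machine: the device adds no secret of its own.
    print("deterministic:", first == second)
    # An optional BIP-39 passphrase changes the result, which is why some users
    # add one as a second factor that is never written next to the words.
    print("passphrase changes key:", first != derive_master_key(TEST_PHRASE, "extra"))
```

Because nothing on the device is required to repeat this computation, a phrase that has been typed into any app should be treated as compromised and the funds moved to a wallet created from a new phrase.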
What Happens to Stolen Funds and Why Recovery Is Unlikely
ZachXBT traced the stolen funds through 9 transactions into KuCoin deposit addresses linked to the AudiA6 mixing service. KuCoin was barred from onboarding new EU users by Austrian regulators in February 2026, just three months after receiving a MiCA license, and previously paid over $300 million to US authorities in 2025 to settle anti-money laundering violations. Recovery would require coordinated law enforcement action and voluntary exchange cooperation that ZachXBT said he did not expect. The incident has prompted discussion of potential class-action lawsuits against Apple for platform liability, and reinforces why crypto security experts consistently warn against downloading wallet software from any source other than the manufacturer’s official website.


