
A fake Ledger app on the Mac App Store drained $9.5M. The self-custody question just got harder.

A counterfeit Ledger Live app sat on Apple’s Mac App Store for six days and drained $9.5 million from at least 50 users, including musician G. Love. The distribution channel, not the scam mechanics, is the story.


A counterfeit app cloning Ledger Live drained more than $9.5 million in bitcoin and other crypto from at least 50 users, including musician G. Love, according to investigators tracking the theft. On-chain sleuth ZachXBT identified the scheme and traced the stolen funds through 150+ KuCoin addresses. The listing was live on Apple's Mac App Store from April 7 to April 13, 2026.

The mechanics aren’t new. Fake wallet apps have been a staple scam since 2018. What’s new is the distribution channel. This one passed the same review process Apple invokes when it defends the 30% take and argues against alternative stores. For the segment of crypto users who picked Ledger specifically because they didn’t trust browser extensions or random Telegram links, that’s the uncomfortable part.

Per ZachXBT's thread and Decrypt's reporting, the attacker cloned the Ledger Live UI closely enough to pass a distracted user's glance. Users who opened the fake app and typed their 24-word recovery phrase during what looked like a routine device setup handed over full control of every account derived from that phrase. The app sent the phrases to a remote server, and the wallets were drained within hours.

Fifty-plus victims are confirmed. The $9.5M total is likely to climb as more affected users self-identify. Stolen funds were laundered through 150+ KuCoin deposit addresses, a pattern consistent with a prepared off-ramp rather than an opportunistic heist. Apple pulled the listing on April 13 after ZachXBT’s public reporting. Ledger, the legitimate hardware-wallet maker, has confirmed the attack and reiterated that its real app never asks users to type a recovery phrase into a computer.

In the same response, Ledger said it distributes Ledger Live only through its own download page and vetted channels; any app that asks for the 24-word phrase is a scam.

Direct market impact is modest. $9.5M across 50+ users doesn’t move price, and the on-chain trail is being watched. Protocol impact on Bitcoin or any affected chain is effectively zero. The distribution-channel impact is larger than the dollar figure suggests.

Why We’re Watching

The self-custody pitch takes a hit in an unexpected place. Canonical security advice has been to avoid hot wallets from unknown sources and use a hardware wallet like Ledger or Trezor. That still holds. The hardware wasn’t compromised. But the companion app is where users type recovery phrases during setup and recovery, and any channel that can serve a fake companion app is a channel that can drain users who did everything else right. The Mac App Store, as of this week, is one of those channels.

The review-process failure at Apple is the part to watch. iOS and macOS review is Apple’s answer to every regulator questioning the 30% tax. If a $9.5M wallet-cloning scam sits in the store for six days, the argument that review is worth the tax gets harder, and the argument that crypto apps should be allowed on alternative stores under the EU Digital Markets Act gets easier.

The audience expansion matters too. A 2021 fake Trezor wallet listing captured phrases worth about $1M before being pulled. The 2026 delta is that crypto self-custody has broadened past the 2018 to 2021 cohort. Users coming in through stablecoin payments, tokenized assets, or AI agents that hold keys on their behalf aren't steeped in the "never type your seed phrase" rule. The attack surface grew. Security literacy did not. In African markets, where self-custody adoption is fastest through apps like Bitnob and Yellow Card, an incident in a high-trust store like this reshapes onboarding copy: the wallet apps most people will actually touch are mobile-first, and the lesson needs to travel faster than the next clone.

The immediate rule for holders is narrower than most "crypto is unsafe" takes will suggest: no legitimate hardware-wallet companion app asks for your recovery phrase on the host machine, because the phrase is generated and restored on the device itself. If an app asks, it's fake. Your hardware wallet is fine. Your app store may not be.
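One concrete check a holder can script before launching a companion app, as an added example that is not from the article or from Ledger: confirm the bundle's code signature was issued under the vendor's own Team ID, with that Team ID taken from the vendor's site rather than from the store listing. The Team ID and bundle identifier below are placeholders, and the `codesign` output is a constructed sample; the real values come from `codesign -dv --verbose=4 <App.app>`, which prints to stderr.

```sh
#!/bin/sh
# Added example (not Ledger's code, not from the article): verify that a macOS
# app bundle is signed under the vendor's Team ID before trusting it.
# EXPECTED_TEAM_ID and EXPECTED_BUNDLE_ID are placeholders (assumptions);
# obtain the real values out of band from the vendor, never from the store page.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"
EXPECTED_BUNDLE_ID="${EXPECTED_BUNDLE_ID:-com.ledger.live}"

# check_signature: parse `codesign -dv --verbose=4` output on stdin and succeed
# (exit 0) only if both the bundle Identifier and the TeamIdentifier match.
# A store-signed fake passes Gatekeeper and shows a valid Apple authority chain,
# so the Team ID is what separates the vendor's build from a look-alike.
check_signature() {
    team="" ident=""
    while IFS= read -r line; do
        case "$line" in
            TeamIdentifier=*) team="${line#TeamIdentifier=}" ;;
            Identifier=*)     ident="${line#Identifier=}" ;;
        esac
    done
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "REJECT: no TeamIdentifier (unsigned or ad-hoc signed)"; return 1
    fi
    if [ "$team" != "$EXPECTED_TEAM_ID" ]; then
        echo "REJECT: TeamIdentifier $team != expected $EXPECTED_TEAM_ID"; return 1
    fi
    if [ "$ident" != "$EXPECTED_BUNDLE_ID" ]; then
        echo "REJECT: Identifier $ident != expected $EXPECTED_BUNDLE_ID"; return 1
    fi
    echo "OK: $ident signed by team $team"
}

# Constructed sample: what codesign prints for a bundle signed under the
# expected (placeholder) team via Mac App Store distribution.
GENUINE='Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample: a clone with the same name, same bundle id and the same
# valid Apple chain, but signed under a different developer team.
CLONE='Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Identifier=com.ledger.live
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999'

printf '%s\n' "$GENUINE" | check_signature
printf '%s\n' "$CLONE" | check_signature || echo "(clone rejected as intended)"

# Real use on macOS:
#   codesign -dv --verbose=4 "/Applications/Ledger Live.app" 2>&1 | check_signature
```

The point of the second sample is the one this incident makes: the authority lines are identical for the vendor's build and the counterfeit, because Apple signed both. Only the developer's Team ID differs, and it is only useful if you got the expected value from the vendor and not from the listing you are trying to verify.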

Watch three things. Does Apple disclose how the listing passed review, or go silent and invite regulatory scrutiny? Does KuCoin freeze the deposit addresses quickly? Cooperation has been the pattern before. Does this show up in the MiCA secondary rulemaking or in US wallet-classification language? A clean App Store failure is exactly the case study that gets cited.
