The malicious listing, now removed, spoofed a crypto wallet platform and stole recovery phrases to drain wallets across multiple blockchains.
A fake Ledger app from the Apple App Store has been removed after the malicious listing helped drain about US$9.5m in cryptocurrency from roughly 50 victims over several days, according to security researchers and reporters.
The scam worked by impersonating the Ledger Live platform, then tricking users into entering their recovery phrases, which gave attackers full control of their wallets.
The incident had attracted wider attention after musician G. Love said he had lost about 5.9 Bitcoin, worth roughly US$430,000, after downloading the counterfeit app while setting up a new computer.
Blockchain investigator ZachXBT has traced the stolen funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and XRP, and found they had been funneled through more than 150 KuCoin deposit addresses before being routed into a mixing service called AudiA6.
The fake listing was reportedly published under the developer name “Leva Heal Limited”, which was not associated with Ledger, and it used a fake version history that made the app appear actively maintained.
Security researchers said the app passed Apple’s review process despite imitating a real crypto wallet and asking for a seed phrase, something legitimate wallet software should not require on desktop during normal setup. A Ledger spokesperson said that its Mac app is distributed from its own website, not through the Apple App Store, and that the store version was fraudulent. That distinction matters because users often assume Apple’s marketplace provides a strong trust signal, especially for financial software.
The stolen funds included several large individual losses, including three seven-figure thefts between 8 April and 11 April 2026, underscoring how quickly a single seed phrase can compromise an entire wallet portfolio. KuCoin announced it has frozen the relevant accounts, although the freeze is temporary unless law enforcement requests an extension.
The case is the latest reminder that vetting of software in official app stores is not a guarantee of safety, particularly for crypto users who can lose everything once a recovery phrase is exposed.


