Garrett Dutton is the frontman of G. Love & Special Sauce. On April 11, he got a new computer and searched the Apple App Store for Ledger Live to set up his hardware wallet. He found what looked like the official app. He downloaded it. The app asked him to enter his 24-word seed phrase.
He typed it in.
“I had a really tough day today,” he posted on X. “I lost my retirement fund in a hack/scam when I switched my Ledger over to my new computer. I lost 5.9 BTC all I had for ten years.”
Dutton was not the first. He was not the last. Between April 7 and April 13, a malicious clone of Ledger Live sat on Apple’s App Store and drained at least $9.5 million from more than 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP. Three victims lost seven-figure sums. The largest single theft was $3.23 million in USDT on April 9. Then $2.08 million in USDC on April 11. Then $1.95 million in BTC, ETH, and stETH on April 8.
Apple removed the app on April 14. After seven days. After $9.5 million.
How It Worked
The attack was not technically sophisticated. It did not need to be.
The fake app was published under the developer name “Leva Heal Limited” and listed on the Mac App Store, positioned to appear when users searched for Ledger Live. It looked legitimate. The branding was close enough. It passed whatever review process Apple runs before making apps available to users.
When victims opened it and began the setup process, the app asked them to enter their seed phrase, the 24 words from which every private key on the hardware device is derived. Whoever holds those words can regenerate every account the device controls, on any machine, without the device. This is the one thing every security guide, every hardware wallet manufacturer, and every crypto educator says never to do in any app under any circumstances.
The real Ledger Live never asks for a seed phrase; the phrase is only ever entered on the hardware device itself, and only to restore it. The fake one did. And when victims typed it in, the attackers had everything they needed. Full, permanent access to every wallet tied to that phrase, across every blockchain, with no further action required: no malware to keep running, no transaction to get the victim to approve on the device, nothing to exploit.
Blockchain investigator ZachXBT traced the stolen funds, according to CCN, through more than 150 KuCoin deposit addresses and into a centralized mixing service called AudiA6, known for charging high fees to obscure transaction flows. ZachXBT has suggested Apple could face a class-action lawsuit for allowing the fake app to pass its review process.
The Apple Problem
Apple’s App Store review process is the company’s core promise to its users. Developers pay $99 per year for the privilege of submitting apps to a review team that Apple describes as a protection layer between users and malicious software. The App Store is not an open marketplace. It is a curated platform where Apple makes active decisions about what to allow.
A fake version of one of the most well-known cryptocurrency applications in the world, published under a developer name with no connection to Ledger, asking users to enter their master seed phrase, sat in that curated platform for seven days.
This is not the first time a fake crypto app has made it through Apple’s review. In 2021, a fake Trezor app drained users of bitcoin. The pattern is consistent enough that Ledger itself warns users explicitly to download its software only from ledger.com and never from any app store. That warning exists because app stores have failed crypto users repeatedly.
The $99 annual developer fee and the review process are Apple’s implicit promise that what appears in the App Store has been vetted. That promise has a dollar amount attached to it. It also has a track record, and that track record includes seven days of a fake Ledger app draining retirement savings.
The Trusted Systems Problem
We wrote about the Drift protocol hack, $285 million drained through a six-month North Korean intelligence operation that used legitimate Solana features against the protocol’s own users. The theme was the same: a system users trusted, used exactly as intended, with devastating results.
The fake Ledger app is the retail version of that story. Drift affected sophisticated DeFi users. The Apple App Store attack affected the person who just wants to set up their hardware wallet on a new computer and trusts that the app they find in the official store is the real one.
The attack vector in both cases is not a technical exploit. It is the gap between what a system promises and what it delivers. Apple promises a curated, reviewed, safe marketplace. It delivered a fake crypto drainer for seven days. Drift’s security model promised multisig protection. It delivered a six-month window for an attacker who bypassed it through social engineering.
Centralized trust is the vulnerability. Whether that trust is placed in a DeFi protocol’s security team or in Apple’s review process, the outcome when it fails is the same. The money is gone and there is no way to get it back.
What Ledger Users Should Know
Ledger does not distribute its macOS software through the Mac App Store. The only legitimate source for Ledger Live on desktop is ledger.com. This is not new information; Ledger has said it consistently. But it is information that tens of millions of hardware wallet users have never been directly told, because they reasonably assumed that what appears in official app stores is official software.
The seed phrase question is the definitive test for this scam. No legitimate hardware wallet application, not Ledger Live, not any other, will ever ask you to type your 24-word recovery phrase into a desktop or mobile app; the only place those words are ever entered is the hardware device itself, when restoring it. If an app asks for your seed phrase, close it immediately. It does not matter how official it looks, how many reviews it has, or where you found it. And the test only catches the app once it has asked; the control that stops you from installing it in the first place is downloading from ledger.com and nowhere else.
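One more check a Mac user can run before trusting a Ledger Live bundle, added here as an example and not Ledger's or Apple's own tooling: confirm who signed it, not merely that it is signed. A Mac App Store app is validly signed and passes Gatekeeper, because Apple signs it; the fake app would have passed `codesign --verify` just as the real one does. What distinguishes a ledger.com download is that it carries a Developer ID Application signature under Ledger's own Apple Team ID. The script below parses `codesign -dvv` output and accepts only a Developer ID signature whose TeamIdentifier matches an expected value. `EXPECTED_TEAM_ID` is a placeholder, not Ledger's real Team ID; take the real value from Ledger's documentation or from a copy of Ledger Live obtained from ledger.com. The two sample signature listings are constructed for the example, with placeholder identifiers.

```shell
#!/bin/sh
# Added example: check that a macOS app bundle is signed under the developer
# identity you expect, rather than just "validly signed". Not Ledger's code.

# PLACEHOLDER Team ID (assumption for the example). Replace with the real one,
# obtained from Ledger's own documentation or a ledger.com download.
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-EXAMPLETEAM}"

# check_signature_info INFO TEAM_ID
#   INFO is the text `codesign -dvv <app>` prints (to stderr).
#   Succeeds only if TeamIdentifier equals TEAM_ID and the leaf authority is a
#   "Developer ID Application" certificate (a direct-download signature), not
#   the App Store chain that Apple applies to every store app.
check_signature_info() {
    info=$1
    expected=$2
    team=$(printf '%s\n' "$info" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$team" ]; then
        echo "no TeamIdentifier in signature" >&2
        return 1
    fi
    if [ "$team" != "$expected" ]; then
        echo "TeamIdentifier mismatch: got $team, want $expected" >&2
        return 1
    fi
    if ! printf '%s\n' "$info" | grep -q '^Authority=Developer ID Application:'; then
        echo "not a Developer ID signature (App Store or ad-hoc signed)" >&2
        return 1
    fi
    return 0
}

# verify_app_bundle "/Applications/Ledger Live.app"
#   Runs the real checks on macOS: structural validity first, then identity.
verify_app_bundle() {
    app=$1
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (macOS only)" >&2
        return 2
    fi
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "signature invalid or bundle tampered" >&2
        return 1
    fi
    info=$(codesign -dvv "$app" 2>&1)
    check_signature_info "$info" "$EXPECTED_TEAM_ID"
}

# Constructed sample listings (placeholder identifiers, not real output).
# Shape of a direct-download (Developer ID) signature:
SAMPLE_DEVELOPER_ID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.wallet
TeamIdentifier=EXAMPLETEAM
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Shape of a Mac App Store signature: validly signed by Apple, different team.
SAMPLE_APP_STORE='Executable=/Applications/Lookalike.app/Contents/MacOS/Lookalike
Identifier=com.lookalike.wallet
TeamIdentifier=OTHERTEAM00
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'

# demo: 0 if the two samples are classified as expected, 1 otherwise.
demo() {
    check_signature_info "$SAMPLE_DEVELOPER_ID" "$EXPECTED_TEAM_ID" || return 1
    check_signature_info "$SAMPLE_APP_STORE" "$EXPECTED_TEAM_ID" 2>/dev/null && return 1
    echo "sample checks behaved as expected"
    return 0
}
```

The point of the second sample is the caveat: the lookalike listing is a perfectly valid Apple signature, so any check that stops at "is it signed and notarized" would accept it. Only pinning the identity (Team ID plus Developer ID Application authority) distinguishes the vendor's own build from a store clone, and that pin is only as good as the value you obtained from ledger.com.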
Garrett Dutton had a decade of bitcoin. He lost it in the time it took to type 24 words into a box that looked like the right app.
Apple removed the fake app on April 14. The $9.5 million is gone.