A fake application posing as “Ledger Live” on the Apple App Store has been linked to more than $9.5 million in cryptocurrency theft, affecting over 50 users within just one week.
The activity was identified by blockchain investigator ZachXBT, who reported that the incidents occurred between April 7 and April 13, with victims losing funds on multiple networks, including Bitcoin, Ethereum, Solana, Tron, and XRP. This indicates a large-scale attack rather than a chain-specific exploit.
App Masqueraded as Legitimate Wallet Software
The malicious app mimicked the official Ledger Live interface and branding, presenting itself as a standard wallet management tool. It was listed under the developer name “SAS Software Company” and published by “Leva Heal Limited.”
The listing included positive user reviews and standard App Store metadata such as a business category label, age rating, and privacy disclosures claiming no data collection. These elements contributed to its credibility and likely reduced user suspicion.
Users who downloaded the app were prompted to input sensitive wallet information, which was then used to access and drain funds from their accounts.
Funds Routed Through Exchanges and Mixing Services
According to ZachXBT’s transaction analysis on Telegram, stolen assets were transferred through a network of intermediary wallets before being consolidated into more than 150 deposit addresses associated with the crypto exchange KuCoin.
Following this step, the funds were sent through a centralized mixing service known as “AudiA6,” which charges high fees to make the transactions difficult to trace. This process complicates tracking and recovery efforts.
ZachXBT also identified several wallet addresses across multiple blockchains where the stolen funds were first sent. Among the reported cases, several victims experienced losses exceeding seven figures.
- April 9: Approximately $3.23 million in USDT
- April 11: Approximately $2.079 million in USDC
- April 8: Combined losses of roughly $1.95 million in Bitcoin, ETH, and staked ETH
These incidents occurred shortly after victims interacted with the fake application, suggesting rapid exploitation once credentials were obtained.
Platform and Compliance Concerns
The app has since been removed from the Apple App Store. However, its presence and ability to attract users have raised questions about Apple’s app review processes.
The way the funds moved has also put KuCoin back in focus. The exchange has already faced action from regulators in several regions over its anti-money laundering controls, and reports suggest it has handled more suspicious activity over the past year.
The investigation remains ongoing, with no indication that stolen assets have been recovered. ZachXBT has mapped suspected victim wallets and transaction flows, providing a detailed view of how funds moved across chains and services.
Apple and fake apps on its Store
This is not the first time Apple’s review process has allowed copycat and malicious apps into its Store. In one case, a fake version of the Rabby Wallet appeared on the App Store before the official app was even approved, leading to users losing funds after entering their wallet credentials into the malicious app.
A similar pattern showed up with password managers. A fake app called “LassPass Password Manager” closely copied the branding of LastPass and was able to pass review, putting user login data at risk. Reports noted that the app mimicked the original interface closely enough to mislead users who were searching for the real product.
The issue goes beyond individual cases. Investigations into so-called “pig butchering” scams found that fraudulent investment and crypto apps have repeatedly appeared on both Apple and Google stores, used to build trust before stealing funds from victims. These apps often stay live long enough to attract downloads before being removed.
Even outside crypto, fake apps have reached high visibility. A fake version of Meta’s Threads app climbed to the number one spot in parts of Europe before it was taken down, showing how quickly these listings can gain traction.
It is also worth noting that in November 2023, Microsoft approved a fake Ledger Live app on its store. That app infected users’ devices with malware, leading to the theft of around $800,000 in Bitcoin and Ethereum.
Ledger Live to Ledger Wallet: Where Confusion Creeps In
Part of the confusion here comes from Ledger’s ongoing naming change. The company is moving from “Ledger Live” to “Ledger Wallet,” but both names are still in use across apps, websites, and search results. That overlap can make it harder for users to know what’s official. In cases like this, it gives fake apps more room to pass as legitimate, especially when the name already feels familiar.
Taken together, these cases suggest Apple needs to improve how it reviews and approves apps. Apps that copy branding, names, and interfaces need to be caught during initial review checks, so users can trust official app stores, which are often promoted by cybersecurity firms as reliable places to download apps.
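To illustrate the kind of name check described above, the following Python example (added here, not taken from the report and not Apple's or Ledger's code) flags a store listing whose title closely matches a protected brand while its publisher is not on that brand's approved list. The watchlist, the placeholder publisher strings and the 0.85 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed watchlist: brand name -> publisher strings accepted as official.
# The publisher values are placeholders, not verified store data.
WATCHLIST = {
    "Ledger Live": {"LEDGER-OFFICIAL-PUBLISHER"},
    "Ledger Wallet": {"LEDGER-OFFICIAL-PUBLISHER"},
    "LastPass": {"LASTPASS-OFFICIAL-PUBLISHER"},
}
THRESHOLD = 0.85  # assumed cut-off; tune against real listing data


def _tokens(text):
    """Lowercase alphanumeric words, so spacing and punctuation tricks are ignored."""
    return re.findall(r"[a-z0-9]+", text.lower())


def brand_similarity(title, brand):
    """Best ratio between the brand and any same-length word window of the title."""
    t, b = _tokens(title), _tokens(brand)
    target = "".join(b)
    windows = ["".join(t[i:i + len(b)]) for i in range(max(1, len(t) - len(b) + 1))]
    return max(SequenceMatcher(None, w, target).ratio() for w in windows)


def review_listing(title, publisher):
    """Return (brand, score) when the title resembles a protected brand but the
    publisher is not approved for it; return None when nothing is suspicious."""
    brand, score = max(
        ((b, brand_similarity(title, b)) for b in WATCHLIST),
        key=lambda pair: pair[1],
    )
    if score >= THRESHOLD and publisher not in WATCHLIST[brand]:
        return brand, round(score, 3)
    return None


# The first two titles and "Leva Heal Limited" come from the article;
# the other publishers and the last listing are constructed.
LISTINGS = [
    ("Ledger Live", "Leva Heal Limited"),
    ("LassPass Password Manager", "EXAMPLE-UNKNOWN-PUBLISHER"),
    ("Ledger Wallet", "LEDGER-OFFICIAL-PUBLISHER"),
    ("Budget Ledger Pro", "EXAMPLE-ACCOUNTING-PUBLISHER"),
]

if __name__ == "__main__":
    for title, publisher in LISTINGS:
        print(f"{title!r} by {publisher!r}: {review_listing(title, publisher)}")
```

Listing both “Ledger Live” and “Ledger Wallet” under the same approved publisher covers the naming overlap described above, so a copycat using either name is held to the same publisher check.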

