Fake Ledger App Drained $9.5M From Apple Store Users in Six Days

A fraudulent Ledger Live app listed on Apple’s App Store stole approximately $9.5 million from more than 50 victims between April 7 and April 13, 2026, according to onchain investigator ZachXBT. The app, published under the developer name “SAS Software Company,” used a bait-and-switch strategy to harvest seed phrases before Apple removed it and terminated the account. This was not a sophisticated code exploit. It was a trust exploit, and it worked almost perfectly.

Six Days. Fifty Victims. Seven-Figure Damage.

The numbers are stark. Three victims alone account for the bulk of losses: one lost approximately $1.95 million in Bitcoin, staked Ether, and Ether; a second lost $3.23 million in USDT on April 9; a third lost roughly $2 million in USDC on April 11. Across the full victim set, losses touched Bitcoin, Ethereum-compatible networks, Solana, Tron, and XRP simultaneously, which tells you this operation had breadth and planning behind it. This was not opportunistic. It was systematic.

The mechanism was straightforward and brutal for that reason. A user searches for “Ledger Live” in the Mac App Store. The fake app appears, plausibly branded, with a review history that passed Apple’s gatekeeping. The user installs it, enters their 24-word seed phrase when prompted, and the wallet is emptied within hours. The seed phrase is the wallet. Hand that over and there is nothing left to protect.

Ledger CTO Charles Guillemet made the core rule explicit: “Ledger will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong. The only protection that holds is keeping your private keys on a dedicated hardware device with a secure screen, like a Ledger signer, and never entering your seed phrase into any app or website. Your 24 words are your wallet.” Clear. Unambiguous. And still, more than 50 people handed over those words.
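To make concrete why the 24 words are the wallet, here is an added example, not code from the article, from Ledger, or from the attacker, that runs the standard BIP39 seed derivation and BIP32 hardened child derivation in plain Python. Given only the phrase, it produces the seed, the master private key and chain code, and account-level private keys for Bitcoin, Ethereum and Tron (BIP44 paths with SLIP-0044 coin types 0, 60 and 195), with no hardware device anywhere in the process. The input is the published BIP39 test vector built from all-zero entropy, not a real wallet. Solana is left out because it derives ed25519 keys via SLIP-0010 rather than this secp256k1 arithmetic; the `ACCOUNT_PATHS` table and function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# secp256k1 group order; BIP32 child keys are reduced modulo this value.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(phrase, "mnemonic" + passphrase, 2048 rounds, 64 bytes)."""
    words = unicodedata.normalize("NFKD", mnemonic).split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP39 phrase has 12, 15, 18, 21 or 24 words")
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode(), salt.encode(), 2048, 64)


def bip32_master(seed: bytes) -> tuple:
    """BIP32 master node: HMAC-SHA512 keyed with "Bitcoin seed"; left half is the key, right half the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("invalid master key (probability about 2**-128)")
    return key, digest[32:]


def bip32_ckd_hardened(k_par: int, c_par: bytes, index: int) -> tuple:
    """Hardened child derivation. Needs only the parent private key, so no EC point math is required."""
    if index < HARDENED:
        raise ValueError("this example only handles hardened indices")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    k_child = (left + k_par) % SECP256K1_N
    if left >= SECP256K1_N or k_child == 0:
        raise ValueError("invalid child key; BIP32 says skip to the next index")
    return k_child, digest[32:]


def derive_path(seed: bytes, path: str) -> tuple:
    """Walk a hardened-only path such as m/44'/60'/0' from the master node."""
    key, chain = bip32_master(seed)
    for step in path.split("/")[1:]:
        if not step.endswith("'"):
            raise ValueError("non-hardened step %r not supported in this example" % step)
        key, chain = bip32_ckd_hardened(key, chain, HARDENED + int(step[:-1]))
    return key, chain


# BIP44 account-level paths; coin types per SLIP-0044 (0 = BTC, 60 = ETH, 195 = TRX).
# All three are secp256k1 chains, so one phrase yields keys for all of them.
ACCOUNT_PATHS = {"BTC": "m/44'/0'/0'", "ETH": "m/44'/60'/0'", "TRX": "m/44'/195'/0'"}


def account_keys_from_phrase(mnemonic: str, passphrase: str = "") -> dict:
    """Everything an attacker needs from a harvested phrase: one private key per chain."""
    seed = bip39_seed(mnemonic, passphrase)
    return {coin: derive_path(seed, path)[0] for coin, path in ACCOUNT_PATHS.items()}


# Constructed input: the public BIP39 test vector for all-zero entropy. Not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    for coin, key in account_keys_from_phrase(TEST_MNEMONIC, "TREZOR").items():
        print(coin, "account private key:", hex(key))
```

The derivation runs on any host that receives the words; nothing in it asks the hardware device anything. That is the whole reason a signer with its own screen keeps the phrase inside the device: the moment the words are typed into a host application, the application holds every spending key the device was bought to protect.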

Apple’s Review Process Has a Credibility Problem

The bait-and-switch model ZachXBT described is a known vector. A developer submits an app that initially appears benign, clears review, and then pivots its core functionality once listed. Apple’s App Store is supposed to be the walled garden, the trusted channel, the alternative to the chaos of sideloading. That promise is the entire value proposition for users who choose Apple’s ecosystem over more open alternatives. When a malicious app runs for six days inside that garden and drains $9.5 million, the promise has failed in a measurable, documented way.

Apple confirmed to Cointelegraph that the app was removed and the developer account terminated. That is the correct response. It is also insufficient as a standalone answer, because terminating one developer account does nothing to explain how the account passed review in the first place, and nothing to compensate the victims. The “SAS Software Company” account is gone. The $9.5 million is also gone. Those two facts do not cancel each other out.

ZachXBT publicly questioned Apple’s liability in the matter. That question deserves more than a press statement. Apple generates tens of billions of dollars annually from its App Store ecosystem, in part by charging developers a 15 to 30 percent commission while guaranteeing users a curated, safe experience. If that curation fails catastrophically for crypto users specifically, and repeatedly, the platform’s complicity, however passive, is worth examining hard.

Where the Money Went and Why It Matters

According to ZachXBT’s investigation, the stolen assets were routed through more than 150 KuCoin deposit addresses linked to a centralized mixing service identified as AudiA6. The structure is deliberate: fragment the funds across more than 150 deposit addresses quickly, then let a centralized exchange aggregate them and obscure their origin. This is not amateur laundering. Six days of theft and routing infrastructure ready to absorb the proceeds from the first day implies prior experience, a coordinated team, or both.

KuCoin’s involvement here is indirect but not irrelevant. The exchange paid more than $300 million in fines to US authorities in January 2025 to resolve anti-money laundering violations, and Austrian regulators have since blocked it from onboarding new EU users despite its MiCA authorization. The use of KuCoin-linked addresses as a laundering conduit in this incident, and in a separate case ZachXBT traced involving roughly 54 BTC, or approximately $3.7 million, stolen from Bitcoin Depot, adds another data point to a pattern regulators are already watching. ZachXBT’s prior work on Circle’s alleged USDC compliance failures demonstrates how post-incident fund tracing is becoming one of the most consequential forms of accountability in this industry.

Phishing Is Now the Primary Attack Vector, and the Data Proves It

The Ledger app incident sits inside a much larger structural shift that Hacken’s Q1 2026 report makes impossible to ignore. Web3 hacks generated $482 million in losses across 44 separate incidents during the first quarter. Phishing and social engineering alone accounted for $306 million of that total, dwarfing traditional smart contract exploits, which came to $86.2 million. Access control failures, including compromised private keys and cloud infrastructure breaches, contributed another $71.9 million.

A single hardware wallet phishing scam in January contributed $282 million to Q1 figures, which is more than half the quarterly total by itself. That event and the Ledger fake app share the same attack philosophy: do not break the code, break the user. The code is increasingly difficult to exploit directly. Human psychology is not. Sentiment, trust, and habit are far more reliable attack surfaces than Solidity logic at this point in the cycle.

Hacken also noted that at least six audited platforms still suffered losses in Q1, which is the industry’s recurring humiliation. Audits are a compliance artifact now, not a security guarantee. The threat is operating one full layer above where audits look. As long-running social engineering campaigns targeting DeFi protocols have demonstrated, the patience and sophistication of modern attackers has genuinely outpaced the industry’s defensive posture in the human layer.

Who Loses, Who Gains, What Happens Next

The victims are obvious. Fifty-plus individuals, including musician Garrett Dutton, who reported losing 5.9 BTC after entering his recovery phrase into the fraudulent app on April 12, are unlikely to recover their funds given the speed and fragmentation of the laundering operation. The structure designed around 150-plus KuCoin-linked addresses exists precisely to defeat recovery. Realistically, these losses are permanent.

Apple loses credibility in a segment it has never fully committed to protecting. The company’s review process is not built for adversarial crypto-native attack patterns, and there is no evidence that will change without regulatory compulsion. The EU’s MiCA and DORA frameworks are pushing harder on operational resilience and continuous monitoring, but neither directly compels Apple to overhaul App Store review for crypto wallet impersonation specifically. That gap will be exploited again.

Hardware wallet self-custody earns a complicated win here. The Ledger hardware device itself was never compromised. The attack required the victim to enter a seed phrase into a software application, bypassing the hardware entirely. Ledger’s security model held. Its brand took the hit anyway, which is the specific cruelty of impersonation attacks. The company’s name becomes the weapon used against its own users.

The clearest beneficiary, if you want to call it that, is the attacker’s playbook. Six days. $9.5 million. A developer account that cost little more than Apple’s $99-a-year developer membership and has now been terminated. The economics of this attack are grotesque: the cost-to-yield ratio for the attacker is essentially perfect, and the downside, a terminated App Store account, is trivially absorbed. Until the asymmetry of consequences changes, until platform liability is real and laundering through compliant exchanges carries genuine risk for the exchange, this exact attack will repeat. The actors will change. The structure will not.

The market talks about security in code. The attackers have already moved on to security in behavior, and the gap between where the industry focuses its defenses and where the actual losses are happening is widening every quarter. Fifty-one people trusted a blue app icon with Ledger’s name on it. That is the whole attack. Until custody education becomes as standard as KYC onboarding, the human layer will remain the most profitable target in crypto.

Tyler Grant

I read crypto like a mood chart. Bitcoin sets the tone, alts reveal the appetite. I track narratives, liquidity shifts and sentiment spikes before they hit the mainstream. Funding, open interest, meme coin mania, fear, greed, rotation. Nothing is sacred. Everything is cyclical. My job is to see the turn before the crowd feels it.