Dozens of crypto users say a fake ledger app on the Apple App Store wiped out their savings, with losses tied to a broader, sophisticated theft scheme.
Summary
Victims report retirement savings lost to fake Ledger Live
A bogus version of Ledger Live, distributed via Apple‘s official marketplace, has been linked to at least $9.5 million in crypto theft between April 7 and April 13. Moreover, victims are now coming forward describing catastrophic losses, including entire retirement funds erased “in an instant.”
One victim, posting on X under the handle @glove, said he lost 5.9 BTC — his entire savings accumulated over a decade — after installing what he believed was the official wallet management app on a new computer. He wrote that he had “lost my retirement fund in a hack/scam… All my BTC gone in an instant.”
Blockchain investigator ZachXBT later traced the stolen 5.92 BTC, showing it was rapidly moved through a series of transactions into KuCoin deposit addresses. However, that flow appeared consistent with a broader laundering pattern connected to the same fake application.
$9.5 million stolen across multiple blockchains
X user @glove was not the only victim. The phishing campaign, which remained active from April 7 to April 13, targeted users across Bitcoin, Ethereum-compatible networks, Tron, Solana and XRP. In total, more than 50 suspected victims have been identified so far.
Three of the largest victims each suffered seven-figure losses. On April 9, attackers stole $3.23 million in USDT. On April 11, they drained another $2.08 million of USDC. That said, on April 8, a further $1.95 million denominated in BTC, ETH and stETH was removed from wallets linked to the same scheme.
According to early reports, the malicious interface prompted users to enter their recovery phrase directly into the application. Once victims entered their seed phrase, attackers gained full control over the associated wallets and could immediately transfer funds to external addresses.
Laundering flows through KuCoin and AudiA6
On-chain analysis shows stolen funds were routed through more than 150 KuCoin deposit addresses. Moreover, investigators linked these flows to AudiA6, a centralized crypto mixing service reportedly known for charging high fees to help obfuscate illicit transactions.
The use of a major centralized exchange as a laundering hub is striking, especially given KuCoin’s recent regulatory issues. In February 2026, Austrian regulators barred the platform from onboarding new EU users, only months after it had received a MiCA license. Additionally, in 2025, KuCoin paid over $300 million to U.S. authorities to settle alleged anti-money laundering violations.
The pattern underscores how crypto theft laundering operations increasingly blend centralized services and off-chain entities to complicate asset recovery. However, the clear trail of kucoin deposit addresses may aid future law enforcement efforts if authorities pursue the case aggressively.
Apple App Store scrutiny and potential legal fallout
Apple has removed the fake Ledger Live listing from the apple app store. However, questions persist about how the malicious apple app store application passed review, how long it was available, and what internal safeguards failed during the vetting process.
The scale of losses, combined with the fact that the malware was distributed via the official app store of apple, could expose the company to legal risk. Some observers already suggest that the incident may provide grounds for a class-action lawsuit, arguing that users reasonably relied on Apple’s curated marketplace for security.
That said, proving direct liability for third-party software remains complex, and legal outcomes will likely depend on jurisdiction, user agreements, and any future disclosures from Apple about its review processes.
Phishing wallet recovery remains a growing threat
The campaign reflects a broader pattern that has troubled the crypto sector in recent years. In 2025, crypto investors lost around $17 billion to hacks and scams, with social engineering and phishing wallet recovery tactics among the most effective attack vectors.
Criminals increasingly imitate legitimate wallet interfaces, using fake ledger app branding, app icons and convincing user flows to trick holders into entering their recovery phrases. Moreover, these schemes routinely exploit trusted channels, such as app stores, email alerts, or text messages, to lower victims’ guard.
Security experts stress that no legitimate hardware wallet provider will ever ask users to type their full seed phrase into a desktop or mobile app. However, once that rule is broken, there is rarely any path to recover stolen assets.
Human cost for victims
For those affected, the financial and emotional damage is immediate and profound. “I worked ten years for this,” one victim wrote, describing the loss of long-term savings that had been carefully accumulated over a decade.
Moreover, many victims had believed that using hardware wallets and official-looking applications offered strong protection from online attacks. The incident now highlights that even diligent self-custody practices can fail if attackers compromise trusted distribution channels like the apple store app store.
In the aftermath, the crypto community is again urging users to verify app publishers, download only from verified links on official wallet websites, and treat any request for a full seed phrase as an immediate red flag.
Ultimately, the fake ledger app episode underscores the ongoing tension between usability and security in crypto, showing how a single malicious application can erase years of savings in a matter of days.
