
Apr 16, 2026 · 5 min read

A Fake Ledger App Passed Apple's Review and Stole $9.5 Million in Crypto

A counterfeit Ledger Live app sat in Apple's Mac App Store for nearly a week. It stole recovery phrases from 50 victims and drained wallets across five blockchains.


What Happened

Between April 8 and 13, 2026, a counterfeit version of Ledger Live, the companion app for Ledger hardware wallets, was available for download on Apple's Mac App Store. It was published under the name "Leva Heal Limited," an account with no connection to the real Ledger development team.

The app looked legitimate. It mimicked the real Ledger Live interface closely enough that users had no reason to suspect it was fake. After installation, it prompted users to enter their seed phrase, the 24-word recovery key that provides complete access to every cryptocurrency wallet associated with the device.

In six days, the attackers stole $9.5 million from at least 50 victims across Bitcoin, Ethereum, Tron, Solana, and Ripple. Apple removed the app after user reports, but has not publicly commented on how it passed the App Store review process.

The Biggest Victims

Blockchain investigator ZachXBT traced the stolen funds and documented the scale of individual losses:

  • $3.23 million in USDT stolen on April 9, the single largest theft
  • $2.08 million in USDC drained on April 11
  • $1.95 million in BTC, ETH, and stETH taken on April 8
  • $430,000 in Bitcoin stolen from musician G. Love, who lost 5.9 BTC

Three victims lost seven-figure sums within 72 hours. Because the attackers had the seed phrases, they had unrestricted access to every wallet ever created with those recovery keys, not just the assets visible in the app at the time of the theft.

How the Money Disappeared

The stolen cryptocurrency was routed through more than 150 deposit addresses on the KuCoin exchange, then laundered via a centralized mixing service known as AudiA6. This service obscures the connection between source and destination wallets by combining transactions from multiple users, making it extremely difficult to trace funds back to the theft.

KuCoin has frozen the associated accounts through April 20, but the freeze will only be extended if law enforcement formally requests it. Given the cross-jurisdictional nature of cryptocurrency theft, the chances of victims recovering their funds are slim.

Apple's App Store Review Failed

The most troubling aspect of this incident is not the scam itself, which is a well-known attack pattern, but that Apple's review process approved it for distribution. Apple markets the App Store as a curated, secure environment where apps undergo rigorous review before being made available to users. That promise is a core part of Apple's value proposition and its justification for controlling the only official distribution channel on its platforms.

A cryptocurrency wallet app that asks users to enter their seed phrase is, by definition, a scam. No legitimate wallet app ever asks for this information. The fact that a fake Ledger app requesting seed phrases passed Apple's review and remained available for nearly a week suggests either the review process missed obvious red flags, or the app initially behaved legitimately and was updated with malicious functionality after approval.

This is not an isolated incident. Earlier this year, malicious apps in both the App Store and Google Play were caught scanning users' photos to steal crypto wallet information. The pattern suggests that app store review processes across all platforms remain fundamentally inadequate for detecting financial fraud.

How to Protect Yourself

If you use a hardware cryptocurrency wallet, these rules are non-negotiable:

  • Never enter your seed phrase into any app or website. Your recovery phrase should only ever be written on paper and stored offline. No legitimate wallet software, exchange, or support representative will ever ask for it.
  • Download wallet software only from the manufacturer's official website. Do not search for "Ledger Live" in the App Store. Go to ledger.com directly and follow their download links.
  • Verify the publisher name. If you do find a wallet app in an app store, check the publisher. "Leva Heal Limited" is obviously not Ledger. The real publisher is "Ledger SAS."
  • Use a hardware wallet's built-in display for verification. Legitimate Ledger transactions require confirmation on the device's physical screen. If an app is asking for your seed phrase instead of using the device connection, it is a scam.
  • Enable all available security features. Use a passphrase (sometimes called the "25th word") on top of your seed phrase for an additional layer of protection.
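
The publisher check from the list above can also be made against the code signature of an app downloaded from the manufacturer's site. This is an added example, not code from the article or from Ledger: it classifies the signer reported by macOS `codesign -dvv`, and the sample outputs, team IDs and the "Example Other Ltd" name are constructed placeholders.

```shell
#!/usr/bin/env bash
# Reads `codesign -dvv <app>` output on stdin; $1 is the publisher you expect.
# On a Mac (app path is an assumption):
#   codesign -dvv "/Applications/Ledger Live.app" 2>&1 | classify_signer "Ledger SAS"
# -d only displays the signature; run `codesign --verify --deep --strict <app>`
# as well to confirm the bundle still matches it.
classify_signer() {
    local expected="$1" out leaf team
    out="$(cat)"
    # The first Authority= line is the leaf certificate, i.e. the actual signer.
    leaf="$(printf '%s\n' "$out" | sed -n 's/^Authority=//p' | head -n 1)"
    team="$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)"
    case "$leaf" in
        "")
            # Unsigned or ad hoc signed: no certificate chain at all.
            echo "no-authority"; return 1 ;;
        "Apple Mac OS Application Signing")
            # Store builds are re-signed by Apple, so the publisher name is
            # absent; only the team ID identifies the developer account.
            echo "appstore team=$team"; return 1 ;;
        "Developer ID Application: $expected ($team)")
            # Name matches and the ID in the certificate equals TeamIdentifier.
            echo "match team=$team"; return 0 ;;
        *)
            echo "mismatch signer=$leaf"; return 1 ;;
    esac
}

# Constructed sample outputs (team IDs are placeholders, not real values).
SAMPLE_DEVID='Authority=Developer ID Application: Ledger SAS (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

SAMPLE_STORE='Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=STORE00000'

SAMPLE_OTHER='Authority=Developer ID Application: Example Other Ltd (OTHER00000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHER00000'
```

An "appstore" result means the signature carries no publisher name, so the team ID has to be compared with a value obtained from the vendor through a separate channel.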

The Limits of "Walled Gardens"

Apple's closed ecosystem is built on the promise that its review process protects users from malicious software. When that promise fails, users who trusted the platform's curation bear the cost. In this case, that cost was $9.5 million stolen in under a week.

The lesson is uncomfortable but necessary: app store approval is not a guarantee of safety. It is a filter that catches most threats but lets some through. For high-value targets like cryptocurrency wallets, where a single mistake can result in irreversible financial loss, the only reliable defense is user vigilance. No platform can substitute for the rule that your seed phrase never, under any circumstances, gets typed into a screen.
