Sunday, April 19, 2026

Fake Ledger Live app on Apple App Store drained $9.5M from users, onchain investigator says

A counterfeit Ledger Live app briefly listed on Apple’s App Store stole about $9.5 million from more than 50 victims between April 7 and April 13, 2026, turning one of crypto’s oldest security warnings into a fresh, large-scale loss event. The attack was effective because it did not break hardware wallets directly; it tricked users into surrendering the recovery phrases that control them.

The fake app, published under the name “Leva Heal Limited,” closely imitated Ledger’s interface and user flow. It asked victims to complete familiar actions such as wallet synchronization or device migration, then prompted them to enter a 12- or 24-word recovery phrase. Once that phrase was submitted, attackers gained full access to wallets across multiple blockchains. What made the scheme especially dangerous was its ability to weaponize the trust users place in official app marketplaces.

A Multi-Chain Theft Routed at High Speed

Onchain investigator ZachXBT linked the campaign to several major thefts within a matter of days. Among the largest were a $3.23 million USDT theft on April 9, a $2.08 million USDC theft on April 11 and a $1.95 million loss in BTC, ETH and stETH on April 8. The scale of the individual incidents showed that a single compromised seed phrase could be turned into a multi-million-dollar extraction almost immediately.

The losses were not limited to anonymous wallets. Musician G. Love said he lost 5.92 BTC, which he described as his life savings built over a decade. That detail gave the case a human dimension that often disappears behind transaction totals, underscoring that seed-phrase attacks do not just drain balances; they can erase years of personal financial accumulation in one step.

Ledger chief technology officer Charles Guillemet used the incident to restate a hard security truth: “You cannot trust the software environment around you, not your browser, not your app store, not your desktop.” The point is uncomfortable but central. Hardware security fails the moment a user is persuaded to export trust back into a compromised software layer.

The Broader Failure Was Trust in Distribution

The app reportedly tried to strengthen its legitimacy by presenting a fake version history that jumped quickly from 1.0 to 5.0, creating the impression of an actively maintained product. That detail suggests the fraud was not only visual but behavioral, designed to mimic the small cues users associate with authentic software. The impersonation worked because it copied process as well as appearance.

After the funds were taken, they were reportedly moved through more than 150 KuCoin deposit addresses and routed into a centralized mixing service known as AudiA6, which ZachXBT linked to the laundering flow. The speed and breadth of that routing pattern showed how quickly attackers can move from theft to obfuscation once victims hand over control. By combining trusted distribution, social engineering and fast laundering, the attackers compressed the entire fraud cycle into days.

The incident has intensified scrutiny of how the app cleared Apple’s review process and remained available for nearly a week before removal. It also sharpens operational lessons for users, exchanges and wallet providers alike. For individuals, the rule remains absolute: never enter a recovery phrase into an app or website. For platforms, the case reinforces the need for faster takedown coordination and closer monitoring of suspicious deposit patterns tied to likely illicit flows. The real lesson is that marketplace legitimacy is no longer a reliable proxy for software safety in crypto.
