Sunday, April 19, 2026

Fake Ledger Live App on Apple’s Store Turned Self-Custody Into a $9.5 Million Trap

Apple has removed a counterfeit Ledger Live application from its Mac App Store after the fake software drained about $9.5 million from more than 50 users, exposing a serious gap in how security-sensitive crypto apps can still reach mainstream distribution channels. Available for roughly a week, from April 7 to April 13, 2026, the fraudulent app turned a trusted storefront into an attack surface for self-custody users.

The scheme worked by mimicking Ledger Live closely enough to persuade users to enter their 24-word recovery phrases, the one step that instantly collapses the protections of a hardware wallet. Once those phrases were handed over, attackers gained lasting access to the affected wallets and moved assets including Bitcoin, Ethereum, Solana, Tron, XRP, USDT, USDC and stETH. In one of the reported cases, a musician lost 5.92 BTC, valued at about $420,000 to $447,000, which was described as a decade of savings erased through a single act of disclosure.

The Theft Spread Quickly, Then Disappeared Into the Laundering System

After the assets were taken, the funds were funneled through more than 150 KuCoin deposit addresses and then routed into AudiA6, a centralized mixing service used to make tracing more difficult. That laundering path reinforced how quickly attackers can turn seed-phrase theft into a multi-chain extraction and then into a cross-platform concealment effort. In this case, the fraud did not stop at wallet compromise but moved almost immediately into an organized laundering pipeline.

Blockchain investigator ZachXBT highlighted the incident as a clear example of how attackers exploit trust in official software channels to bypass the safeguards users believe self-custody provides. Ledger chief technology officer Charles Guillemet repeated the company’s standing warning that Ledger never asks users for their 24-word recovery phrase and that any software requesting it should be treated as hostile. The message is blunt because hardware security becomes meaningless the moment a recovery phrase is surrendered to a fake interface.

The App Is Gone, but the Hard Part Starts Now

The app’s removal stopped additional installations, but it did little to reverse the damage already done. KuCoin has indicated that any intervention would require formal legal proceedings, underscoring how limited recovery options become once stolen assets pass through licensed exchanges and mixing services across jurisdictions. That procedural barrier shows why asset tracing is often faster than asset recovery, especially in cross-border crypto theft cases.

The incident is now feeding broader scrutiny of platform responsibility. Although the theft depended on user disclosure of sensitive credentials, the fact that the malicious software was distributed through Apple’s own marketplace has raised fresh questions about app review standards and the level of care applied to products tied to high-value financial access. Legal experts cited in connection with the case have suggested the scale of the losses could lead to private litigation focused on whether App Store controls were adequate for software capable of exposing users’ life savings.

The case is a reminder that once stolen crypto begins moving through custodial venues and laundering layers, response windows narrow fast. The broader consequence is likely to be renewed pressure on major app stores to tighten wallet-app vetting and coordinate faster when crypto theft begins through impersonation software.
