Most people don’t think twice when downloading an app from the Apple App Store. That built-in trust is exactly what attackers leaned on in this case.  

A fake version of Ledger Live appeared where users expected the real one to be, blending in almost perfectly. From the outside, everything looked normal. But in the background, the app was designed to capture sensitive information and hand control of users’ wallets to attackers. In just a few days, that small deception led to the draining of about $9.5 million in crypto. 

How did the fake Ledger app drain money from users?

The attack itself wasn’t complicated, which is part of what made it so effective. Once users opened the fake app, they were prompted to enter their recovery phrase. That phrase is supposed to remain private at all times because it’s the only thing that grants complete control over a crypto wallet. 

Many users entered it without hesitation, trusting the app because it came from an official store. Within moments, attackers could access their wallets and move funds out. The losses added up quickly. Transactions traced across Bitcoin, Ethereum, Solana, Tron, and XRP show how widespread the damage was. Some victims lost life-changing amounts in a single transaction. 

One user shared their experience publicly, writing, “I lost my retirement fund in a hack/scam… All my BTC is gone in an instant.” 

Blockchain investigator ZachXBT later traced one of the largest thefts, showing how 5.92 BTC was quickly moved through a chain of transactions before ending up in deposit addresses linked to KuCoin.  

The pattern matched a wider laundering flow seen across the incident, where stolen funds were rapidly broken up and routed through multiple wallets. Apple and KuCoin did not immediately respond to requests for comment. 

Where the stolen funds went 

After the funds were taken, they didn’t sit still. Investigations linked the stolen crypto to wallets associated with KuCoin, where the assets were moved through multiple deposit addresses. 

From there, the trail pointed to a laundering service known as AudiA6, which is used to make it harder to track transactions. This kind of setup isn’t new, but the speed and coordination seen in this case stood out. 

The movement of funds through centralized exchanges also raises questions about monitoring and detection, especially when large amounts are flowing through in a short time. 

How did the fake Ledger app pass Apple’s review? 

One of the most troubling parts of this story isn’t just the scam itself, but where it happened. The Apple App Store is known for strict review processes, which is why many users trust it more than other platforms. That trust is what made this attack so effective. The fake app looked legitimate, followed expected design patterns, and appeared in a place people associate with safety. 

Apple has since removed the app, but the bigger question remains. How did it get approved in the first place, and how long was it available before being flagged? Those are the kinds of questions that often come up after incidents like this, especially when real money is involved. 

This incident leaves behind more than financial loss. It also challenges a basic assumption many people have about digital platforms. Just because something appears in a trusted space does not always mean it is safe. 
