Fake Ledger Live App on Mac App Store Steals $9.5 Million in Cryptocurrency
In April 2026, a counterfeit version of the Ledger Live application appeared on the macOS App Store, leading to the theft of approximately $9.5 million in cryptocurrency from unsuspecting users. This incident underscores the persistent risks associated with digital assets and highlights vulnerabilities within trusted platforms.
The Deceptive Application
The fraudulent app was submitted by an entity named Leva Heal, which has no affiliation with Ledger SAS, the legitimate developer of the Ledger Live app. Once downloaded, the fake application prompted users to enter their seed and recovery phrases—sensitive information that grants full access to cryptocurrency wallets. By obtaining these phrases, the perpetrators were able to transfer funds from victims’ wallets to their own accounts.
Extent of the Theft
Between April 8 and April 11, 2026, at least 50 macOS users fell victim to this scam. Notably, three individuals suffered significant losses:
– $3.23 million
– $2.08 million
– $1.95 million
The cumulative losses amounted to approximately $9.5 million before Apple removed the deceptive app from the App Store.
Mechanism of the Scam
Blockchain investigator ZachXBT revealed that the scammers utilized multiple wallet addresses to receive stolen funds across various cryptocurrencies, including Bitcoin, Ethereum, Tron, Solana, and Ripple. To obscure the origins of the stolen assets, the funds were laundered through over 150 deposit addresses on the KuCoin platform, allegedly with assistance from a laundering service known as AudiA6.
Response from KuCoin
In response to the illicit activities, KuCoin froze the accounts implicated in the laundering scheme. These accounts are set to remain frozen until April 20, pending further instructions from authorities. This action reflects KuCoin’s ongoing efforts to address regulatory concerns, especially following previous settlements for anti-money laundering violations in 2025, which resulted in payments exceeding $300 million to U.S. authorities.
Official Ledger Statement
Charles Guillemet, Chief Technology Officer of Ledger, emphasized the importance of safeguarding recovery phrases. He stated, “The real app will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong.” Guillemet further advised users to keep their private keys on dedicated hardware devices with secure screens, such as Ledger signers, and to avoid entering seed phrases into any app or website.
Understanding the 24-Word Recovery Phrase
The 24-word recovery phrase, also known as a seed phrase, is a unique sequence generated during the initial setup of a cryptocurrency wallet. This phrase serves as the master backup for a user’s private keys, enabling the restoration of the wallet and access to its funds. Compromising this phrase effectively grants full control over the associated assets.
Implications for Cryptocurrency Users
While Ledger Live boasts over 1.5 million active users worldwide as of 2023, only a small fraction, at least 50 users, were deceived by the counterfeit macOS app. Nonetheless, the substantial financial losses incurred highlight the critical need for vigilance when managing digital assets.
Recommendations for Users
For those who downloaded Ledger Live from the macOS App Store, it is strongly recommended to delete the application immediately. The official Ledger Live macOS app, now referred to as Ledger Wallet, is available exclusively through the Ledger SAS website. Downloading software directly from official sources is paramount to ensuring the security of cryptocurrency holdings.
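The check below is an added example, not code from Ledger, Apple or the original article. It lists app bundles whose name contains "ledger" and that carry a Mac App Store receipt, which matters here because the article says the official macOS app is distributed only from the Ledger SAS website. The name match and the default /Applications folder are assumptions; a renamed bundle would not be caught.

```shell
#!/bin/sh
# Added example: find Ledger-named apps that were installed from the
# Mac App Store. Assumption: the bundle name contains "ledger".

# find_store_ledger_apps DIR
# Prints one path per line for every matching bundle directly under DIR.
find_store_ledger_apps() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        name=$(basename "$app" .app | tr '[:upper:]' '[:lower:]')
        case $name in
            *ledger*) ;;
            *) continue ;;
        esac
        # Apps installed from the Mac App Store carry this receipt file.
        if [ -f "$app/Contents/_MASReceipt/receipt" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# report DIR
# Human-readable report; on macOS it also prints the signing authority and
# team identifier so the publisher can be compared with the expected one.
report() {
    find_store_ledger_apps "$1" | while IFS= read -r app; do
        echo "App Store receipt found: $app"
        if command -v codesign >/dev/null 2>&1; then
            codesign -dv --verbose=4 "$app" 2>&1 |
                grep -E '^(Authority|TeamIdentifier)=' || true
        fi
    done
}

report "${1:-/Applications}"
```

A hit is a reason to remove the app and treat any recovery phrase typed into it as compromised; an empty result does not prove the machine is clean.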
Apple’s Position
As of now, Apple has not issued a public statement regarding this incident. The company’s silence raises questions about the effectiveness of its App Store review process and the measures in place to prevent such fraudulent applications from reaching users.
Historical Context
This event is not an isolated case. The App Store has previously been infiltrated by malicious cryptocurrency apps. For instance, in February 2024, a fake app impersonating the Rabby Wallet service was discovered, leading to significant financial losses for users. Similarly, in March 2024, an app named Leather Wallet & Hiro Bitcoin was accused of stealing $120,000 from a single user. These recurring incidents underscore the ongoing challenges in maintaining the integrity of app marketplaces.
Broader Implications
The proliferation of fake cryptocurrency apps poses a significant threat to the digital asset community. These scams not only result in substantial financial losses but also erode trust in both cryptocurrency platforms and the app stores that host them. It is imperative for both users and platform providers to exercise heightened scrutiny and implement robust security measures to mitigate these risks.
Conclusion
The recent theft of $9.5 million through a counterfeit Ledger Live app on the macOS App Store serves as a stark reminder of the vulnerabilities inherent in the digital asset space. Users must remain vigilant, verify the authenticity of applications, and adhere to best practices for securing their cryptocurrency holdings. Simultaneously, platform providers like Apple must enhance their review processes to prevent malicious apps from reaching users and causing financial harm.