
Fake Ledger App in the App Store: How Scammers Stole $9.5M and How to Protect Your Wallet

Editorial on the $9.5M theft via a fake Ledger Live app in the App Store: a breakdown of the fraud scheme, the story of musician G. Love, systemic problems with Apple's review process, and practical wallet protection tips with links to CoinMagnetic tools.


Garrett Dutton played blues under the name G. Love for over thirty years. Over that time he built a following worldwide and set something aside for retirement – 5.9 bitcoin, roughly $420,000 at April 2026 prices. He called those coins his retirement fund. In April he downloaded an app from the App Store, entered his seed phrase – and within minutes lost everything he had saved.

Dutton's story made headlines not because he is a celebrity, but because he is not alone. Blockchain investigator ZachXBT counted more than 50 victims who collectively lost $9.5M. The funds drained from Bitcoin, Tron, and Solana wallets and landed at addresses linked to a mixer that uses KuCoin.

This was not some dark corner of the internet. This was Apple's official App Store.

What happened: a fake Ledger Live in Apple's store

Ledger is a French company that makes some of the most popular hardware wallets in the world. The official Ledger Live app is designed to manage Ledger devices: checking balances, sending transactions, updating firmware. The app is free, and its official version is available directly from the company's website.

Scammers created a clone – a visually indistinguishable copy of Ledger Live – and somehow passed Apple's review. The app appeared in the Mac App Store and stayed there long enough to claim dozens of victims. According to ZachXBT, the campaign ran for about a week.

The scheme worked through seed phrase phishing. The app looked like the real Ledger Live and prompted users to enter their 24-word mnemonic phrase – supposedly for "synchronization" or "access recovery." The moment a victim entered the words, the attackers gained full control of the wallet and immediately drained the funds.

"Garrett Dutton's 5.9 Bitcoin has already been sent to deposit addresses associated with KuCoin" – ZachXBT, April 2026

Apple responded after the public scandal: the app was removed and the developer was banned from the App Store program. In a comment to Cointelegraph, the company confirmed the removal. But the question of why the fake passed review – and how long it took to act – remained without a clear answer.

Why App Store moderation did not stop the scammers

Apple has spent years positioning its store as a secure ecosystem – unlike Android, where apps can be installed from third-party sources. That trust worked against users: many had no doubt about the app's legitimacy simply because they found it in the official store.

Exactly how the fake passed review is still unclear. App Store moderation combines automated checks with manual review, but focuses primarily on code security rather than developer intent. An app that simply displays a word-entry form and sends the input to a server may technically contain no "malicious code" in the traditional sense.

The scammers may also have used several tactics to bypass review:

  • Submitting a harmless version first, then updating functionality after approval
  • Using a name close to the original without technically violating trademark rules
  • Targeting a small audience to avoid attracting attention through user reports

ZachXBT publicly raised the question of Apple's accountability. If the platform takes a cut from developers and markets its moderation as user protection – does it bear any responsibility for losses that moderation failed to prevent? There is no legal answer yet, but the reputational damage is clear.

Where the money went: Bitcoin, Tron, Solana, and the mixer trail

The way the scammers moved the funds deserves particular attention. ZachXBT traced the money and found that the stolen assets – in Bitcoin, Tron, and Solana – passed through a mixer linked to KuCoin. This is a standard rapid-anonymization scheme: funds are broken into small amounts, shuffled through many addresses, and then withdrawn to an exchange where they are harder to trace.

KuCoin itself is not at fault here – the attackers used addresses associated with the exchange rather than the platform itself. But the trail matters: it shows the criminals had a pre-built laundering infrastructure rather than improvising. This was not a random hack but the work of an organized group with a clear plan.

This is precisely why checking addresses through AML tools matters – especially when receiving funds from unknown sources. If an address has already appeared in laundering schemes, a good AML scanner will flag it. We have an AML checker on our portal – it checks addresses on Bitcoin and other blockchains against databases of known fraudulent wallets and high-risk sources.

The core mistake victims made: a seed phrase is never entered into an app

This sounds obvious, but it is a mistake that gets repeated over and over – even by experienced users. A seed phrase (a mnemonic of 12 or 24 words) is the master key to a wallet. Whoever has those words owns the coins. Full stop.

The real Ledger Live never asks for a seed phrase. Never. This is a fundamental principle of how hardware wallets work: private keys never leave the device, and the seed phrase is only needed to physically restore a wallet on a new device – entered on the device itself, not in software on a computer.

If an app asks for a seed phrase, it is a scam. It does not matter what it looks like or where it was downloaded from. No exceptions.
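
Why the words alone are enough, as an added example (not from the original article and not Ledger's code): the public BIP-39 and BIP-32 standards turn a mnemonic into a wallet's master key using only fixed, published constants, so no device, PIN or other secret takes part. The mnemonic below is the published BIP-39 test vector, and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Published BIP-39 test-vector mnemonic (12 words). It is public knowledge
# and must never be used to hold funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: mnemonic words -> 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 iterations, salt = "mnemonic" + passphrase.
    Every constant is fixed by the standard; the words are the only secret
    unless the owner also set an optional passphrase.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master(seed: bytes):
    """BIP-32: seed -> (master private key, chain code).

    Every account key and address in a BIP-32 wallet is derived from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def words_to_master_hex(mnemonic: str, passphrase: str = "") -> str:
    """Hex of the master private key that the words alone determine."""
    key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return key.hex()


if __name__ == "__main__":
    # Same words in, same keys out, on any computer, with no hardware wallet.
    print("seed      :", bip39_seed(TEST_MNEMONIC).hex())
    print("master key:", words_to_master_hex(TEST_MNEMONIC))
    # An optional BIP-39 passphrase changes the result completely.
    print("with pass :", words_to_master_hex(TEST_MNEMONIC, "TREZOR"))
```

The derivation is deterministic and runs entirely in software, which is why a form that collects the words gives whoever receives them the same keys the device holds.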

What to remember about seed phrases

  • Never enter a seed phrase into software on a computer or phone
  • Never photograph it or store it digitally
  • Never share it with anyone – including support staff
  • Store it only on paper or a metal backup in a secure location

How scammers chose their victims

Hardware wallets are used by people who already understand crypto. These are not newcomers who bought their first $100 on an exchange – these are holders who deliberately chose cold storage to protect significant sums. That is why the average loss per victim was so high: $9.5M across 50+ victims works out to nearly $190,000 per person on average.

The scammers went where the money was. They knew that Ledger users are not casual holders. And they knew that trust in Apple's ecosystem creates a false sense of security.

G. Love likely believed that using a hardware wallet and downloading an app from the official store meant he was safe. This is the classic trap: someone makes the right decision (hardware wallet) and then makes one critical mistake at the final step.

The question for Apple: who is responsible

After ZachXBT's posts and a wave of media coverage, Apple quickly removed the app and closed the developer's account. But that is not an answer to the systemic question.

The App Store is not just an app directory. It is a curated ecosystem, and Apple charges developers 30% of revenue plus an annual membership fee for access to it. The company sells trust as a product. The tagline "We review every app" is not just marketing – it is a safety promise.

When that promise is broken and users lose real money, a reasonable question follows: can a victim seek compensation from Apple? Right now – almost certainly not. App Store terms of service remove the company's liability for third-party app content. But regulatory pressure on platforms over content liability is growing worldwide, and this incident is another data point for those who argue large platforms should bear more accountability.

ZachXBT asked directly: is Apple responsible for the $9.5M in stolen funds? He received no answer.

This is not the first time: a history of phishing through app stores

The Ledger case is not unique. For several years, fake versions of popular crypto wallets and asset management apps have surfaced periodically in both the App Store and Google Play. Moderation catches them – but not always quickly, and not always before users are harmed.

In 2021, a similar incident occurred with a fake Trezor app – another well-known hardware wallet manufacturer. In 2023, cases were recorded involving counterfeit MetaMask and Trust Wallet apps. The scheme is roughly the same each time: a convincing visual copy, a request for the seed phrase or private key, and immediate fund withdrawal.

The crypto industry responds in different ways. Ledger regularly warns users: the app should be downloaded only from the official site ledger.com, not from app stores where oversight is weaker. But most people do not know this – or do not think about it when they see a convenient "Install" button in a familiar interface.

How to verify you are using the real app

Concrete steps for anyone who uses hardware wallets or is planning to:

For Ledger users

  • Download Ledger Live only from the official site ledger.com – nowhere else
  • Verify the digital signature of the installer if downloading on Windows or Linux
  • Do not install Ledger Live from the App Store or Google Play – the company officially recommends the website
  • Regularly check official Ledger channels for warnings about fakes

General security rules for any crypto wallet

  • A seed phrase is never entered into software
  • Before installing any crypto-related app, check the developer: name, publication date, number of reviews
  • Be skeptical of apps with few reviews or a recent publication date
  • Use a dedicated device for large holdings
  • Regularly check addresses against fraudulent wallet databases

Tools that help you stay protected

We have put together several tools that make working with crypto safer – not only in the context of this incident.

AML address checks. Before accepting a transfer from an unknown source or sending funds to a new address, check its history. Our AML checker analyzes addresses on Bitcoin, Ethereum, Tron, and other blockchains and shows whether an address is connected to known fraud schemes, mixers, or sanctions lists. This kind of tool would have identified the addresses where victims' funds ended up – though in this case they were the final recipients, not the senders.

Exchange comparisons. Some of those affected likely held assets in hot wallets and used exchanges to manage their portfolios. Choosing a reliable exchange is also part of security. In our exchange review section we have compiled current ratings of major platforms, factoring in their security policies, insurance funds, and incident history.

Portfolio management. Spreading assets across different wallets and platforms reduces risk. If everything is in one place, a single mistake can cost you everything. Our portfolio tracker helps monitor assets across different addresses and exchanges in one interface, without transmitting private keys.

Why hardware wallets are still the best option

The fake Ledger story might create the impression that hardware wallets are unreliable. That is not the case. The hardware wallet itself – the device – was never compromised. G. Love's private keys did not leak from his Ledger Nano. He lost his funds because he entered his seed phrase into a third-party app – in effect handing the keys to the scammers himself.

A hardware wallet works precisely because it keeps keys offline. If a user follows basic security rules – never entering the seed phrase digitally, never installing unverified software – their funds are safe even if their computer is infected with malware.

The problem is not the technology. The problem is the human factor and the platforms that take on a gatekeeper role but fail to fulfill it.

What this incident says about the maturity of the industry

Crypto has come a long way from bitcoin forums to mainstream financial products. But as the audience grows, so does the appeal to scammers. $9.5M stolen from 50+ people in a week is not a minor incident. It is an organized campaign with prepared infrastructure, exploiting trust in a major technology company.

The industry responds in different ways. Some call for greater platform accountability. Others return to the basics: not your keys, not your coins – and never trust an app with your seed phrase. Both positions are correct, and they do not contradict each other.

While regulators and platforms sort out liability, every user can protect themselves. It takes knowledge and attention – but not developer-level technical skills.

What to do right now

If you have a hardware wallet, check where you downloaded the companion app from. If it came from an app store rather than the manufacturer's official website, delete it and re-download from the correct source. You do not need to enter your seed phrase anywhere in the process.

If you are considering moving to cold storage, it remains the best way to protect large holdings. The key is to learn the rules once rather than trusting the first app that looks like the real thing.

You can check your addresses for risk right now in our AML checker. And if you are choosing a wallet or want to compare storage options, visit our wallet review section – we have compiled current ratings of hardware and software solutions factoring in security, usability, and supported networks.

G. Love lost his retirement fund because of a single mistake that took seconds. The story is painful – but it shows clearly where the line between security and catastrophe runs. That line runs through the seed phrase.

This article is for educational purposes and is not investment advice. Cryptocurrencies carry high risk. Only trade with funds you can afford to lose.


CoinMagnetic Team

Crypto investors since 2017. We trade with our own money and test every exchange ourselves.

Updated: April 2026
