Apple App Store Hosted Fraudulent Ledger Live Application That Stole $9.5M, Reports ZachXBT

Blockchain investigator ZachXBT reveals that a fraudulent Ledger Live application on Apple's App Store is connected to cryptocurrency thefts totaling $9.5 million, with over 50 victims' assets traced to a KuCoin-associated mixer while raising concerns about Apple's accountability.

Blockchain sleuth ZachXBT has reported that a fraudulent Ledger Live application available on Apple's App Store was connected to approximately $9.5 million in cryptocurrency thefts from more than 50 suspected victims between April 7 and April 13.

In a Telegram message posted on Tuesday, ZachXBT said the purported thefts affected users of Bitcoin, Solana, Tron, XRP Ledger and Ethereum Virtual Machine (EVM)-compatible blockchain networks. According to his claims, the stolen cryptocurrency was laundered through more than 150 deposit addresses on KuCoin that were allegedly connected to AudiA6, a service he characterized as a centralized cryptocurrency mixer.

According to ZachXBT, Apple removed the fraudulent application from its platform on April 13, and he detailed three instances of seven-figure thefts among the most significant known incidents. He stated that one individual suffered losses of approximately $1.95 million in Bitcoin (BTC), staked Ether (stETH) and Ether (ETH), while another person lost $3.23 million in USDt (USDT) on April 9, and a third individual experienced losses of roughly $2 million in USDC (USDC) on April 11.

ZachXBT indicated that KuCoin has experienced a rise in illegal activity in recent times, and highlighted that the exchange had been prohibited from accepting new European Union customers in February, soon after it obtained its Markets in Crypto Assets Regulation (MiCA) license. He also questioned whether the situation could provide grounds for a class action lawsuit against Apple.

Key details, including the aggregate losses, number of victims and money laundering pathway, are based on ZachXBT's investigation and had not been verified by Apple or KuCoin at the time of publication. Cointelegraph reached out to both organizations for comment but had not received replies by publication.

Ledger warns users never to enter seed phrase into apps

Charles Guillemet, chief technology officer at Ledger, provided a statement to Cointelegraph indicating that the company does not request users to provide their 24-word recovery phrase under any circumstances and cautioned that software environments that appear official should not be assumed to be inherently secure.

Fraudulent Ledger Live application in the App Store. Source: Archive.ph

"You cannot trust the software environment around you – not your browser, not your app store, not your desktop," Guillemet stated, further noting that malicious actors "operate wherever the opportunity exists," which includes official distribution platforms.

This most recent incident comes after a similar but smaller case that was disclosed on Monday. Garrett Dutton, a musician who performs under the stage name "G. Love," reported that he suffered losses of approximately $420,000 in BTC following his download of a malicious application masquerading as Ledger Live from Apple's App Store and subsequently entering his seed phrase. ZachXBT indicated that the stolen cryptocurrency was transferred to deposit addresses linked to KuCoin.
