A fake Ledger Live app listed on Apple’s Mac App Store drained 5.92 BTC – valued at approximately $420,000 – from musician Garrett Dutton, professionally known as G. Love, after the victim entered his 24-word seed phrase into the imposter application while setting up his hardware wallet on a new Apple computer.
Dutton disclosed the theft on April 11, 2026, via X, describing the loss as his full Bitcoin retirement savings, accumulated over roughly a decade. On-chain investigator ZachXBT subsequently confirmed the laundering path, tracing the stolen funds across nine transactions to deposit addresses at KuCoin.
We suspect this incident is less a story about one user’s misfortune and more a structural signal about the persistent failure of major app distribution platforms to screen fraudulent cryptocurrency wallet applications before they reach end users.
Fake Ledger App Store Listing, Seed Phrase Capture, and the On-Chain Trail to KuCoin
The mechanism functions as follows: the fraudulent application was listed on Apple’s Mac App Store under a developer account unaffiliated with Ledger, yet presented itself visually and functionally as the legitimate Ledger Live desktop client, the companion software Ledger hardware wallet users install to manage their devices and assets.
When Dutton downloaded the application and launched it during a device migration to a new Apple computer, the app immediately prompted him to enter his 24-word recovery phrase – a request the genuine Ledger Live software does not make during normal desktop setup, as seed phrase entry occurs exclusively on the physical hardware device.
Dutton complied, entering the phrase into the counterfeit application, which transmitted it to the attackers. Extracting the BTC then required no further interaction from the victim: possession of the seed phrase grants complete, irrevocable control over all associated wallet funds, independent of the hardware device itself.
ZachXBT’s tracing identified nine outbound transactions dispersing the 5.92 BTC to KuCoin deposit addresses, a laundering pattern consistent with prior fake-wallet campaigns where exchanges with less stringent deposit screening are used to rapidly convert stolen holdings.
At the time of the theft, the approximate dollar value was $420,000 based on a BTC price near $70,955. KuCoin had not issued a public statement regarding the traced deposits as of publication. Dutton clarified publicly that the attack was a function of social engineering through a deceptive application, not a flaw in the Ledger hardware device itself – a distinction that matters for how users should model the threat.
App Store Review Failures and the Recurring Scam Wallet Attack Surface
This is not the first time a counterfeit Ledger application has cleared an ostensibly supervised app store review process. In 2023, a fake Ledger Live app listed on Microsoft’s app store enabled attackers to steal nearly $600,000 in Bitcoin from multiple victims before the listing was removed.
In early 2025, cybersecurity firm Moonlock documented macOS-specific malware that silently replaced legitimate Ledger Live installations on users’ machines and prompted seed phrase entry through a spoofed interface. The recurring pattern – fake app, app store or filesystem delivery, seed phrase capture, immediate fund drainage – has persisted across platforms and years without a structural resolution.
Ledger has maintained a consistent public position that its software is distributed exclusively through ledger.com, and that no legitimate Ledger application will ever request a recovery phrase on a desktop or mobile interface.
Despite this, impostor apps continue to appear in App Store search results under non-Ledger developer accounts, exploiting the trust users extend to Apple’s review infrastructure. We suspect Apple’s app review process – designed primarily to assess functional safety and policy compliance – is structurally ill-equipped to detect semantic impersonation of hardware wallet interfaces, where the deception lies not in malicious code execution but in a fraudulent user interface that solicits sensitive credentials.
The broader context for self-custody holders is that sophisticated theft operations targeting crypto holders increasingly combine social engineering with distribution infrastructure that carries implicit legitimacy – an app store listing, a realistic interface, a plausible setup flow. The attack surface is not narrowing.
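One endpoint check that follows from Ledger's stated distribution policy above, added here as an example (not code from Ledger, Apple, or this article's author): if genuine Ledger software ships only from ledger.com, an installed bundle that presents a Ledger name and also carries a Mac App Store receipt deserves a flag. The keyword list and function names are assumptions of this example.

```python
import plistlib
import sys
from pathlib import Path

# Assumption: name fragments that mean "this bundle claims to be Ledger software".
VENDOR_KEYWORDS = ("ledger",)
NAME_KEYS = ("CFBundleDisplayName", "CFBundleName", "CFBundleIdentifier")


def bundle_names(app: Path) -> list[str]:
    """Return the names an .app bundle presents: its folder name plus Info.plist names."""
    names = [app.stem]
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
        names += [str(info[k]) for k in NAME_KEYS if k in info]
    except Exception:
        pass  # missing or malformed plist: fall back to the folder name only
    return names


def has_mas_receipt(app: Path) -> bool:
    """Mac App Store installs carry a receipt at Contents/_MASReceipt/receipt."""
    return (app / "Contents" / "_MASReceipt" / "receipt").is_file()


def find_store_delivered_impostors(root: Path) -> list[Path]:
    """Flag bundles that use the vendor's name but were delivered by the App Store."""
    flagged = []
    for app in sorted(root.glob("*.app")):
        claims_vendor = any(
            keyword in name.lower()
            for name in bundle_names(app)
            for keyword in VENDOR_KEYWORDS
        )
        if claims_vendor and has_mas_receipt(app):
            flagged.append(app)
    return flagged


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/Applications")
    for app in find_store_delivered_impostors(root):
        print(f"SUSPECT: {app} uses a Ledger name but has a Mac App Store receipt")
```

A hit means the bundle's delivery channel contradicts the vendor's policy; it does not clear bundles without a receipt, which still need their signing identity verified.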
Daniel Frances is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel leverages his background in on-chain analytics to author evidence-based reports and deep-dive guides. He holds certifications from The Blockchain Council, and is dedicated to providing “information gain” that cuts through market hype to find real-world blockchain utility.
Source: https://www.coinspeaker.com/fake-ledger-app-apple-store-drains-btc/







