A sophisticated phishing scheme exploiting Apple’s Mac App Store has resulted in the theft of approximately $9.5 million in cryptocurrency, according to blockchain investigator ZachXBT, who published his findings on Tuesday. The attack, which targeted users of the popular Ledger hardware wallet, unfolded between April 7 and April 13, 2026 — nearly a full week before Apple removed the fraudulent application.

The malicious app posed as Ledger Live, the official companion software for Ledger hardware wallets, a product well known among cryptocurrency holders for its security credentials. Victims who downloaded the fake application were prompted to enter their 24-word seed phrase — the master key to any cryptocurrency wallet — under the guise of “restoring” their wallet. Once entered, attackers used the phrase to reconstruct victims’ wallets on separate devices and systematically drain funds.

How the Scam Worked

The attack relied on a critical gap in app availability: while Ledger does offer a Mac desktop application, it distributes that software exclusively through its own website — not through the Mac App Store. Threat actors exploited this gap by publishing a convincing impersonation on the official Apple storefront, where unsuspecting users would reasonably expect to find legitimate software.

Security Note

The real Ledger Live application never asks users to enter their seed phrase. Any app or website requesting those 24 words should be treated as an immediate red flag, regardless of where it appears — including official app stores.

Once a victim entered their recovery phrase, attackers reconstructed the wallet on a separate device and began systematically draining assets. Stolen funds were routed through more than 150 deposit addresses on the KuCoin cryptocurrency exchange, and then funneled into a centralized mixing service called AudiA6 — a platform known for laundering illicit cryptocurrency for high fees, according to ZachXBT’s on-chain analysis.

Scale of Individual Losses

The theft affected holders across multiple blockchain networks, including Bitcoin, Ethereum, Solana, Tron, and Ripple. Three victims alone lost seven-figure sums within a four-day window:

Date       Asset               Amount Lost
April 8    BTC, ETH & stETH    $1.95 million
April 9    USDT (Tether)       $3.23 million
April 11   USDC (Circle)       $2.08 million

Among the confirmed victims is American musician Garrett Dutton, known professionally as G. Love, who publicly disclosed on X (formerly Twitter) that he lost 5.92 BTC — nearly $500,000 at current prices — representing his entire retirement savings accumulated over roughly a decade. “I lost my retirement fund in a hack/scam… All my BTC gone in an instant,” Dutton wrote. ZachXBT subsequently traced the stolen Bitcoin through a series of transactions into KuCoin deposit addresses consistent with the broader laundering pattern.

“Ledger will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong.”
— Charles Guillemet, Chief Technology Officer, Ledger

Timeline of the Attack

  • April 7, 2026: Fake Ledger Live app begins operating on the Mac App Store. First victims are targeted.
  • April 8–11, 2026: Three separate victims lose seven-figure sums across BTC, ETH, USDT, and USDC. Funds immediately laundered through KuCoin and the AudiA6 mixing service.
  • April 12, 2026: Musician G. Love publicly reports losing 5.92 BTC after downloading the fraudulent app while migrating to a new computer.
  • April 13, 2026: Apple removes the fake Ledger Live application from the Mac App Store following user reports.
  • April 14, 2026: ZachXBT publishes full on-chain analysis. Total theft confirmed at $9.5 million from over 50 victims. KuCoin freezes involved accounts — but only until April 20 unless extended by law enforcement request.

Scrutiny Falls on Apple and KuCoin

The incident has ignited fierce debate about Apple’s App Store review process, which the company has long marketed as a rigorous security gatekeeping mechanism. Critics note that the fake app passed that review entirely, remained live and discoverable for nearly a week, and was only removed after victims began sounding the alarm publicly.

ZachXBT suggested the situation may provide legal grounds for a class-action lawsuit against Apple for hosting the fraudulent application, a view echoed by several cryptocurrency law commentators online. Apple had not responded to media requests for comment as of the time of publication.

KuCoin, where the laundered funds were routed, has itself faced sustained regulatory pressure. The exchange paid more than $300 million in fines to U.S. authorities in 2025 to settle anti-money-laundering violations, and was barred from onboarding new EU users by Austrian regulators in February 2026, just months after receiving a MiCA license. The exchange announced it has frozen the accounts involved in this latest scheme — but noted the freeze will only remain in place until April 20 unless extended by official law enforcement channels.

This is not the first time a fake Ledger application has targeted crypto users through an official platform. A similar attack targeting the Microsoft Store in 2023 resulted in approximately $768,000 in losses — a figure dwarfed by the scale of the current incident.

What Users Should Do

Ledger has reiterated its core security guidance in the wake of the attack. The company’s CTO, Charles Guillemet, stressed that the only safe environment for managing private keys is a dedicated hardware device with a secure screen — not any software application, regardless of where it is downloaded. Users should download Ledger Live exclusively from Ledger’s official website at ledger.com, and should never enter a seed phrase into any application or website under any circumstances.

Anyone who believes they may have interacted with the fake app should immediately transfer any remaining funds to a new wallet generated on a freshly initialized hardware device, and should report the incident to local law enforcement as well as to Apple directly.
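
As an added example (not code from Ledger, Apple, or the original article): because Ledger's Mac desktop app is distributed only through Ledger's website, an installed app that names itself Ledger yet carries a Mac App Store receipt (Contents/_MASReceipt/receipt) deserves scrutiny. The function name and the name-matching heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example: list app bundles that present themselves as Ledger software
# but were installed from the Mac App Store.

# list_mas_ledger_apps DIR
# Prints each *.app bundle (up to two levels below DIR) that
#   1. contains Contents/_MASReceipt/receipt, the receipt file that
#      Mac App Store installs carry, and
#   2. mentions "ledger" in its bundle name or Info.plist
#      (heuristic chosen for this example).
list_mas_ledger_apps() {
    dir=${1:-/Applications}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 2 -type d -name '*.app' 2>/dev/null |
    while IFS= read -r app; do
        # Direct downloads from a vendor site have no App Store receipt.
        [ -f "$app/Contents/_MASReceipt/receipt" ] || continue
        name=$(basename "$app")
        plist="$app/Contents/Info.plist"
        # grep -a treats a binary plist as text so embedded strings match.
        if printf '%s' "$name" | grep -qi 'ledger' ||
           { [ -f "$plist" ] && grep -qai 'ledger' "$plist"; }; then
            printf '%s\n' "$app"
        fi
    done
}

# When run directly, scan the system and per-user application folders.
for d in /Applications "$HOME/Applications"; do
    list_mas_ledger_apps "$d"
done
```

Any path printed warrants review before the app is opened again; an empty result does not prove that an installed copy is genuine.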