Fake Ledger app stole $9.5M

- Apple removed a fake Ledger Live app from the Mac App Store after blockchain sleuth ZachXBT tied it to a weeklong, cross-chain crypto theft spree. (coindesk.com)
- The clone tricked users into typing 12- or 24-word recovery phrases, helping drain about $9.5 million from 50 victims between April 7 and 13. (coindesk.com)
- The bigger problem is trust: Ledger’s desktop app is distributed outside the Mac App Store, but Apple’s review still let an impersonator through. (support.ledger.com)

A crypto wallet app is supposed to be the safe layer. Here, it became the trap. A fake Ledger Live app made it into Apple’s Mac App Store, copied the real int(coindesk.com)ld rebuild the wallets elsewhere and empty them. By April 14, 2026, on-chain tracing had linked the campaign to roughly $9.5 million in losses across more than 50 victims. (coindesk.com)

### What was the app actually stealing?

Not passwords. Not a session cookie. The app was after the 12- or 24-word recove(support.ledger.com)master key to a crypto wallet. If someone has it, they do not need your physical Ledger device in front of them. They can restore the wallet on another machine and move the funds out directly. (bleepingcomputer.com)

### Why is that such a brutal failure mode?

Because hardware wallets protect keys from malware on your computer, but they cannot protect you from handing(coindesk.com)tes the companion software, creates urgency, and asks for the phrase during setup or recovery. The moment the user complies, the hardware advantage is gone. (bleepingcomputer.com)

### How big was the theft?

The visible total tied to this campaign was about $9.5 million, stole(bleepingcomputer.com)ng say three victims each lost seven figures, and one widely shared example was musician G. Love, who said he lost about 5.9 BTC — roughly $430,000 at the time. (coindesk.com)

### How did investigators connect the dots?

The money moved in patterns that looked coordinated, not random. ZachXBT and follow-on reporting tied vic(bleepingcomputer.com)suggests a single operation or tightly linked set of operators, not a bunch of unrelated copycats hitting users one by one. (cointelegraph.com)

### Why does Apple matter here?

Because the entire social-engineering trick got a huge credibility boost from distribution. People are trained to treat the (coindesk.com)p reportedly appeared under the publisher name “Leva Heal Limited,” stayed up long enough to collect victims, and was removed only after reports spread. (bleepingcomputer.com)

### Was there an easy tell?

Yes — but only if you already knew Ledger’s setup. Ledger’s own support pages say the deskto(cointelegraph.com) and Google Play. So a Mac App Store listing for Ledger Live should have been a red flag. But that kind of tell works only for experienced users. New users are exactly the ones most likely to trust the store listing. (support.ledger.com)

### What’s the real lesson?

This was not a “crypto got hacked” story in the usual sense. It was an impersonation and trust-chain failure. The attackers did not(bleepingcomputer.com)e controls everything.

Bottom line: if any desktop wallet app asks for your recovery phrase, stop. That request is the scam. (bleepingcomputer.com)

Shared from Scout - Be the smartest in the room.