Fake Ledger Live App on Apple App Store Stole $9.5M in Cryptocurrency
A malicious macOS app impersonating Ledger Live was distributed through Apple’s App Store and linked to the theft of more than $9.5 million in cryptocurrency from over 50 victims. Investigators said the app used Ledger branding, fake credibility signals, and prompts for users’ seed or recovery phrases, allowing attackers to seize control of wallets and drain assets across multiple networks, including Bitcoin, Ethereum, Solana, Tron, and XRP. The fraudulent listing was reportedly published under Leva Heal Limited rather than Ledger and showed a suspicious version history that jumped rapidly from 1.0 to 5.0 within roughly two weeks.
Blockchain investigator ZachXBT traced the stolen funds from intermediary wallets into more than 150 KuCoin deposit addresses, after which they were laundered through a centralized mixing service known as AudiA6. Apple removed the app after user reports, and KuCoin said it froze the implicated accounts pending possible law enforcement action. The thefts, reported over a span of days in April, have intensified scrutiny of Apple’s app review process and underscored the continuing risk of fake wallet and financial apps appearing in trusted software marketplaces.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researcher uncovers counterfeit Ledger wallets stealing seeds and PINs
A Brazilian cybersecurity researcher identified a supply-chain scam in which counterfeit Ledger Nano S Plus devices sold on Chinese marketplaces replaced the secure element with an ESP32-S3 and stored victims’ PINs and seed phrases in plaintext for exfiltration. The operation also directed users to a cloned Ledger site and fake app that falsely passed authenticity checks, extending the campaign beyond the previously reported App Store malware.
KuCoin freezes implicated accounts pending possible law enforcement action
KuCoin said it froze the deposit accounts tied to the laundering activity and would keep them frozen until April 20 pending possible law enforcement action. This response targeted the addresses identified in the tracing of the stolen funds.
Apple removes fake Ledger Live app after user reports
Apple removed the fraudulent Ledger Live app from the App Store after users reported it. The app had been published under the name Leva Heal Limited and used suspicious version-history changes to appear legitimate.
ZachXBT traces stolen funds to KuCoin addresses and AudiA6 mixer
Blockchain investigator ZachXBT linked the stolen assets to intermediary wallets, more than 150 KuCoin deposit addresses, and the centralized mixing service AudiA6. The tracing showed the campaign was a broad credential-theft operation rather than a chain-specific exploit.
Fake Ledger Live app steals crypto from Apple App Store users
Between April 7 and April 13, a malicious macOS app impersonating Ledger Live on Apple’s App Store harvested seed or recovery phrases and stole more than $9.5 million in cryptocurrency from over 50 victims. The thefts affected wallets across multiple blockchains, including Bitcoin, Ethereum, Solana, Tron, and XRP.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Fake Ledger Hardware Wallets on Chinese Marketplaces Steal Crypto Seeds and PINs
cybersecuritynews.com
Open sourceFake Ledger Live App on Apple Store Linked to $9.5M Crypto Theft
hackread.com
Open sourceFake Ledger app on Mac app store scams users out of $9.5 million | brief | SC Media
scworld.com
Open sourceFake Ledger Live app on Apple’s App Store stole $9.5M in crypto
bleepingcomputer.com
Open sourceTelegram: View @investigations
t.me
Open sourceSinger loses life savings to fake wallet downloaded from the Apple App Store
bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
FakeWallet iOS Apps in Apple App Store Stole Cryptocurrency Seed Phrases
Researchers identified a **FakeWallet** campaign that placed at least **26 malicious iOS apps** in Apple’s App Store, where they impersonated well-known cryptocurrency wallets including **MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie**. The apps primarily targeted users in **China**, taking advantage of the fact that many legitimate crypto wallet apps were unavailable in the local App Store, and used typosquatting, fake branding, and phishing flows to redirect victims to browser-based credential theft pages or trojanized wallet installers. Investigators said the operation had likely been active since at least late 2025, and Apple was notified and removed several of the identified apps. The malware used multiple techniques to steal wallet secrets from both hot-wallet and cold-wallet companion apps, including **malicious `dylib` injection**, executable hooking, provisioning profiles, and **React Native code tampering**. For hot wallets, the implants scraped mnemonic seed phrases and private keys directly from wallet interfaces; for Ledger-themed variants, the apps displayed convincing in-app prompts and fake verification pages to trick users into entering recovery phrases. Stolen data was **RSA PKCS #1-encrypted**, Base64-encoded, and sent to attacker-controlled servers, and researchers assessed the activity may be linked to the **SparkKitty** threat based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution, and overlapping cryptocurrency theft objectives.
Jun 29, 2026
notnullOSX Mac Stealer Targets High-Value Crypto Wallet Holders
Researchers reported a new Go-based macOS stealer and backdoor, **notnullOSX**, being used in highly targeted campaigns against users believed to hold more than **$10,000 in cryptocurrency**. The malware has been linked to the developer previously known as **0xFFF**, later **alh1mik**, and was first detected in Vietnam, Taiwan, and Spain. Operators are distributing it through social-engineering lures including fake protected Google Docs, **ClickFix** terminal-prompt tricks, malicious DMG files, and counterfeit WallSpace wallpaper sites promoted through a likely hijacked YouTube channel. Once victims are persuaded to grant **Full Disk Access**, notnullOSX can steal browser credentials, Safari cookies, iMessage data, Apple Notes, Telegram sessions, crypto wallet files, and developer secrets. Researchers said the malware uses a modular architecture, downloads components from `cdn.filestackcontent.com`, and maintains persistent command-and-control through **Firebase Realtime Database** using SSE, HTTP POST, heartbeat traffic, and WebSocket-style connectivity. One module, **ReplaceApp**, appears designed to swap legitimate wallet tools such as **Ledger Live** or **Trezor** with trojanized versions to capture seed phrases, giving the operation capabilities closer to a remote access trojan than a conventional smash-and-grab stealer.
Jun 29, 2026
DigitStealer Malware Targets macOS M2+ Devices and Cryptocurrency Wallets
A new macOS infostealer named **DigitStealer** has been discovered targeting users with Apple M2 or newer devices. The malware is distributed via a fake utility app called `DynamicLake`, which is hosted on a spoofed website. Victims are tricked into dragging a file into Terminal, initiating a largely fileless infection chain that executes malicious code directly in memory, making detection and remediation difficult. DigitStealer employs advanced anti-analysis techniques, including hardware and locale checks, to evade security tools and avoid infecting virtual machines or systems outside its target region. The malware demonstrates a high level of sophistication by hijacking legitimate cryptocurrency wallet software such as *Ledger Live* using JXA (JavaScript for Automation) and communicating with its command-and-control infrastructure via DNS-based channels. Its primary goal is to steal sensitive information, including files, passwords, and browser data, from macOS users. Security researchers warn that DigitStealer's platform-specific targeting and stealthy operation pose significant new challenges for defenders, especially as it remains undetected by many traditional antivirus solutions.
Jun 29, 2026