
A fake version of Ledger Live sat on the Apple App Store for roughly two weeks, and by the time Apple removed it on April 14, at least 50 people had lost a combined $9.5 million in cryptocurrency. The app was published under the name "Leva Heal Limited," a shell entity with zero connection to Ledger SAS, the company that builds the real Ledger hardware wallets. Victims downloaded what they believed was the official Ledger companion app, entered their seed phrases, and watched their wallets get drained within minutes.
Blockchain investigator ZachXBT traced the stolen funds and published the full breakdown on April 14. The three largest individual losses were $3.23 million in USDT, $2.08 million in USDC, and $1.95 million across BTC, ETH, and stETH. One victim posted on X that he lost 5.9 BTC, his entire savings accumulated over a decade.
This is a story about a six-day window where Apple's App Store review process failed completely, and the people who trusted it paid for that failure.
How the Scam Worked From Download to Drain
The attack was simple, which is what makes it so effective. The fake Ledger Live app appeared in the macOS App Store with the same icon, the same name, and a publisher listing that looked close enough to pass a casual glance. "Leva Heal Limited" means nothing to someone searching for "Ledger Live" in the App Store and expecting Apple's review process to have filtered out fakes.
Once installed, the app presented a wallet setup screen identical to the real Ledger Live interface. It asked users to enter their 24-word recovery phrase to "restore" or "sync" their wallet. The moment those words were submitted, the attackers had full access to every asset in the victim's wallet. No malware injection, no exploit chain, no zero-day vulnerability. Just a form field and a user who trusted the source.
The drains happened fast. Between April 7 and April 13, the attackers moved through victims systematically. The $3.23 million USDT theft happened on April 9. The $1.95 million BTC/ETH/stETH drain happened on April 8. The $2.08 million USDC was taken on April 11. Every theft followed the same pattern. Seed phrase entered, funds transferred out within minutes, assets moved to intermediary wallets before landing at exchange deposit addresses.
Where the Money Went
ZachXBT's on-chain analysis traced the stolen funds through more than 150 KuCoin deposit addresses. The laundering operation used a centralized mixing service called "AudiA6," which processes stolen crypto in exchange for high fees and distributes it across dozens of deposit addresses to avoid triggering exchange compliance flags.
The choice of KuCoin as the off-ramp is notable. KuCoin has faced regulatory pressure in multiple jurisdictions over the past two years, and its KYC requirements have been criticized as less stringent than those of US-regulated exchanges. For attackers looking to convert stolen crypto to cash quickly, routing through an exchange with looser controls reduces the risk of frozen funds.
None of the stolen funds have been recovered as of April 16. The mixing service and the speed of the laundering operation make recovery extremely difficult, though not impossible if KuCoin cooperates with law enforcement requests for account information tied to those 150+ deposit addresses.
Why Apple's Review Process Failed
This is the part that stings the most for victims. Apple charges a 30% commission on App Store transactions and markets its ecosystem as safer than alternatives specifically because of its review process. The company has used App Store security as a legal argument against sideloading and alternative app stores for years.
And yet a fake crypto wallet app sat on the store for approximately two weeks before being removed. Apple's review team did not catch it or flag it during the app's entire time on the store. The app was pulled only after community reports and media coverage forced action.
According to 9to5Mac's reporting, the fake Ledger app was not the only problematic removal that day. Apple also pulled a fraudulent version of Freecash on the same date, suggesting the review process had multiple simultaneous failures rather than a single isolated miss.
Apple confirmed the developer account was terminated after removal. But terminating the account after $9.5 million in theft is like locking the vault after the gold is gone. The real question is how a clone of one of the most well-known crypto apps, published by a completely unrelated entity, made it through review in the first place.
The Victims and the Legal Fallout
The 50+ victims are not faceless numbers. One user who posted publicly on X under the handle @glove described losing 5.9 BTC, representing a decade of savings. Others lost six and seven figures in stablecoins they had been holding in cold storage specifically because they thought hardware wallets were the safest option.
The irony cuts deep. These were not people clicking shady links in Telegram groups. They went to the Apple App Store, the platform marketed as the gold standard for app safety, and downloaded what they thought was a verified application. They did what most security guides tell you to do. Get the app from the official store.
ZachXBT has suggested the scale of losses could form the basis for a class-action lawsuit against Apple. The legal argument would center on Apple's duty of care. The company profits from its walled garden model, actively prevents users from installing apps outside the App Store on iOS, and represents that its review process protects users from malicious software. When that process fails and users suffer millions in losses, the gap between Apple's marketing claims and its actual security delivery becomes a liability question.
The odds of a class action materializing depend on how many victims organize and how aggressively legal firms pursue the case. But the precedent matters beyond this single incident. If Apple faces no legal consequences for hosting a fake app that stole $9.5 million, the App Store's security guarantee becomes a marketing slogan rather than a binding commitment.
How to Protect Yourself From Fake Wallet Apps
The hardest lesson from this incident is that "download from the official app store" is no longer sufficient advice by itself. You need additional verification steps, and they take less than 60 seconds.
Verify the publisher name before downloading. The real Ledger Live is published by "Ledger SAS." The fake was published by "Leva Heal Limited." This single check would have prevented every theft in this incident. Go to the developer's official website, find the download link there, and confirm it matches what you see in the app store.
Never enter your seed phrase into any app, ever. Your 24-word recovery phrase is the master key to your wallet. No legitimate wallet app will ask you to type it into a software interface for "syncing" or "restoring." Ledger's own security documentation states that the recovery phrase should only ever be entered directly on the hardware device itself, never on a computer or phone screen.
Bookmark the real download page. Go to ledger.com/ledger-live once, verify you are on the correct domain, and bookmark it. Use that bookmark every time you need to download or update Ledger Live. Do not search for it in the App Store each time, because search results can surface fakes.
Check on-chain before trusting an app. If you have already installed a wallet app and want to verify it is legitimate, send a tiny test transaction first. Transfer $5 worth of crypto and confirm it arrives correctly before moving larger amounts.
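The publisher check from the first step above can also be automated by anyone who monitors store listings for a brand. The sketch below is an added example, not code from Ledger, Apple, or the article. It assumes listing metadata has already been fetched as JSON with the trackName and sellerName fields used by Apple's iTunes Lookup API; the sample records are constructed, and the third and fourth are invented for the demo.

```python
import json
import unicodedata
from difflib import SequenceMatcher

# Brand -> publisher names accepted for it. "Ledger SAS" is the publisher the
# article gives for the real app; add other brands you rely on.
EXPECTED_PUBLISHERS = {"ledger live": {"ledger sas"}}

# Constructed sample, shaped like an iTunes Lookup API response.
SAMPLE_LOOKUP = json.dumps({"resultCount": 4, "results": [
    {"trackName": "Ledger Live", "sellerName": "Ledger SAS"},
    {"trackName": "Ledger Live", "sellerName": "Leva Heal Limited"},
    {"trackName": "Ledgr Live Wallet", "sellerName": "Example Seller Ltd"},
    {"trackName": "Photo Editor", "sellerName": "Example Studio"},
]})


def normalize(text):
    """Casefold, fold compatibility forms, and collapse punctuation/spacing."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join("".join(c if c.isalnum() else " " for c in text).split())


def brand_for(title, threshold=0.85):
    """Return the protected brand a listing title resembles, or None."""
    words = normalize(title).split()
    for brand in EXPECTED_PUBLISHERS:
        if brand in " ".join(words):
            return brand
        # Near-miss spellings: compare the brand with the title's leading words.
        head = " ".join(words[:len(brand.split())])
        if SequenceMatcher(None, brand, head).ratio() >= threshold:
            return brand
    return None


def audit(lookup_json):
    """Return (title, seller, verdict) for each listing using a protected brand."""
    findings = []
    for app in json.loads(lookup_json).get("results", []):
        brand = brand_for(app.get("trackName", ""))
        if brand is None:
            continue  # unrelated app, nothing to verify
        seller = app.get("sellerName", "")
        ok = normalize(seller) in EXPECTED_PUBLISHERS[brand]
        findings.append((app.get("trackName"), seller,
                         "ok" if ok else "PUBLISHER MISMATCH"))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE_LOOKUP):
        print(row)
```

A mismatch verdict means only that the seller is not on the allowlist for that brand, so the allowlist has to be built from the vendor's own website rather than from the store listing being checked.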
For users who prefer keeping assets on a regulated exchange rather than managing their own keys, the tradeoff calculus just shifted. Self-custody remains the gold standard for sovereignty over your assets, but it comes with the responsibility of verifying every piece of software that touches your keys. Exchange custody eliminates the fake-app attack vector entirely, though it introduces different risks like exchange insolvency.
What This Means for the Broader Crypto Security Picture
This was not a smart contract exploit. No code was hacked and no blockchain was compromised. The attack exploited the weakest link in the security chain, which is human trust in a platform's verification process. And it worked because Apple's review process gave that trust a foundation it could not support.
The crypto industry has spent years building better on-chain security. Multi-sig wallets, hardware security modules, formal verification of smart contracts, and bug bounty programs have all improved. But the attack surface has shifted. The most effective crypto thefts in 2025 and 2026 have not been protocol exploits. They have been social engineering attacks, phishing campaigns, and fake applications that target the gap between what users believe is safe and what actually is.
The Block reported that the stolen funds spanned Bitcoin, Ethereum, Solana, Tron, and XRP, meaning the attackers drained every chain the victims held assets on. A seed phrase gives access to all derived wallets across all networks. One input field, total loss.
For Apple, this is a reputational problem that goes beyond crypto. If the App Store cannot reliably filter out clones of well-known financial applications, the security argument for the walled garden weakens considerably. And with regulators in the EU already forcing Apple to allow sideloading under the Digital Markets Act, the company's ability to claim its review process justifies App Store exclusivity takes another hit.
Frequently Asked Questions
How did a fake Ledger app get on the Apple App Store?
Apple's app review process, while generally effective at catching malware, does not reliably detect apps that impersonate legitimate financial products through identical branding and user interfaces. The fake Ledger Live was published by "Leva Heal Limited," and Apple's review team did not flag the mismatch between the publisher name and the well-known Ledger brand. The app was only removed after community reports, not through Apple's own detection.
Can victims recover the stolen $9.5 million?
Recovery is extremely difficult but not entirely impossible at this stage. The funds were laundered through 150+ KuCoin deposit addresses using a mixing service called "AudiA6." If KuCoin cooperates with law enforcement and freezes associated accounts, some portion could potentially be recovered. However, the mixing process is designed specifically to make tracing and freezing difficult, and no funds have been recovered as of April 16.
Should I stop using Ledger hardware wallets after this?
The Ledger hardware wallet itself was not compromised. The vulnerability was a fake software app that tricked users into entering their seed phrases. Your Ledger device remains secure as long as you only enter your recovery phrase on the physical device itself and download Ledger Live exclusively from ledger.com, not from app store search results.
Is Apple legally liable for losses from fake App Store apps?
ZachXBT and legal commentators have suggested this could form the basis for a class-action lawsuit. Apple markets its App Store as a curated, safe marketplace and profits from its walled garden model. When that curation fails and users suffer direct financial losses, there is a legal argument that Apple breached its duty of care. No lawsuit has been filed yet, but the $9.5 million in documented losses provides a substantial foundation for one.
Bottom Line
The fake Ledger Live app on the Apple App Store exposed a gap that most crypto users assumed did not exist. Fifty people trusted Apple's review process, entered their seed phrases into what they believed was a verified app, and lost $9.5 million in six days. The attackers were not sophisticated hackers. They built a clone, submitted it under a shell publisher, and waited for victims to hand over their keys.
The practical takeaway is immediate and worth repeating before you download anything else. Verify publisher names before installing any crypto-related app from any store. Never type your seed phrase into software on a screen. And treat app store listings with the same skepticism you would apply to any other download source, because the "official store" label clearly does not guarantee safety. The $9.5 million sitting in mixing service wallets right now is proof of what happens when that assumption goes unchallenged.