A fake Ledger Live app listed in Apple’s Mac App Store drained 5.92 bitcoins — worth roughly $420,000 — from musician Garrett Dutton, known professionally as G. Love, after the victim entered his 24-word seed phrase into the scam app while setting up his wallet on a new Apple computer.
Dutton revealed the theft on April 11, 2026, via X, describing the loss as his entire Bitcoin retirement savings, accumulated over nearly a decade. On-chain investigator ZachXBT later confirmed the money laundering trail, tracing the stolen funds across nine transactions to deposit addresses at KuCoin.
We believe this incident is less a story of one user’s bad luck than a structural signal about the continuing failure of major app distribution platforms to screen fraudulent cryptocurrency wallet apps before they reach end users.
I had a really tough day today, as I lost my retirement fund to a hack/scam when I changed my account @Ledger to my new computer and I accidentally downloaded the malicious Ledger application from @apple place. All my Bitcoin was gone in an instant.
– G. Love (@glove) April 11, 2026
Fake Ledger app store listing, seed phrase capture, and on-chain path to KuCoin
The mechanism works as follows: The fraudulent app was listed in Apple’s Mac App Store under a non-Ledger developer account, yet presented itself visually and functionally as the legitimate Ledger Live desktop client, the companion software that Ledger hardware wallet users install to manage their devices and assets.
When Dutton downloaded and ran the app while migrating the device to a new Apple computer, the app immediately prompted him to enter the 24-word recovery phrase. The genuine Ledger Live software does not make this request during a normal desktop setup, where the recovery phrase is entered exclusively on the physical device.
Dutton complied, entering the phrase into the fake app, which sent it to the attackers. Draining the BTC required no further interaction from the victim: possession of the seed phrase granted complete and irrevocable control over all associated wallet funds, independent of the device itself.
Hi, I found your 5.92 BTC stolen and it was all laundered to @kucoincom deposit addresses in the following transactions:
6f5c8eb6b01774626f33527e0cb03c0d1860447acacd6079e69bf41b459bcf1f
9ee1288f941b2c3775ebd125eefeebdc713aa160bf2cf9d18661fd07f84ce891…
– ZachXBT (@zachxbt) April 12, 2026
ZachXBT’s tracking identified nine external transactions distributing 5.92 BTC to KuCoin deposit addresses, a laundering pattern consistent with previous fake wallet campaigns where exchanges with less stringent deposit screening were used to quickly transfer stolen property.
At the time of the theft, the approximate dollar value was $420,000 based on a Bitcoin price near $70,955. KuCoin has not issued a public statement regarding the tracked deposits as of press time. Dutton publicly explained that the attack was the result of social engineering through a rogue app, rather than a flaw in the Ledger device itself — an important distinction in how users model the threat.
App Store Review Failures and Repeated Wallet Fraud Attack Surface
This isn’t the first time a fake Ledger app has cleared an app store’s ostensibly moderated review process. In 2023, a fake Ledger Live app listed on the Microsoft App Store enabled attackers to steal approximately $600,000 in bitcoin from multiple victims before the listing was taken down.
In early 2025, cybersecurity firm Moonlock documented macOS malware that silently replaced legitimate Ledger Live installations on users’ devices and prompted seed phrase entry through a spoofed interface. The recurring pattern – fake app, app store or file system delivery, seed phrase capture, instant cash out – has persisted across platforms and years without a structural solution.
Ledger has maintained a consistent public position that its software is distributed exclusively through ledger.com, and that no legitimate Ledger application will request a recovery phrase on the desktop or mobile interface.
It seems that Apple doesn’t want people to document the fact that they are allowing fake apps on the App Store. pic.twitter.com/1mnkSsZ9R7
– ZachXBT (@zachxbt) April 12, 2026
Despite this, rogue apps continue to appear in App Store search results under non-Ledger developer accounts, exploiting the trust that users extend to Apple’s review infrastructure. We suspect that Apple’s app review process—designed primarily to assess functional integrity and policy compliance—is structurally ill-equipped to detect semantic spoofing of hardware wallet interfaces, where the deception lies not in the execution of malicious code but in a fraudulent UI requesting sensitive credentials.
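Because Ledger says its software is distributed only through ledger.com, a Ledger-branded app bundle that carries a Mac App Store receipt contradicts the vendor's stated channel. The check below is an added example, not code from this article or from Ledger; it assumes the standard macOS bundle layout (Contents/Info.plist, plus Contents/_MASReceipt/receipt for Mac App Store installs) and runs against constructed sample bundles.

```python
import plistlib
import tempfile
from pathlib import Path

BRAND = "ledger"  # brand string searched for in bundle names and metadata

def bundle_names(app):
    """Return the names and identifier declared in the bundle's Info.plist."""
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # missing or malformed plist: nothing to match on
        return []
    keys = ("CFBundleName", "CFBundleDisplayName", "CFBundleIdentifier")
    return [str(info[k]) for k in keys if k in info]

def from_mac_app_store(app):
    """Mac App Store installs carry a receipt file inside the bundle."""
    return (app / "Contents" / "_MASReceipt" / "receipt").is_file()

def suspicious_ledger_apps(apps_dir):
    """Flag bundles that use the Ledger brand but came from the Mac App Store."""
    hits = []
    for app in sorted(Path(apps_dir).glob("*.app")):
        branded = BRAND in app.name.lower() or any(
            BRAND in name.lower() for name in bundle_names(app))
        if branded and from_mac_app_store(app):
            hits.append(app.name)
    return hits

def make_bundle(root, name, display, mas):
    """Create a constructed, empty app bundle used only for the demo."""
    contents = root / name / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleName": display}, fh)
    if mas:
        (contents / "_MASReceipt").mkdir()
        (contents / "_MASReceipt" / "receipt").write_bytes(b"constructed")

def demo():
    # Constructed sample: one direct download, one store-delivered lookalike
    # hiding behind a neutral folder name, and one unrelated store app.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_bundle(root, "Ledger Live.app", "Ledger Live", mas=False)
        make_bundle(root, "Wallet Manager.app", "Ledger Live", mas=True)
        make_bundle(root, "Notes.app", "Notes", mas=True)
        return suspicious_ledger_apps(root)
```

On a Mac, `suspicious_ledger_apps("/Applications")` runs the same check against installed apps; a clean result does not vouch for a bundle obtained outside the store.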
The broader context for self-custodians is that sophisticated theft campaigns targeting cryptocurrency holders increasingly combine social engineering with a distribution infrastructure that carries implicit legitimacy — an app store listing, a realistic interface, and a reasonable setup flow. The attack surface is not narrowing.
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to provide accurate and timely information but should not be considered financial or investment advice. Since market conditions can change rapidly, we encourage you to verify the information yourself and consult with a professional before making any decisions based on this content.

Daniel Francis is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel brings his background in cross-chain analytics to author evidence-based reports and detailed guides. He is certified by the Blockchain Council and is dedicated to providing “information gain” that cuts through the market noise to find blockchain’s real-world utility.





