ZachXBT Says Apple App Store Fake Ledger App Stole $9.5M From 50+ Victims in One Week

Onchain researcher ZachXBT publicly alleged that more than $9.5 million stolen through a fraudulent Ledger Live app on Apple’s App Store was laundered through over 150 Kucoin deposit addresses.

Key Takeaways:

  • ZachXBT linked $9.5M in theft from a fake Ledger Live Apple App Store app to an alleged 150+ Kucoin deposit addresses.
  • Musician G. Love lost about 6 BTC; the 3 largest victims each lost 7 figures between April 7-13.
  • Apple did end up removing the phony application from the App Store.

Fake Ledger Live iOS App Drained $9.5M Before Apple Pulled It, ZachXBT Finds

ZachXBT posted his findings on Tuesday, April 14, on X, laying out how the fake app victimized more than 50 users between April 7 and 13 across Bitcoin, EVM, Tron, Solana, and Ripple networks. Apple removed the app the day prior to his post.

The 3 largest victims each lost 7 figures. One individual lost $3.23 million in USDT on April 9. A second victim lost $2.079 million in USDC on April 11. A third lost $1.95 million worth of crypto on April 8, including 20.64 BTC, 211 stETH, and 70 ETH.

Another victim among those defrauded was musician Garrett Dutton, known professionally as G. Love, who lost about 6 BTC to the fake app. ZachXBT identified AudiA6 as the centralized mixing service used to move the stolen funds.

He described AudiA6 as a service that charges high fees to process illicit money, and alleged that stolen funds moved through Kucoin deposit addresses connected to that service. The researcher also claimed that a separate threat actor laundered $3.5 million from the Bitcoin Depot incident through more than 25 Kucoin deposit addresses in the days before the Ledger-related theft.

On X, after Kucoin’s official X account posted a random A & B vote post, ZachXBT decided to respond with his accusations. “C) Want to explain to the community why Kucoin allowed a threat actor to launder $9.5M+ tied to a fake Ledger app via 150+ Kucoin deposit addresses over the past week?” ZachXBT asked. The onchain researcher added:

“A few days before that another threat actor laundered $3.5M+ from the Bitcoin Depot incident via 25+ Kucoin deposit addresses. You’ve enabled instant exchanges abusing KYC and entities like AudiA6, a centralized mixer for illicit actors to operate freely. Kucoin deserves to have regulators come after its business once again.”

When Kucoin’s official X account responded to the contention by asking for a UID and ticket number to look into the matter, ZachXBT replied with a photo of an infant’s ID document, implying the exchange’s know-your-customer (KYC) verification process is inadequate.

Kucoin had not publicly responded to those specific allegations as of the time of publication. The UID and ticket number response was likely from a customer service agent.

ZachXBT said the situation may provide grounds for a class action suit against Apple for hosting the fraudulent app. Theft addresses published by ZachXBT span multiple blockchains, including Bitcoin, Ethereum, Tron, Solana, and Ripple, identifying specific wallets connected to each victim.

The fake Ledger Live app’s presence on Apple’s App Store raised broader questions about how malicious software clears Apple’s review process and how long it can operate before removal.

In a note shared with Bitcoin.com News, Ledger’s CTO Charles Guillemet stressed that his firm will never ask for a seed phrase. “Ledger will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong,” Guillemet explained.

“Ledger consistently reminds the community about this. You cannot trust the software environment around you – not your browser, not your app store, not your desktop. Attackers operate wherever the opportunity exists, and that includes official distribution platforms. The only protection that holds is keeping your private keys on a dedicated hardware device with a secure screen, like a Ledger signer, and never entering your seed phrase into any app or website. Your 24 words are your wallet,” the hardware wallet firm’s CTO added.
