ZachXBT Alleges Fake Ledger App on Apple App Store Stole $9.5 Million in a Week

ZachXBT Alleges Fake Ledger App on Apple App Store Stole $9.5 Million in a Week

N
News Editor 01
2026-07-08 13:26:16
Onchain investigator ZachXBT says a fake Ledger Live app on Apple’s App Store stole more than $9.5 million from over 50 victims in one week, with funds allegedly funneled through more than 150 KuCoin deposit addresses.
LedgerApple App StoreKuCoincrypto scamonchain security

Onchain investigator ZachXBT has accused a fraudulent Ledger Live application listed on Apple’s App Store of stealing more than $9.5 million from over 50 victims in the span of a single week. According to the allegations, the thefts took place between April 7 and April 13 and affected users across multiple blockchain ecosystems, including Bitcoin, EVM-compatible networks, Tron, Solana, and Ripple. Apple reportedly removed the malicious app one day before ZachXBT published his findings.

Multi-chain losses and several seven-figure victims

ZachXBT’s public breakdown suggests the fake app was able to capture substantial amounts of digital assets from a wide range of victims. The three largest known losses were each in the seven figures. One user allegedly lost $3.23 million in USDT on April 9. Another lost $2.079 million in USDC on April 11. A third victim was said to have lost roughly $1.95 million in crypto on April 8, including 20.64 BTC, 211 stETH, and 70 ETH.

The scope of the incident highlights how dangerous wallet impersonation attacks have become, especially when they appear inside trusted digital storefronts. Instead of targeting only one token or one blockchain, this campaign appears to have drained assets across several chains, increasing both the number of potential victims and the complexity of tracking the stolen funds.

Among the named victims was musician G. Love, who reportedly lost nearly 6 BTC after using the fake application. The inclusion of a public figure added visibility to the case, but the core issue extends well beyond one individual: the campaign appears to have operated at scale and targeted ordinary users who believed they were downloading legitimate wallet software from an official distribution channel.

Alleged laundering routes and scrutiny on KuCoin

A central part of ZachXBT’s allegations concerns where the stolen funds went after the thefts occurred. He claimed that more than 150 KuCoin deposit addresses were used in connection with laundering proceeds from the fake Ledger app scam. He also identified AudiA6 as the centralized mixing service allegedly involved in moving the funds. According to his description, AudiA6 charges high fees to process illicit money, acting as an intermediary for threat actors attempting to obscure fund flows.

ZachXBT did not stop at the Ledger-related thefts. He further alleged that, only days earlier, a separate threat actor had laundered more than $3.5 million tied to the Bitcoin Depot incident through 25 or more KuCoin deposit addresses. Taken together, these claims raise broader questions about exchange compliance controls, the effectiveness of know-your-customer procedures, and whether rapid exchange services may be abused by criminal actors.

On X, ZachXBT publicly confronted KuCoin after the exchange posted unrelated social content, asking why the platform had allowed a threat actor to launder more than $9.5 million linked to the fake Ledger app through such a large number of deposit addresses in the previous week. He argued that weak controls and instant exchange features may have enabled abuse and said regulators should once again examine KuCoin’s business practices.

KuCoin’s official X account responded by asking for a UID and ticket number to investigate the issue, a reply that appeared more like a customer service workflow than a direct answer to the allegations. As of the time referenced in the original report, KuCoin had not publicly addressed the specific claims regarding the alleged laundering activity.

Apple’s review process under renewed pressure

The incident also puts a spotlight on Apple’s app review system. The core concern is not only that a fake wallet app was published, but that it was able to remain available long enough to victimize dozens of users and drain millions of dollars in assets before being removed. For many crypto users, official app stores are still perceived as safer than downloading software from unknown websites. Cases like this challenge that assumption directly.

ZachXBT argued that Apple’s role in hosting the fraudulent application could potentially create grounds for a class action lawsuit. While no legal outcome is stated in the source material, the suggestion reflects growing frustration in the crypto community over how phishing apps and wallet impersonation software continue to pass platform moderation and security checks.

The case also illustrates a longstanding tension in consumer technology: centralized gatekeepers promote their stores as curated and secure, yet sophisticated malicious software can still slip through, especially when it impersonates a recognized crypto brand. For crypto wallet software in particular, a single successful impersonation can have catastrophic consequences because once a user reveals sensitive credentials, losses are often immediate and irreversible.

Ledger reiterates a key security rule

In comments shared with Bitcoin.com News, Ledger CTO Charles Guillemet emphasized a basic but critical rule: Ledger will never ask for a user’s 24-word recovery phrase. He warned that if any person or app requests those 24 words, users should assume something is wrong.

Guillemet also stressed that users should not fully trust the surrounding software environment, whether that means a browser, an app store, or desktop software. Attackers, he said, operate wherever opportunity exists, and that includes official distribution platforms. His message was clear: the strongest protection is to keep private keys on a dedicated hardware device with a secure screen and to never enter a seed phrase into any app or website.

That reminder is especially relevant in scams involving fake wallet interfaces. In many such attacks, the malware does not need to exploit the hardware wallet itself. Instead, it tricks the user into surrendering the recovery phrase, which effectively hands over full control of the wallet. Once the seed phrase is compromised, criminals can reconstruct the wallet and drain assets across all supported chains.

A broader warning for crypto users

Although the allegations in this case focus on Apple’s App Store, KuCoin, and the identified laundering routes, the broader lesson is about operational security. Even trusted distribution channels can become attack surfaces. For crypto users, downloading an app from an official store is no longer enough to guarantee safety, especially when fake apps mimic established wallet brands and use convincing names, interfaces, and prompts.

The reported thefts show the scale of the damage that can be done in a short period of time when a malicious app reaches users at the point of wallet setup or recovery. More than $9.5 million was allegedly stolen in just one week, making this one of the more serious examples of wallet impersonation abuse tied to a mainstream app marketplace. Until stronger safeguards are implemented, users remain the final line of defense.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.