Users lose over $9.5 mln from a fake Apple App Store app
A fake Ledger Live app that drained substantial funds in crypto was officially available in the Apple App Store and then quietly disappeared.
On a quiet weekend, a musician sat down to do something ordinary: set up a new laptop, reconnect a familiar device, move a decade’s worth of savings. He searched for the software he had used before - a trusted interface, a recognizable name - and downloaded it from a place that was supposed to have already done the vetting for him: the Apple App Store.
What followed took less time than the download itself. A prompt appeared, routine in tone, asking for a recovery phrase. He entered it. Within moments, the balance he had spent years building - nearly six Bitcoin - was gone. Not partially reduced. Not frozen or flagged. But simply erased from his app - transferred to some other wallet.
The musician, Garrett Dutton - known to audiences as G. Love - had not wandered into the dark corners of the internet. He had followed a path that millions of users are trained to trust: search, install, authenticate. The app looked right. The name matched. The environment - the official marketplace of one of the world’s most tightly controlled ecosystems - offered some reassurance. And yet the software was an imitation, a careful forgery designed for a single purpose: to persuade its user to hand over the recovery phrase.
What is unsettling about this case is that G. Love apparently didn’t do anything wrong or reckless. He simply entered a seed phrase into an interface that looked entirely legitimate.
A closer look at the mechanics reveals just how little needed to go wrong. The fake application was not distributed through obscure channels but listed in the Apple App Store itself. It replicated the look and feel of the official Ledger Live software closely enough to pass a casual inspection, guiding users through what appeared to be a standard setup flow. It’s worth noting that the developer name on the fake application was “Leva Heal Limited”, while the real Ledger app is published by Ledger SAS, suggesting that Apple’s App Review process didn’t catch an unrelated publisher impersonating a well-known brand.
Meanwhile, the scale of the operation goes far beyond a single incident. Blockchain investigators linked the same fake Ledger app campaign to at least $9.5 mln in stolen crypto, affecting multiple victims who downloaded the app and unknowingly handed over their recovery phrases.
The three largest individual victims each lost seven figures - one lost $3.23 mln in USDT, another $2.08 mln in USDC, and a third $1.95 mln across BTC, ETH, and stETH. The funds were drained rapidly after access was obtained, often within minutes, suggesting an automated process designed to sweep wallets as soon as credentials were captured.
The attack itself hinges on a single step. During setup, the app prompts users to enter their 24-word recovery phrase, something legitimate wallet software never requires in this context. Once entered, the phrase gives attackers full control over every wallet derived from it. From there, funds are quickly moved through multiple transactions and routed to exchange-linked addresses, a common pattern used to obscure the trail and accelerate cash-out.
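To make concrete why handing over the phrase is the same as handing over every wallet, here is an added illustration (not code from the article, from Ledger or from 1inch) of the standard BIP39 and BIP32 derivation using only the Python standard library: the words alone reproduce the master key, which is why a genuine setup flow that pairs a hardware device has no reason to ask for them. The only assumed input is the published BIP39 test vector embedded below.

```python
import hashlib
import hmac
import unicodedata

# Published BIP39 test vector (12-word phrase, passphrase "TREZOR"), embedded
# here only so the derivation can be checked against a known answer.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised words,
    salted with "mnemonic" plus the optional passphrase. Returns the 64-byte seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed" splits the seed into the
    master private key (left 32 bytes) and the chain code (right 32 bytes).
    Every account and address the wallet ever shows is derived from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_from_phrase(mnemonic: str, passphrase: str = "") -> tuple[bytes, bytes]:
    """The whole chain in one call: words in, master key and chain code out.
    No device, PIN or server is involved, which is the point: whoever holds the
    words holds the wallet."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
```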
“It’s hard to justify how platforms that promote strict security standards and app review processes keep ending up as channels for serious financial losses,” Dimitar Petkov, Senior Anti-Fraud Specialist at PhishFort, 1inch’s security partner, commented. “When an app from a developer labeled something like ‘OFFICIAL DEV’ clears review, or simple tricks like character spoofing slip through checks, it points to deeper flaws in the system.”
“So how can users avoid falling into similar traps?” said Dimitar. “The key is not to depend on app store safeguards when it comes to protecting your funds. In the end, responsibility for security rests with you.”
To avoid crypto scams, check out 1inch’s security features.