Mac App Store “Ledger Live” Impostor Drains $9.5M+ in Crypto; G. Love Among 50+ Victims
A counterfeit Ledger Live app on Apple’s Mac App Store stole over $9.5M in BTC, SOL, XRP, and USDT from 50+ users. Inside the KuCoin laundering trail and what this means for self-custody.

Because Bitcoin
April 14, 2026
The weakest link in self-custody often isn’t the hardware—it’s the software distribution path. Last week, a fraudulent “Ledger Live” app slipped onto Apple’s Mac App Store and siphoned more than $9.5 million in crypto from over 50 users before Apple removed it on April 13, according to on-chain researcher ZachXBT. The incident ran from April 7–13 and targeted holders who believed they were downloading Ledger’s companion app for its hardware wallets.
Here’s the core problem: people tend to outsource trust to app stores. That convenience bias meets a high-value target—self-custody—where one mistaken download can equal irreversible loss. A polished clone with the right brand assets can pass a surface-level sniff test, and once a user connects a device or enters recovery data, the game is over.
What investigators found is not subtle. ZachXBT’s analysis tied laundering flows from the fake app to more than 150 KuCoin deposit addresses linked to “AudiA6,” a centralized mixing service known to charge steep fees to clean illicit funds. At least three victims lost more than $1.95 million each, and one wallet was stripped of $3.27 million in USDT. Stolen assets spanned Bitcoin, Solana, XRP, USDT, and other tokens.
One high-profile case made the risk visible to a broader audience: musician Garrett “G. Love” Dutton, frontman of G. Love & Special Sauce, said he downloaded what he believed to be Ledger’s app while migrating to a new computer and saw 5.92 BTC—roughly $447,000—vanish. He shared the experience on X on April 11. ZachXBT traced the BTC through KuCoin-linked addresses, and the exchange’s support team replied publicly that it had frozen a suspicious account tied to the funds, noting any further action requires proper legal process. The rogue listing remained available on the App Store for nearly two more days after Dutton’s post, per ZachXBT.
Context around KuCoin matters here. The exchange has been called out for rising illicit activity by independent analysts. It was barred last month from offering access to U.S. users unless it registered as a foreign board of trade, and last year received a $14 million penalty—the largest anti-money laundering fine in Canadian history—from the national regulator.
Ledger users have been a frequent target for social engineering. The company’s phishing dashboard highlights fake apps and websites as common lures, alongside spoofed calls, emails, and even physical letters. In a related enforcement action, the U.S. Attorney’s Office for the District of Connecticut recently recovered about $600,000 in crypto tied to a fraud that used forged letters claiming to be from Ledger. Neither Apple nor Ledger immediately responded to requests for comment, and Ledger has not issued a public statement on this latest campaign.
Where does this leave self-custody practitioners? The hardware is only as safe as the path you take to manage it.
- Treat app stores as convenience layers, not trust anchors. Always initiate downloads from the vendor’s official domain and verify developer identities and signatures.
- Never input a recovery phrase into any app or website. Recovery phrases belong only on the hardware device itself.
- Use a watch-only setup first, then perform a small outbound transaction before larger moves to validate you’re interacting with legitimate software.
- Confirm addresses on-device every time; if the on-screen and device addresses ever diverge, stop immediately.
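One way to carry out the "verify developer identities and signatures" step on macOS, as an added example that is not from the article or from Ledger: it compares the Team ID and leaf signing authority reported by `codesign -dvv` with the identity the vendor publishes. The function name, the sample reports and the Team IDs `EXAMPLE123` and `OTHERTEAM9` are constructed placeholders; the real Team ID has to come from the vendor's own site.

```shell
#!/bin/sh
# Added example: compare a macOS app's signing identity with the one the
# vendor publishes. Team IDs and names below are constructed placeholders.

# Real use on macOS (codesign writes its report to stderr):
#   report=$(codesign -dvv "/Applications/Some.app" 2>&1)
#   check_signature "$report" "TEAM_ID_FROM_VENDOR_SITE"

# check_signature REPORT EXPECTED_TEAM_ID
# returns 0: team matches and leaf cert is Developer ID (direct download)
#         1: unsigned/ad-hoc, or signed by a different team
#         2: team matches but the build came through another channel
check_signature() {
    report=$1
    expected=$2
    team=$(printf '%s\n' "$report" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    leaf=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)

    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo "FAIL: no team identifier (unsigned or ad-hoc signature)"
        return 1
    fi
    if [ "$team" != "$expected" ]; then
        echo "FAIL: signed by team $team, expected $expected"
        return 1
    fi
    case $leaf in
        "Developer ID Application: "*)
            echo "OK: $leaf"
            return 0 ;;
        *)
            echo "WARN: team matches but leaf authority is '$leaf'"
            return 2 ;;
    esac
}

# Constructed codesign -dvv excerpts (not taken from any real app).
VENDOR_BUILD='Identifier=com.example.wallet
Authority=Developer ID Application: Example Vendor (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123'

LOOKALIKE_BUILD='Identifier=com.example.wallet
Authority=Apple Mac OS Application Signing
TeamIdentifier=OTHERTEAM9'

check_signature "$VENDOR_BUILD" "EXAMPLE123" || echo "exit status $?"
check_signature "$LOOKALIKE_BUILD" "EXAMPLE123" || echo "exit status $?"
```

The constructed lookalike reuses the vendor's bundle identifier on purpose: a bundle name or icon proves nothing, while the Team ID is tied to the certificate that signed the binary.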
There’s a platform dimension too. App store review processes catch plenty, but crypto tooling blurs lines between finance and software. More robust checks—cryptographic attestation linking wallet apps to vendor hardware, clearer warning language around seed phrases, and faster takedown pathways for proven impersonators—would likely reduce the attack surface. Exchanges can help by tightening heuristics around mixing services such as AudiA6 and accelerating “freeze pending legal” workflows when credible evidence is presented.
Self-custody works. But the perimeter isn’t just your seed—it’s your download habits, verification rituals, and the marketplaces you trust. Assume every companion app is guilty until you prove otherwise.
