How a Fake Ledger App Slipped Past Apple's Review and Drained $9.5M in Crypto (2026)

* AI-generated images may be used to help visualize the story.

Key Answer: According to on-chain analysis shared by ZachXBT and multiple security reports (BleepingComputer, Bitcoin.com News, 9to5Mac), a counterfeit "Ledger Live" app published on Apple's App Store allegedly drained approximately $9.5 million in crypto from more than 50 users between April 7 and April 13, 2026. A hardware wallet keeps private keys inside the device, but that protection is neutralized the moment a user types their 24-word recovery phrase into any software — no hardware wallet defends against user input mistakes. Treat the recovery phrase as a device-only secret.

30-Second Summary

• A fake Ledger Live macOS app with the publisher name "Leva Heal Limited" sat on the Apple App Store for roughly two weeks and was removed only after community reports — not by Apple's automated review.
• On-chain tracing by investigator ZachXBT links 150+ KuCoin deposit addresses and a centralized mixer called "AudiA6" to the laundering trail.
• Three victims alone account for approx. $7.26M in losses (USDT, USDC, BTC/ETH/stETH), and an American musician publicly confirmed a loss of approximately 5.9 BTC.
• Ledger's CTO Charles Guillemet reiterated that Ledger will never ask users for their 24-word recovery phrase — and if any app or person requests it, something is wrong.
• No hardware wallet — including D'CENT — can recover funds after a recovery phrase is entered into a malicious app. Your habits at download and setup time are the defense.

What Happened: Timeline of the Fake Ledger Live Incident

According to a BleepingComputer report and on-chain analysis by ZachXBT, the incident followed a simple but devastating pattern:

1. The counterfeit app was published on the Apple App Store under the publisher name "Leva Heal Limited."
2. Over roughly two weeks it pushed multiple version updates (1.0 through 5.0) to appear like a maintained, established app.
3. Users searching for "Ledger Live" on Mac downloaded it, believing it was the official Ledger wallet manager.
4. The fake app then prompted for the user's 12- or 24-word recovery phrase — something the real Ledger Live never asks for during normal use.
5. As soon as the phrase was entered, the attackers controlled the wallet and swept funds across Bitcoin, Ethereum, Solana, Tron, and XRP.

Reported losses on specific dates (per ZachXBT):

Date Asset Approximate value April 8, 2026 BTC + ETH + stETH approx. $1.95M April 9, 2026 USDT approx. $3.23M April 11, 2026 USDC approx. $2.08M

A musician publicly confirmed the loss of approximately 5.9 BTC after downloading what appeared to be the official wallet manager onto a new MacBook, as first reported by The Block.

According to on-chain analysis by ZachXBT and coverage by BleepingComputer and CyberInsider, after the losses the outflow was routed through 150+ KuCoin deposit addresses and a centralized mixing service named "AudiA6," which has been described in prior reports as being used in laundering cases.

Why the "Official Store = Safe" Assumption Broke

The most important lesson from this incident is not technical — it's about trust assumptions. Many crypto users treat Apple's App Store as a trusted perimeter. This case makes that assumption hard to defend:

• According to 9to5Mac's reporting, Apple's automatic review did not catch the app — the fake Ledger Live and a deceptive "Freecash" app were both removed only after outside reporting. Apple stated it has "zero tolerance for fraudulent or malicious apps" and confirmed the developer account was terminated — but removal was reactive, not preventive.
• The fake app built credibility cheaply. Version bumps, a plausible category label, and standard privacy disclosures were enough to look routine.
• This is not a first. In November 2023, a fake Ledger app on the Microsoft Store stole roughly $800,000. Fake Rabby Wallet, a fake "LassPass" password manager, and a fake Threads clone have all slipped through official stores in recent years.

Ledger CTO Charles Guillemet (via Bitcoin.com News):"You cannot trust the software environment around you — not your browser, not your app store, not your desktop." He emphasized that the only reliable protection is keeping private keys on a dedicated hardware device with a secure screen and never entering a seed phrase into any app or website.

A useful takeaway: an app listing on an official store is a signal, not a guarantee. It must be combined with other checks. For broader scam patterns — fake giveaways, fake support agents, and how hardware wallets change the attacker's math — see How to Avoid Cryptocurrency Scams with Hardware Wallets in 2026.

The Core Lesson: Never Type Your Recovery Phrase Into Software

The recovery phrase (sometimes called the seed phrase) is the root key of your wallet. If an attacker learns those 12 or 24 words, they gain full, permanent control of every address derived from them. We unpack why the seed phrase is the single point of failure — and the small habit changes that close the gap — in Seed Phrase: The Single Point of Failure.

Every legitimate hardware wallet vendor — Ledger, D'CENT, and others — follows the same rule:

• A legitimate hardware wallet app will never ask you to type your full recovery phrase. You enter it only on the hardware device itself during initial setup or recovery.
• The private keys derived from the phrase stay inside the device's secure element; the companion app only sees addresses and signed transactions.
• If any app, email, browser extension, or support agent ever requests your 24 words — treat it as a phishing attempt, close the app, and move your funds to a new wallet.

How to Spot a Fake Crypto Wallet App (5-Step Checklist)

Use this 5-step check every time you install or reinstall a wallet app, especially on a new device.

① Start from the official website, not the store search bar.Open the wallet brand's official site (for Ledger, ledger.com; for D'CENT, dcentwallet.com) and follow the download link from there. This avoids typo-squatting and look-alike listings.

② Verify the publisher/developer name, not just the app icon.

• Real Ledger apps are published by "Ledger SAS" — anything else is suspicious.
• Real D'CENT apps are published by "IoTrust Co., Ltd."
• A publisher name like "Leva Heal Limited" has no connection to Ledger or any legitimate hardware wallet vendor.

③ Check whether the vendor distributes through that store at all.Ledger distributes Ledger Live for macOS and Windows only from its website — it has never published a macOS version on the Apple App Store. If you see a "Ledger Live" listed for Mac on the App Store, assume it is a counterfeit.

④ Be skeptical of rapid version history and shallow reviews.A brand-new developer account that jumped from v1.0 to v5.0 in two weeks, with only generic five-star reviews, is a red flag. Legitimate wallet apps accumulate reviews over years.

⑤ If any app asks for your recovery phrase, close it immediately and move your funds.Uninstall the app, then transfer the affected assets to a freshly generated wallet on a device you trust. Every minute counts. Fake-app phishing is part of a larger pattern — see also AI Deepfake Scams: How a Hardware Wallet Protects You for how attackers impersonate brands and support staff today.

See D'CENT Wallet →A fake app can copy the icon. It can't copy your device.D'CENT Biometric Wallet keeps your recovery phrase off every screen. Verify on the device's secure OLED — never in software.

How D'CENT Users Can Stay Protected

If you use D'CENT's Biometric Wallet or Card Wallet, the same rules apply — plus a few device-specific habits:

Safeguard What it does Where to verify Official D'CENT app (iOS)Download only from the Apple App Store listing published by IoTrust Co., Ltd.Check publisher name before install Official D'CENT app (Android)Download only from the Google Play listing published by IoTrust Co., Ltd.Check publisher name before install On-device Seed CheckVerify the recovery phrase on the device itself, without typing it into any app Settings → Seed Check on your D'CENT device 25th Word (Passphrase)Optional extra 1–8 character alphanumeric password layer that derives a brand-new account set Advanced Settings (see warning below) Blockaid real-time scam detectionFlags malicious contracts and phishing addresses before you sign, across multiple supported chains Enabled by default in supported flows

⚠️ Before you enable the 25th word: it creates a completely new set of accounts under a new root key. If you already hold assets on your current recovery phrase, move them to a safe address first. After enabling, those old accounts will no longer be accessible from the same device view.

D'CENT's private keys are generated and signed inside an EAL5+ certified secure element, with no remote key-extraction breaches reported since launch in 2018. The Blockaid-powered real-time scam detection built into D'CENT Wallet adds a preemptive layer, but it is not a guarantee — the final confirmation is always your responsibility at the device screen.

Frequently Asked Questions

I may have installed the fake Ledger Live app — what should I do right now?If you entered your recovery phrase anywhere in the app, assume the wallet is compromised. Using a different, trusted device, create a new wallet and move any remaining funds immediately. Uninstall the fake app, then report it via reportaproblem.apple.com.

Are all apps on the Apple App Store safe?No. Apple removes thousands of apps each year for "bait-and-switch" and other policy violations, but review is not a guarantee. Treat store listings as a signal, not a final verdict — always cross-check the developer name with the vendor's official website.

Where should I download the real Ledger Live?From Ledger's official website. Ledger does not publish its macOS Ledger Live app on the Apple App Store; if you see one, it is not legitimate. An official iOS version exists for mobile.

I use a hardware wallet — why did victims still lose funds?A hardware wallet protects keys inside the device. It cannot protect you when you voluntarily type the 24-word recovery phrase into a piece of software, because the phrase is the key. The fix is procedural: never type the phrase anywhere except on the hardware device itself during setup or recovery.

Is there ever a legitimate reason to enter my recovery phrase into an app?Essentially no, outside of a controlled recovery flow on a new hardware device. Normal daily use — checking balances, signing transactions, updating firmware — never requires the recovery phrase. If a support agent, extension, or app asks for it, it is a scam.

Are D'CENT users exposed to the same risk?The underlying risk — typing a recovery phrase into any software — applies to every hardware wallet, including D'CENT. The mitigation is the same: verify the publisher name ("IoTrust Co., Ltd."), download only from official stores linked via dcentwallet.com, and use on-device Seed Check instead of typing the phrase anywhere.

Can the stolen crypto be recovered?Some portion may be frozen if exchanges cooperate with law enforcement — KuCoin has previously frozen illicit deposits under legal process. However, assets routed through centralized mixers like "AudiA6" are often difficult to trace back. Outcomes remain uncertain.

How can I report a suspected fake wallet app?For Apple: reportaproblem.apple.com. For Google Play: use the in-listing "Flag as inappropriate" option. You can also alert the legitimate wallet vendor — Ledger and D'CENT both maintain direct security contact channels on their official sites.

Final Takeaway

The fake Ledger Live incident is not a story about Apple or Ledger alone. It is a reminder that in crypto, the weakest link is any moment your recovery phrase leaves the hardware device. Store perimeters can fail, branding can be copied, and version histories can be faked. The one thing an attacker cannot fake is your habit of never typing those 24 words into a screen.

If this incident prompted you to audit your setup, start with three actions today:

1. Verify your wallet app's publisher name on every device.
2. Re-check where your recovery phrase is stored — offline, paper or steel, nowhere digital.
3. Enable on-device Seed Check (D'CENT) or the equivalent device-only verification on your hardware wallet.

Get D'CENT Wallet →D'CENT Biometric WalletYour recovery phrase should never touch a screen. Ours doesn't.EAL5+ secure element · On-device Seed Check · Blockaid real-time scam detection · Biometric authentication · Zero remote key-extraction breaches since 2018

Sources

• BleepingComputer — Fake Ledger Live app on Apple's App Store stole $9.5M in crypto
• 9to5Mac — Apple pulls fake Ledger app and Freecash
• Bitcoin.com News — ZachXBT says Apple App Store fake Ledger app stole $9.5M from 50+ victims in one week
• The Block — Fake Ledger app on App Store drains American musician's 5.9 BTC
• CyberInsider — Fake Ledger app on the Apple App Store steals $9.5 million from 50 users
• HackRead — Fake Ledger Live App on Apple Store Linked to $9.5M Crypto Theft
• Ledger Support — Fraudulent Ledger Live Applications

Disclaimer: This blog is for educational purposes only. Information presented here, including projects or brands mentioned, is informative and does not constitute financial, legal, or tax advice. While we strive for accuracy, we cannot be held liable for any inaccuracies. Cryptocurrencies are inherently risky — do your own thorough research and consider consulting a qualified advisor before making any decisions. Details reflect public reporting as of April 2026 and may evolve as investigations continue. External links and third-party services mentioned (including Apple, Ledger, KuCoin, and others) are provided for informational purposes only; IoTrust Co., Ltd. is not responsible for their content, availability, or practices.