Fake Ledger app appears in Apple Store, musician's 5.9 Bitcoins retirement savings stolen

American musician G. Love (real name Garrett Dutton) disclosed on April 11 that after downloading a counterfeit Ledger Live application from the Apple Mac App Store and entering a 24-word recovery phrase when prompted, he immediately lost 5.92 bitcoins, which amounts to more than $424,000 based on the market rate.

What Happened: A Fatal Mistake When Migrating Devices

G. Love said the incident occurred during the process of migrating his Ledger hardware wallet to a brand-new Apple computer. After searching for “Ledger Live” in the Mac App Store, he downloaded a counterfeit app with an interface and appearance that closely mimicked the real one, and entered the complete 24-word recovery phrase as prompted. After submitting the recovery phrase, the attacker completed the asset transfer instantly, and 5.92 bitcoins disappeared within minutes.

In the post, G. Love said, “This is my retirement savings I’ve worked hard to build up over the past decade. If you’re going out, you have to be careful.”

The core problem in this case is that the counterfeit application successfully passed the Apple App Store’s review and was presented to users in official channels under a legitimate-sounding name, making the Apple platform’s trust endorsement the biggest lever the scammers exploited.

ZachXBT Investigation: The Funds’ Destination Appears to Be a CEX, and the Chance of Recovery Is Very Low

ZachXBT’s on-chain analysis confirmed that the stolen 5.92 bitcoins flowed through a wallet identified as a CEX deposit address, and it noted that a large number of distributed deposit addresses suggests the thieves may have made a second round of fund transfers via an instant exchange, further increasing the difficulty of tracing.

ZachXBT explicitly criticized the CEX for “only showing compliance when it aligns with its own interests,” and pointed out that after the exchange obtained an EU MiCA license in November 2025, it was revoked just about three months later in February 2026—showing it has deeper compliance issues. He also noted that illicit services are still transferring funds through brokers and personal accounts on that CEX platform, while regulators have taken virtually no action to date.

Security Experts’ Warning: The Core Rules for Protecting Your Recovery Phrase

After the incident was revealed, Pudgy Penguins’ security lead Beau issued an urgent warning, emphasizing that all hardware wallet users should follow the following security principles:

Key Rules for Recovery Phrase Protection

Never enter a recovery phrase on a connected device: Whether it’s a laptop or a phone, a connected environment should not be used as a recovery phrase entry setting

Download or update requests default to “suspicious”: Until you verify it yourself, any message urging users to download or update wallet software should be treated as a scam

Scam channels are diverse: Counterfeit wallet apps spread via email, fake ads, and physical mail; official app stores are also not absolutely safe

Go directly to official sources: Installing Ledger Live should go directly to the official website (ledger.com), not through searching in the App Store

Frequently Asked Questions

Why did a counterfeit Ledger app appear in the Apple App Store?

The counterfeit app exploited weaknesses in the app store’s review process to pass publication review using a highly similar name and interface. Ordinary users can’t reliably tell truth from falsehood based on the store page alone. When installing Ledger Live, it’s recommended to go directly to the Ledger official website (ledger.com) to download, completely bypassing the app store search step.

Why does entering a recovery phrase lead to bitcoins being stolen immediately?

A recovery phrase is a complete backup key that fully restores a hardware wallet. Anyone who has the 24-word recovery phrase can rebuild the wallet on any device and control all assets. The core purpose of the counterfeit app is to诱导 users into entering the recovery phrase; once the back-end server receives it, the asset transfer is executed immediately, and the entire process is completed within minutes.

Is it possible to recover the stolen bitcoins?

According to ZachXBT’s on-chain analysis, the funds have flowed to deposit addresses suspected to belong to a CEX and may have undergone a second transfer via an instant exchange. ZachXBT stated clearly that he does not believe a CEX would assist in recovering funds. Combined with recent compliance disputes stemming from the exchange’s MiCA license being revoked, the real likelihood of asset recovery is extremely low.