A fake Mac app impersonating Ledger’s self-custody software led to the loss of more than $9.5 million in crypto assets from over 50 total users in the last week, according to a new investigation from pseudonymous on-chain sleuth, ZachXBT.
The application, which pretended to be the Ledger Live app from which users can manage assets held by Ledger hardware devices, impacted victims from April 7 until April 13, when it was removed from the Apple App Store.
“Stolen funds were laundered via 150+ KuCoin deposit addresses tied to AudiA6, a centralized mixing service that charges high fees to launder illicit funds,” ZachXBT posted in a message to his Telegram channel.
According to his analysis, at least three victims lost more than $1.95 million apiece, with one wallet being drained of $3.27 million USDT. Swiped assets included Bitcoin, Solana, XRP, USDT, and others.
Musician G. Love—aka Garrett Dutton, frontman of the long-running rock band G. Love & Special Sauce—was among the victims impacted by the fake app, losing 5.92 BTC valued around $447,000. He shared his story on X over the weekend.
“I had a really tough day today. I lost my retirement fund in a hack/scam when I switched my Ledger over to my new computer and by accident downloaded a malicious Ledger app from the Apple Store,” he posted on X on April 11. “All my BTC gone in an instant.”
The fake app would remain in the App Store for nearly two more days, according to ZachXBT’s analysis. A representative for Apple did not immediately respond to Decrypt’s request for comment.
Upon noting that the stolen funds had been traced to KuCoin, the exchange’s support team responded to the musician, indicating that they had frozen a suspicious account related to the funds.
“Please note that while we may assist [in] freezing the suspicious account upon receipt of relevant information or a credible complaint, such actions are still subject to due legal documents and processes to ensure compliance,” it posted on X.
The exchange has reportedly been dealing with an increase in illicit activity on its platform, according to ZachXBT. Last month, it was barred from offering access to U.S. users unless it registered as a foreign board of trade. Last year, KuCoin was hit with a $14 million fine, the largest ever anti-money laundering fine in Canadian history, by the nation’s financial regulator.
Fake applications and websites are among the most common phishing vectors for Ledger users, according to the firm’s dedicated phishing campaign page, along with fake calls, emails, and letters. The U.S. Attorney's Office for the District of Connecticut recently recovered $600,000 worth of crypto assets that had been part of a fraud scheme using fake letters purported to be from Ledger.
A representative for Ledger did not immediately respond to Decrypt’s request for comment and it has not issued a public statement about the recent phishing campaign.