A Fake Ledger App Ran on Apple's App Store for 2 Weeks and Drained $9.5 Million

Apple’s App Store just became the vector for one of the most brazen hardware wallet scams in crypto history — and it ran undetected for two weeks.

A fake Ledger Live app published by a shell account called “Leva Heal Limited” lived inside Apple’s Mac App Store from approximately late March through April 13, 2026. In that window, it drained $9.5 million from at least 50 victims across Bitcoin, Ethereum, Solana, Tron, and XRP — and nobody at Apple noticed until ZachXBT went public.


What Happened

The scam was simple and ruthless. The fake app mimicked Ledger’s legitimate interface but prompted users to enter their 24-word seed phrase — the master key to every wallet it controls. Once a victim entered it, the attackers had permanent, irrevocable access to all assets tied to that phrase.

The attackers weren’t amateurs. They engineered the app to look legitimate:

  • Fake version history: The app was released as version 1.0 and updated to 5.0 within two weeks, simulating active, ongoing development
  • Professional UI clone: The app closely replicated Ledger’s real interface, making it difficult to spot for anyone who wasn’t deeply familiar with the genuine product
  • Targeted Mac users: Published to the Mac App Store specifically, where crypto-savvy power users are more likely to be managing hardware wallets

Three victims accounted for the largest losses:

  • $3.23 million in USDT drained on April 9
  • $2.08 million in USDC taken on April 11
  • $1.95 million in BTC, ETH, and stETH stolen on April 8

Stolen funds were immediately laundered through over 150 KuCoin deposit addresses and routed through AudiA6, a centralized mixing service known for high-fee obfuscation of illicit crypto flows.


ZachXBT Blew the Whistle

Blockchain investigator ZachXBT traced the pattern of coordinated thefts, identifying the common thread: victims had all recently downloaded a Ledger app from the Mac App Store. He published his findings on April 13, triggering Apple to pull the app and terminate the “Leva Heal Limited” developer account the same day.

ZachXBT has suggested the incident could form the basis of a class-action lawsuit against Apple for failing to catch the fraudulent app during its review process.

Ledger, the legitimate hardware wallet company, confirmed the app had no affiliation with them and reiterated that the real Ledger Live is only available at ledger.com.


How Did This Pass Apple’s Review?

That’s the uncomfortable question Apple hasn’t answered.

Apple’s App Store review is frequently cited as a security moat — a reason users should trust apps in its ecosystem over sideloaded alternatives. The App Store review team is reportedly thousands of people strong, with automated checks for malware, privacy violations, and policy breaches.

And yet a seed-phrase harvesting app — one of the most well-documented crypto attack vectors in existence — ran for two weeks and stole $9.5 million.

Theories circulating in the community:

  • The app likely didn’t contain malicious code at review time, passing static analysis, and only activated the phishing flow after deployment
  • The “Leva Heal Limited” entity may have established account history and passed identity checks before submitting the malicious app
  • Apple’s reviewers may simply lack the crypto-specific domain knowledge to recognize that prompting for a seed phrase is a red flag

This is not the first fake Ledger app to appear in major app stores — similar scams have appeared on Google Play repeatedly. But the Mac App Store is held to a higher standard. That standard just failed in a $9.5M way.
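
As an added illustration (not code from this article, Apple, or Ledger), the following Python example shows how a brand-protection monitor could triage store listings on three signals described above: a brand name under an unverified seller, rapid major-version churn, and UI text that solicits a recovery phrase. The Listing record, the trusted seller name, the churn threshold, and the sample data are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

BRAND = "ledger"
# Assumption: the vendor's verified seller name (not given in the article).
TRUSTED_SELLERS = {"Ledger SAS"}
# Text that asks for a recovery phrase. Warning text ("never share your
# recovery phrase") matches too, so a hit is a triage signal, not a verdict.
SEED_PROMPT = re.compile(
    r"\b(seed|recovery|secret)\s+phrase\b|\b(12|24)[- ]word", re.IGNORECASE)
DIGIT_LOOKALIKES = str.maketrans("013", "ole")  # e.g. "L3dger" -> "Ledger"

@dataclass
class Listing:  # hypothetical record shape, not a real store API
    name: str
    seller: str
    releases: list    # [(release date, "major.minor"), ...] oldest first
    ui_strings: list  # text pulled from the bundle or store screenshots

def majors_per_week(releases):
    """Major-version bumps per week between first and latest release."""
    if len(releases) < 2:
        return 0.0
    (d0, v0), (d1, v1) = releases[0], releases[-1]
    bumps = int(v1.split(".")[0]) - int(v0.split(".")[0])
    return bumps / max((d1 - d0).days / 7, 1 / 7)

def triage(listing, churn_limit=1.0):
    """Return the impersonation signals that fire for one listing."""
    signals = []
    name = listing.name.lower().translate(DIGIT_LOOKALIKES)
    if BRAND in name and listing.seller not in TRUSTED_SELLERS:
        signals.append("brand-name-untrusted-seller")
    if majors_per_week(listing.releases) > churn_limit:
        signals.append("version-churn")
    if any(SEED_PROMPT.search(s) for s in listing.ui_strings):
        signals.append("seed-phrase-prompt")
    return signals

# Constructed samples: dates and strings are illustrative, not from the incident.
FAKE = Listing("Ledger Live", "Leva Heal Limited",
               [(date(2026, 3, 30), "1.0"), (date(2026, 4, 12), "5.0")],
               ["Enter your 24-word recovery phrase to restore your wallet"])
REAL = Listing("Ledger Live", "Ledger SAS",
               [(date(2025, 1, 10), "2.90"), (date(2026, 3, 1), "2.110")],
               ["Connect and unlock your device to continue"])
```

Calling triage(FAKE) returns all three signals and triage(REAL) returns none; any single signal is a reason to escalate a listing to a human reviewer, not proof of fraud.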


Why This Matters for Crypto Jobs

The fallout from this incident is going to drive hiring in several directions:

🔒 Security roles are booming. Hardware wallet companies like Ledger, Trezor, and Coldcard will be under pressure to add dedicated App Store monitoring and brand protection teams. If you have experience in brand security, threat intelligence, or digital impersonation takedowns — this is your moment.

🔍 Blockchain forensics is the growth trade of 2026. ZachXBT (operating largely independently) traced and exposed a $9.5M theft before any platform, regulator, or law enforcement agency acted. Firms like Chainalysis, TRM Labs, and Elliptic are staffing up investigators who can do exactly this at scale. The demand for on-chain forensic analysts is accelerating.

🏗️ Crypto-native security engineering. Exchanges and wallet providers need engineers who understand the specific threat models of seed phrase harvesting, app cloning, and social engineering at the protocol level — not just general infosec. If you can code and understand how HD wallets work, you’re rare and in demand.

📋 App review and compliance at platforms. Apple, Google, and any other platform hosting crypto-adjacent apps are going to face regulatory and legal pressure to implement crypto-specific review standards. Compliance and policy roles at big tech companies that understand crypto are an emerging niche.


The Bottom Line

Apple’s “walled garden” just got $9.5 million pulled out of it through a hole the size of a seed phrase prompt. The real Ledger app has been available at ledger.com for years — the attack surface was always user behavior combined with platform trust that turned out to be unearned.

If you’re a hardware wallet user: never enter your seed phrase into any app, ever. Legitimate wallet software never needs it.

If you’re a security professional watching this space: the next six months of crypto security hiring will be shaped by incidents exactly like this one.


Looking for security, forensics, or Web3 infrastructure roles? Browse the latest crypto job openings at cryptogrind.com — where the industry’s best teams are actively hiring.
