Apple (NASDAQ: AAPL) has removed a malicious app from its App Store after it was linked to a $9.5 million crypto theft targeting users of Ledger.
According to blockchain investigator ZachXBT, the app impersonated Ledger Live and deceived more than 50 victims between April 7 and April 13, resulting in significant losses across multiple blockchain networks.
The attack spanned a wide range of ecosystems, including Bitcoin (BTC), Ethereum Virtual Machine (EVM), Tron (TRX), Solana (SOL), and XRP Ledger (XRPL), highlighting the broad scope of the exploit.
Attackers used spoofed app to steal recovery phrases
The fraudulent app was designed to closely mimic the official Ledger Live interface, allowing it to appear legitimate to unsuspecting users. Once installed, the app prompted victims to enter their recovery phrases, giving attackers full access to their wallets.
Apple confirmed that the developer, operating under the name “SAS Software Company,” used deceptive tactics to bypass review processes and present the app as a trusted tool for managing digital assets.
Following the discovery, Apple permanently removed both the app and the associated developer account.
Stolen funds laundered through KuCoin-linked addresses
After the funds were stolen, attackers moved assets through more than 150 deposit addresses linked to KuCoin, using a centralized mixing service known as AudiA6.
The service reportedly charges high fees to obscure transaction trails, making it more difficult to trace illicit activity across blockchains.
The incident also comes amid growing scrutiny of KuCoin. The exchange has seen rising levels of illicit activity over the past year and was banned from onboarding new EU users by Austrian regulators in February 2026, shortly after receiving its MiCA license in late 2025. Previously, KuCoin paid over $300 million in fines to U.S. authorities in January 2025 to settle anti-money laundering violations.
Victims report significant losses
Among those affected was musician Garrett Dutton, who reported losing 5.9 Bitcoin, valued at approximately $420,000, after installing the fake app and entering his credentials.
The case underscores the risks associated with phishing attacks in the crypto space, particularly when malicious actors successfully imitate trusted platforms.
