A rogue wallet app slipped through Apple’s review process and quietly stole millions. Here’s what happened — and why it matters more than most people realize.
There’s something deeply ironic about this story. Our own Apple app submission has been sitting in review limbo for months. Apple won’t approve it because we’re a “crypto” app — even though we’re essentially a media site that writes guides and news. Apparently, that’s too risky.
Meanwhile, a fake Ledger wallet app made it onto the App Store with no problem. It drained $9.5 million from real people in under a week.
Make that make sense.
What Actually Happened
Between April 7 and April 13, 2026, a malicious clone of the Ledger Live app was live on Apple’s App Store. It looked legitimate. The branding was similar. It passed whatever review process Apple runs.
Victims downloaded it. They set it up. And when the app asked them to enter their seed phrase — a step that no real hardware wallet app should ever require — they did it.
That was all it took.
Once someone enters a seed phrase into a malicious app, it’s over. The attacker has full, permanent access to every wallet tied to that phrase. No further action needed on the victim’s part.
The Numbers Are Brutal
More than 50 victims were identified across Bitcoin, Ethereum, Solana, Tron, and XRP.
The three largest single losses:
- $3.23 million in USDT — drained on April 9
- $2.08 million in USDC — drained on April 11
- $1.95 million in BTC, ETH, and stETH — drained on April 8
Total losses confirmed: at least $9.5 million.
One victim, posting on X under the handle @glove, lost 5.92 BTC. His entire savings. Accumulated over a decade. Gone in a single session.
“I lost my retirement fund in a hack/scam,” he wrote. “All my BTC gone in an instant.”
He added: “I worked ten years for this. Be careful out there.”
Where Did the Money Go?
Blockchain investigator ZachXBT traced the stolen funds after the @glove case went public. The trail led to over 150 KuCoin deposit addresses, all connected to a service known as AudiA6 — a centralized crypto mixing operation that charges high fees specifically to obscure where stolen funds came from.
KuCoin’s role here is notable. Austrian regulators barred the exchange from onboarding new EU users in February 2026, just months after it received a MiCA license. And in 2025, KuCoin paid over $300 million to U.S. authorities to settle anti-money laundering violations.
ZachXBT has also suggested this incident may be large enough to support a class-action lawsuit against Apple.
Hardware Wallets Are Safe. Humans Are Not.
Here’s the thing people miss when stories like this break.
Ledger hardware wallets work. The security model is sound. Your private keys never leave the device. That part held.
What failed was human trust. Someone downloaded an app from what they assumed was a trusted source — Apple’s own App Store — and followed the on-screen instructions. The instructions asked for a seed phrase. They typed it in.
No hardware wallet in the world can protect you from that. The moment a seed phrase leaves your hands, every wallet tied to it is compromised. Doesn’t matter how good the hardware is.
This is the uncomfortable truth about crypto security. The tech can be perfect. The human layer is always the vulnerability.
Apple Has Some Questions to Answer
The fake Ledger app has since been removed. But the questions that follow its removal are uncomfortable.
How did it pass review? How long was it live before Apple acted? Why does Apple’s review process catch crypto media apps (like ours, apparently) but miss malicious wallet clones that steal millions?
We’re not being flippant. We genuinely have an app submission that’s been pending for months. Apple flagged it over crypto content concerns. We write guides and cover news — that’s it. No transactions, no wallets, no financial instruments.
The same platform that holds our legitimate media app to an unusually high bar somehow let a fake wallet app drain nearly ten million dollars from real people in a week.
This Fits a Larger Pattern
This didn’t happen in a vacuum. In 2025, crypto users lost an estimated $17 billion to hacks, scams, and fraud. Social engineering — tricking people rather than breaking code — was the dominant attack vector.
Fake apps. Phishing sites. Impersonation campaigns. None of these require sophisticated technical skills. They require one thing: convincing someone to take an action they wouldn’t take if they knew the truth.
We covered this threat in detail in our guide on how to claim crypto airdrops safely, published yesterday. One of the victims we mentioned had already lost $420k to this same campaign before the full $9.5 million picture emerged.
If you haven’t read that guide yet — read it.
The Seed Phrase Rule. No Exceptions.
There is one rule in crypto that, if you never break it, eliminates an enormous category of risk.
Never enter your seed phrase into any app, website, or form. Ever.
Not to “restore” your wallet. Definitely not to “verify” your identity. Never to claim tokens or airdrops. Not to update security settings. Not for any reason.
A seed phrase is a master key. The only legitimate use for it is restoring access to your own wallet on a device you physically own and control. Anyone asking for it in any other context is trying to steal from you.
The Ledger hardware wallet never asks for your seed phrase to function. If an app does — real or fake — close it immediately.
Support Our Work
If you found this helpful, consider signing up on BloFin (Non-KYC) or Bybit using our referral links. Your support keeps this content free and flowing.
What to Do Right Now
If you own a hardware wallet, here’s a quick safety checklist:
- Only download Ledger Live from ledger.com directly. Bookmark the URL. Don’t search for it.
- Check the developer name before installing any wallet app. Legitimate Ledger apps come from Ledger SAS.
- Your seed phrase lives on paper, in a secure location. It should never be typed anywhere.
- Review your installed apps. If you have any wallet apps you don’t remember downloading, remove them.
- If you’ve entered a seed phrase anywhere recently, assume that wallet is compromised. Move funds immediately to a fresh wallet with a new seed phrase.
Also worth reviewing our piece on fake crypto airdrops and the warning signs to watch for — the psychological tactics used in airdrop phishing and fake wallet apps are essentially identical.
The Takeaway
Hardware wallets remain one of the safest ways to store crypto. That hasn’t changed. What this story confirms is that security isn’t just about the device — it’s about every step in the process, including where you download software.
Apple’s App Store carries an implied guarantee of safety. That guarantee failed here. Badly.
Nine and a half million dollars. Fifty victims. Some of them lost everything they’d saved.
“Be careful out there” is easy to say. What it actually means is: verify everything, trust nothing by default, and never — under any circumstances — hand your seed phrase to an app.
Stay safe out there. If you found this useful, check out our recent update on the Bored Ape Lawsuit that finally settled. Also, go and claim your exclusive OKX bonus below.
Credit: Source link
