Fake Ledger App Steals Millions in Bitcoin, Crypto From Holders—Including Musician G. Love

A fake Mac app impersonating Ledger’s self-custody bundle led to the nonaccomplishment of much than $9.5 cardinal successful crypto assets from implicit 50 full users successful the past week, according to a new probe from pseudonymous on-chain sleuth, ZachXBT.

The application, which pretended to beryllium the Ledger Live app from which users tin negociate assets held by Ledger hardware devices, impacted victims from April 7 until April 13, erstwhile it was removed from the Apple App Store. 

“Stolen funds were laundered via 150+ KuCoin deposit addresses tied to AudiA6, a centralized mixing work that charges precocious fees to launder illicit funds,” ZachXBT posted successful a connection to his Telegram channel.

According to his analysis, astatine slightest 3 victims mislaid much than $1.95 cardinal apiece, with 1 wallet being drained of $3.27 cardinal USDT. Swiped assets included Bitcoin, Solana, XRP, USDT, and others.

Musician G. Love—aka Garrett Dutton, frontman of the long-running stone set G. Love & Special Sauce—was among the victims impacted by the fake app, losing 5.92 BTC valued astir $447,000. He shared his communicative connected X implicit the weekend.

“I had a truly pugnacious time today. I mislaid my status money successful a hack/scam erstwhile I switched my Ledger implicit to my caller machine and by mishap downloaded a malicious Ledger app from the Apple Store,” helium posted connected X connected April 11. “All my BTC gone successful an instant.” 

The fake app would stay successful the App Store for astir 2 much days, according to ZachXBT’s analysis. A typical for Apple did not instantly respond to Decrypt’s request for comment. 

Upon noting that the stolen funds had been traced to KuCoin, the exchange’s enactment squad responded to the musician, indicating that they had frozen a suspicious relationship related to the funds. 

“Please enactment that portion we whitethorn assistance [in] freezing the suspicious relationship upon receipt of applicable accusation oregon a credible complaint, specified actions are inactive taxable to owed ineligible documents and processes to guarantee compliance,” it posted connected X. 

The speech has reportedly been dealing with an summation successful illicit enactment connected its platform, according to ZachXBT. Last month, it was barred from offering entree to U.S. users unless it registered arsenic a overseas committee of trade. Last year, KuCoin was deed with a $14 cardinal fine, the largest ever anti-money laundering good successful Canadian history, by the nation’s fiscal regulator. 

Fake applications and websites are among the astir communal phishing vectors for Ledger users, according to the firm’s dedicated phishing run page, on with fake calls, emails, and letters.The U.S. Attorney's Office for the District of Connecticut precocious recovered $600,000 worthy of crypto assets that had been part of a fraud strategy utilizing fake letters purported to beryllium from Ledger. 

A typical for Ledger did not instantly respond to Decrypt’s request for remark and it has not issued a nationalist connection astir the caller phishing campaign.