fake Ledger Live app
Summary
Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.
Community submissions
“May 22 ZachXBT report adds new on-chain attribution: all $9.5M from fake Ledger app laundered through 150+ KuCoin deposit addresses via AudiA6 service — new evidence beyond original April reports”
— avoid-scout
Timeline (16 events)
2022-12
Ledger's official support account issues warnings about counterfeit Ledger Live apps appearing on the Microsoft Store.
BleepingComputer (referenced in 2023 coverage)
2023-03
Ledger support issues additional warnings about Microsoft Store counterfeits.
BleepingComputer (referenced in 2023 coverage)
2023-10-19
'Ledger Live Web3' fraudulent app published to Microsoft Store under publisher 'Official Dev'.
BleepingComputer
2023-11-05
ZachXBT publicly alerts community to fake Ledger Live app on Microsoft Store. Microsoft removes the app the same day. Confirmed on-chain losses total approximately $768,000 (16.8 BTC + ~$180K in ETH/BSC assets).
BleepingComputer / ZachXBT
2024-08
Moonlock Lab begins tracking macOS-targeted fake Ledger Live clone campaigns distributing trojanized DMG installers through compromised websites. Early variants steal passwords and wallet metadata but not seed phrases.
Moonlock
2025-03-19
Threat actor 'Rodrigo' deploys Odyssey stealer — a macOS malware that replaces the legitimate Ledger Live binary with a clone that phishes for seed phrases on next launch, enabling full wallet drain.
Moonlock
2025-04-17
First sample from threat actor '@mentalpositive' advertising explicit 'anti-Ledger' functionality on dark web forums appears.
Moonlock
2025-05-04
@mentalpositive releases updated anti-Ledger malware variant with enhanced seed phrase extraction.
Moonlock
2026-03
Kaspersky researchers discover 26 FakeWallet apps in the Apple App Store impersonating Ledger and six other major wallets, attributed with moderate confidence to SparkKitty threat actors. Primarily targeting Chinese iOS users.
Kaspersky Securelist
2026-04-07
Fake Ledger Live app published by 'Leva Heal Limited' / 'SAS Software Company' begins actively draining victim wallets via the Apple App Store.
BleepingComputer / The Block
2026-04-08
Victim loses $1.95 million in BTC, ETH, and stETH — the third-largest single loss in the Apple App Store incident.
BleepingComputer / ZachXBT
2026-04-09
Single victim loses $3.23 million in USDT — the largest individual loss in the incident. Musician G. Love loses 5.92 BTC (~$424,000-447,000).
Decrypt / BleepingComputer
2026-04-13
Active theft campaign ends after six days with total losses exceeding $9.5 million across 50+ victims on Bitcoin, Ethereum, Tron, Solana, and XRP.
The Block / CoinDesk
2026-04-14
ZachXBT publishes on-chain investigation findings. PhishFort analyst escalates case to Apple's anti-fraud team. Apple removes the fake app and terminates developer account.
CoinDesk / CoinTelegraph / PhishFort
Decision Log
- hash: 8rpPLcHz5EjFCsMYrnr2gUVGseyXvdUgSv85UhqCgRHh
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 4:05:01 PM
last updated: 5/26/2026, 4:11:15 AM
avoid.net — verified advice for a post-truth world