Users lose $9.5M to fake Ledger wallet app on the Apple App Store

Posted by CharlesW 2 days ago

Comments

Comment by post_break 2 days ago

Thankfully the App Store doesn't allow side loading, because it completely stops fraud like this. At least that's the number one reason why I keep getting told if we allow side loading this will happen.

Comment by victorbjorklund 2 days ago

Is there more scams of web3 in the App Store or on the open internet? Not defending Apple but kind of a strawman to claim they said it stops 100% of fraud and abuse. That’s like saying seatbelts don’t work because people still get hurt in car crashes.

Comment by chocochunks 2 days ago

The App Store is totally safe, so I don't need to think about what I download or do any due diligence!

Comment by tim333 1 day ago

Apple are pretty bad for this and I don't think it's the first time it's happened. A lot of the problem is if you search for some app in the iOS app store the top result is a paid ad and the established app you want is the second result so people who don't know that click on the top one and lose their funds.

Also they should check the app but wallet security is tricky - you can put subtle vulnerabilities in that are hard to spot.

Comment by nathanmills 1 day ago

And don't you think its a strawman to compare only being and to install "" approved "" ($100/year for apple) software to a seatbelt? There is no use case for not wearing a seatbelt. That is not true for being able to install software.

Comment by httgbgg 1 day ago

Plenty of people disagree that there is no use case to not wearing a seatbelt. That you find it impossible to imagine makes it an even better analogy actually.

Comment by array_key_first 1 day ago

People can disagree with whatever, everyone is allowed to be stupid.

But most reasonable people agree there's no tangible use case to not wearing a seatbelt. There are infinite tangible use cases to using software outside the app store, that reasonable people can all acknowledge.

Comment by idle_zealot 2 days ago

Eh, kinda a weak argument. Too easy to counter with "but sideloading would let that happen more!" That might even be right, and a difference in amount is important. There will never be a totally secure system, after all.

I think the actual problem is with how the App Store changes the way people think about and relate to software. The fact is, running code on your computer is dangerous. You are trusting it with control over its operations. The responsible thing to do is provide platform-level safeguards (permissions systems, sandboxing) and engender a general understanding that you should only run an app vetted by someone you would hand your phone to.

This is fundamentally incompatible with software as a market, of course, so this path will never be taken.

Comment by throw1234567891 2 days ago

If they did, we’d be reading about such cases daily.

Comment by tadfisher 2 days ago

Source article: https://www.coindesk.com/business/2026/04/14/a-fake-ledger-a...

Choice quote:

> Blockchain investigator ZachXBT later traced the stolen 5.92 BTC [0], showing it was rapidly funneled through a series of transactions into KuCoin deposit addresses, consistent with a broader laundering pattern identified across the incident.

Ah, there's nothing else quite like a Seychelles-based cryptocurrency exchange which was booted from the US for facilitating money laundering. This is good for Bitcoin.

[0]: https://t.me/investigations/313#

Comment by hnburnsy 2 days ago

So certainly the DUNS, phone number, and physical address information will give up the perpetrators, thank goodness for Apple developer registration.

Comment by pixel_popping 2 days ago

Entering your seed phrase with that much money on a phone is really non-sense :/

Comment by basilikum 2 days ago

> people entered their seed phrases into the app, then discovered their wallets were immediately drained.

Why did they cash out immediately? Wouldn't it be much smarter to send the seed phrase to a server and stay undetected for longer just collecting seed phrases until you sweep them all at once?

Comment by alasano 2 days ago

maybe they had a check to determine total value of all collected seeds and then triggered auto sweeps from a certain threshold to guarantee a minimum.

Not sure what the game theory optimal way of stealing is!

Comment by basilikum 2 days ago

That would make sense.

But perhaps they just made a transaction directly from the app to a hardcoded address. Not making any additional network requests might decrease the chance of being flagged by automated systems in the Appstore review process. Then again you could just disguise these requests as ordinary block chain connections.

I'm probably over thinking this and it was just a quick and dumb money grab.

Comment by basilikum 2 days ago

Game theory of cybercrime is way too interesting.

Comment by cank 1 day ago

a bird in the hand is worth much more than ten in the bush. The 'collect and sweep' strategy is extremely risky because seeds are perishable. You're racing against the app getting nuked and the users rotating keys.

Comment by basilikum 1 day ago

But would people actually know and rotate keys? The moment the app gets nuked you could grab all the money.

Comment by dude250711 2 days ago

Unidirectional wall garden.

Comment by hnburnsy 2 days ago

Here is the archived App store page...

https://archive.ph/4RVLf

Comment by 2OEH8eoCRo0 2 days ago

Apple should be liable for this.

If Walmart sells a dangerous product, even unknowingly, they can be liable. Why are digital stores different?

Comment by alasano 2 days ago

If apple were liable for this you could do a double dip where you use your own fake app to "steal" money from a massive wallet you own and get apple to pay you back for "your loss". In addition to your other ill gotten gains.

Comment by xethos 1 day ago

Only if you made it past Apple's developer review, which is their most public argument for why software must be vetted by Apple first. So are they infallible (preventing the headline and refuting your argument), or is there a point in time when some users know better than Apple, when their developer review does as much harm as good, and the Apple App Store is not the safe haven Apple likes to publically claim?

Comment by nathanmills 1 day ago

That's still fraud.

Comment by alasano 1 day ago

Of course it is.

Comment by pwillia7 2 days ago

Walmart wasn't created late enough in the 2nd gilded age to effectively lobby the government against having any rules

Comment by scotty79 2 days ago

Apple should be on the hook for that. If you moderate, you are responsible for damage.

Comment by m132 2 days ago

Censor, not moderate. Let's be honest.

Comment by throw1234567891 2 days ago

Contact your representative?

Comment by LunaSea 2 days ago

I thought that Apple was reviewing each and every app which was the reason that justified them getting a silly 30% margin from all app revenues?

Comment by pants2 2 days ago

Apple only banned they app because they didn't get a 30% cut of the stolen crypto

Comment by Ekaros 2 days ago

I thought that Apple ecosystem had no bad apps as it prevented sideloading. I have heard that as reasoning to prevent it multiple times here on HN.

Comment by armadyl 2 days ago

"A plane crashed? See! FAA regulations are useless and the agency needs to be disbanded."

Comment by array_key_first 1 day ago

The difference is nobody is saying that FAA regulations make plane crashes impossible.

Many people think what apple is doing makes malware impossible. That's not the case, the app store has plenty of malware and it's trivial to get malware on the app store.

The app store is trying to solve a subset of a subset of a subset of a subset of the problem, and then it doesn't even solve that. Yes, that means it sucks ass as a solution, unfortunately.

Or, to be more clear: the problem space is getting scammed. Apple is only even trying to solve an extraordinarily small subsection of that problem space.

You don't need an app to scam someone. And if you do have an app, it doesnt have to be outside the app store. And even if it's on the app store, it doesn't have to be malicious.

Even if apple did somehow, magically, eliminate malware there would still exist perfectly legitimate apps that can be used for scamming. And that would only address a tiny part of scamming anyway, because the vast majority of scams are not done using an app.

Comment by 2muchcoffeeman 2 days ago

Does this mean that because seatbelts and air bags exist to save my life in a crash I should be less careful driving?

Like staying warm, it’s all about layers.

Comment by LunaSea 1 day ago

If Apple's reviews aren't done correctly, shouldn't we then get reimbursed for the additional 30% paid by the consumer?

Comment by throwaway260415 2 days ago

[dead]

Comment by rafaelmn 2 days ago

hOw WOulD mY graNDparNtS AvOiD getTiNG sCAmmED iF APPLE did nOT locK dOWn evEryThinG ?

Comment by SrslyJosh 2 days ago

Not "investing" in cryptocurrency would be a good start. =)

Comment by xethos 1 day ago

Apple takes a proactive stance towards apps that can even be used to access adult content. That's why Tumblr had a hard time.

Saying the mere ability to access adult content is very likely to get one shut down, but crypto wallets are fine, feels like a double standard

Comment by wiseowise 2 days ago

But have you thought of children? God forbid they give money to illegitimate scammers when legitimate one aren’t getting enough cash from legal gambling like loot boxes.

Comment by throw1234567891 2 days ago

ThEY sHoUlD Pay AttENtIoN tO WhAt tHey aR3 d01n6!

Comment by 2OEH8eoCRo0 2 days ago

I think people are less safe overall because they believe the walled garden is safe and they let their guard down.

Comment by throw1234567891 2 days ago

[flagged]

Comment by irl_zebra 2 days ago

This should not have happened. But I have a hard time finding any sympathy for cryptocurrency folks. The quote from the article:

"I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant."

Leaves me really shaking my head. If someone has the knowledge to even buy bitcoin or cryptocurrency, I imagine they have enough knowledge to know how utterly crime-ridden and risky of a speculation it is. It's like if someone decides to put their retirement fund into buying bulk illegal drugs and then selling them at a massive markup. Pretty risky, potential high upside, but given they assessed and then accepted the risk, hard to feel bad when they get robbed of all their drugs and lose their retirement funds.

Comment by tencentshill 2 days ago

They only needed it to exist on the app store for a week before stealing millions with zero recourse. These wealthy crypto people need to stop being cheap and hire financial advisors. The only reason for not doing so is if it was gained illegally in the first place.

Comment by wmf 2 days ago

A lot of people got into crypto because they want to manage their own money. They aren't going to use crypto financial advisors.

Comment by SrslyJosh 2 days ago

> A lot of people got into crypto because they want to manage their own money

uncontrollable laughter