A fake version of Ledger Live distributed through Apple’s App Store drained at least $9.5 million in cryptocurrency from more than 50 victims across multiple blockchains in a phishing campaign that ran from April 7 to April 13, CoinDesk reported.

The malicious app mimicked the official Ledger wallet interface and prompted users to enter their recovery phrases, allowing attackers to take control of their wallets and steal funds held in Bitcoin, Ether, Solana, Tron, and XRP-related assets, the news outlet said. 

One victim, identified on X as @glove, lost 5.9 Bitcoin after downloading what he believed was the legitimate Ledger app while setting up a new computer. He described the sum as his retirement savings accumulated over a decade, CoinDesk said.

Three other victims lost millions of dollars in cryptocurrencies over the course of three days. The stolen funds were routed through more than 150 KuCoin deposit addresses and linked to AudiA6, which operates as a centralized crypto mixing service used to obscure illicit flows, according to the report. 

Apple removed the fake Ledger Live app from the App Store, but questions remain over how it passed the company’s review process and how long it was available for download. The scale of the losses and the app’s presence on Apple’s official marketplace could expose the company to legal risk, one investigator told the news outlet. 
