Millions lost: Fake crypto app distributed via Mac App Store

Around 50 users are said to have been affected by a scam for a week, during which cryptocurrencies worth millions were drained. Apple noticed nothing.

Cryptocurrency (symbolic image): Attackers gained access via a fake Ledger app.

(Image: Velishchuk Yevhen / Shutterstock.com)

For several days, Apple distributed a fake macOS app impersonating Ledger Live, the wallet software of crypto wallet provider Ledger, through which almost 10 million US dollars are said to have been drained. CoinDesk reports this. According to the report, at least 50 victims were affected between April 7 and 13. Bitcoin, Ethereum, Tron, Solana, and XRP were drained.

The sums, equivalent to at least 9.5 million dollars, are said to have already passed through a money laundering service. Ledger does offer a genuine Ledger Live application, but it is distributed via the provider's own website. The scam tool, on the other hand, was available for download in the Mac App Store, generally considered a safe source, before Apple blocked it after a good week.

The affected individuals had entered their recovery phrase into the scam app. Through this, the criminal app distributors gained full access to the deposited wallets and initiated transactions. One affected person stated that their entire crypto savings, set aside for retirement, were “gone immediately.” One individual lost 5.9 Bitcoin, currently equivalent to around 342,000 Euros.

CoinDesk was able to find further information about the drained funds via the corresponding blockchain addresses. The hardest-hit users lost seven-figure sums, with between 1.95 and 3.32 million dollars drained per day. The coins were laundered via a mixing service called AudiA6 and a total of 150 KuCoin addresses, the report further states.

It remains unclear how such a scam app could have slipped through Apple's supposedly strict app review process. This process is intended to verify the origin of an app and to detect fakes. In this case, however, the application passed. Because it carried a valid signature, launching and using it produced no problems or warnings.

Typically, users have more trust in apps distributed via the Mac App Store than in those that are available for download on websites and must be installed individually. Ledger has since reacted: CTO Charles Guillemet emphasized that Ledger will “never ask for your 24 words [of the recovery phrase].” Apple has not yet commented. What remains clear is that users should be extremely cautious when entering recovery phrases.

(bsc)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.