Fake Ledger Live App on Apple Store Leads to $9.5M Crypto Theft
What Happened — Scammers published a counterfeit version of the Ledger Live cryptocurrency‑wallet application on Apple’s App Store. The malicious app harvested users’ recovery phrases, and with them the private keys they derive, and transferred roughly $9.5 million in crypto assets from more than 50 victims.
Why It Matters for TPRM —
- Mobile‑app supply‑chain attacks can bypass traditional vendor vetting processes.
- Compromise of crypto‑wallet credentials results in irreversible financial loss.
- The incident demonstrates the need for continuous monitoring of third‑party software marketplaces.
Who Is Affected — Crypto‑wallet users, fintech platforms, cryptocurrency exchanges, and any organization that integrates Ledger hardware wallets or recommends Ledger Live to employees or customers.
Recommended Actions —
- Immediately remove the fake Ledger Live app from all managed devices.
- Verify that no unauthorized wallet addresses have been added to legitimate Ledger Live installations.
- Strengthen app‑store vetting controls and enforce multi‑factor authentication for crypto‑asset transactions.
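A defender-side check for the first recommended action, added here as an example rather than code from the advisory or from Ledger: it scans an MDM-style app inventory for installs that carry a protected brand name but are not the approved bundle identifier signed by the approved developer team. All bundle identifiers, team identifiers and inventory rows are constructed placeholders and must be replaced with the vendor's published values.

```python
"""Flag counterfeit look-alike apps in a managed-device inventory."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class InstalledApp:
    device: str
    name: str       # display name as reported by the MDM
    bundle_id: str  # app bundle identifier
    team_id: str    # Apple developer team identifier of the signer


# Brand-name pattern -> approved (bundle_id, team_id) pairs.
# PLACEHOLDER values: not the real Ledger Live identifiers.
PROTECTED_BRANDS = {
    re.compile(r"ledger\s*live", re.I): {
        ("com.example.ledgerlive", "TEAMID0001"),
    },
}


def find_lookalikes(inventory):
    """Return (device, name, bundle_id, team_id, reason) for each app that
    uses a protected brand name without an approved bundle id and signer."""
    findings = []
    for app in inventory:
        for pattern, approved in PROTECTED_BRANDS.items():
            if not pattern.search(app.name):
                continue  # name does not claim the brand
            if (app.bundle_id, app.team_id) in approved:
                continue  # genuine install
            if app.bundle_id in {b for b, _ in approved}:
                reason = "approved bundle id but unexpected signing team"
            else:
                reason = "brand name used by unapproved bundle id"
            findings.append((app.device, app.name, app.bundle_id, app.team_id, reason))
    return findings


# Constructed sample inventory: one genuine install, one impersonator, one unrelated app.
SAMPLE_INVENTORY = [
    InstalledApp("iphone-01", "Ledger Live", "com.example.ledgerlive", "TEAMID0001"),
    InstalledApp("iphone-02", "Ledger Live - Wallet", "com.example.wallet.lookalike", "TEAMID0099"),
    InstalledApp("iphone-03", "Notes", "com.example.notes", "TEAMID0002"),
]

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE_INVENTORY):
        print(finding)
```

The flagged rows are the devices on which the removal step should be executed, and the same allowlist can back the store-vetting control in the last recommended action.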
Technical Notes — The malicious app was signed with a valid Apple developer certificate, allowing it to pass Apple’s review process. It operated as a trojan, prompting users to enter their Ledger recovery phrase, which was then exfiltrated to a command‑and‑control server. No known CVE was involved; the attack relied on the counterfeit app being approved into the store’s supply chain rather than on a software vulnerability. Source: HackRead