Malicious Ledger Live macOS app on Apple App Store facilitates $9.5M crypto theft via seed phrase harvesting

1 unique source, 1 article

Summary

A counterfeit Ledger Live application distributed through Apple’s App Store for macOS compromised approximately 50 users between April 8–11, 2026, resulting in the theft of $9.5 million in cryptocurrency assets. The illicit application, published under the name ‘Leva Heal Limited,’ tricked users into entering seed/recovery phrases, granting attackers full control over victim wallets and enabling fund transfers to attacker-controlled addresses. Funds were subsequently laundered through over 150 KuCoin deposit addresses linked to a centralized mixing service named ‘AudiA6,’ with notable victims including musician G. Love, who lost 5.9 BTC (~$430k). Apple removed the malicious app after reports emerged, but only after significant financial damage was incurred.

Timeline

  1. 14.04.2026 19:37 · 1 article

    Malicious Ledger Live macOS app on Apple App Store leads to $9.5M crypto theft via seed phrase harvesting

    A fraudulent Ledger Live application for macOS, distributed through Apple’s App Store under the publisher name ‘Leva Heal Limited,’ was used to trick users into entering seed phrases between April 8 and April 11, 2026. Attackers gained full wallet access, moving stolen assets across Bitcoin, Ethereum, Tron, Solana, and Ripple networks before laundering via KuCoin-linked addresses tied to the ‘AudiA6’ mixing service. Apple removed the malicious app after user reports; KuCoin froze implicated accounts until April 20, with extension possible via law enforcement requests.


Information Snippets

  • The malicious Ledger Live macOS app was available on Apple’s App Store under the publisher name ‘Leva Heal Limited’ and was not associated with Ledger’s official team.

    First reported: 14.04.2026 19:37
    1 source, 1 article
  • Victims entered seed/recovery phrases into the fake app, resulting in unauthorized access to their cryptocurrency wallets and subsequent fund transfers to attacker-controlled addresses.

    First reported: 14.04.2026 19:37
    1 source, 1 article
  • Total stolen amount across 50 victims reached approximately $9.5 million, with individual losses including $3.23M, $2.08M, and $1.95M.

    First reported: 14.04.2026 19:37
    1 source, 1 article
  • Stolen funds were laundered via more than 150 KuCoin deposit addresses connected to the centralized mixing service ‘AudiA6’; KuCoin froze involved accounts until April 20, 2026.

    First reported: 14.04.2026 19:37
    1 source, 1 article
  • Ledger does not distribute a macOS app through Apple’s App Store; only an iOS-compatible version is officially available in the store, and a legitimate macOS desktop app is provided via Ledger’s website.

    First reported: 14.04.2026 19:37
    1 source, 1 article
  • Apple removed the malicious app following multiple user reports; the timeline between initial compromise and removal spans approximately three days.

    First reported: 14.04.2026 19:37
    1 source, 1 article