American musician G. Love (real name Garrett Dutton) disclosed on April 11 that after downloading a counterfeit Ledger Live application from the Apple Mac App Store and entering a 24-word recovery phrase when prompted, he immediately lost 5.92 bitcoins, which amounts to more than $424,000 based on the market rate.
What Happened: A Fatal Mistake When Migrating Devices
G. Love said the incident occurred during the process of migrating his Ledger hardware wallet to a brand-new Apple computer. After searching for “Ledger Live” in the Mac App Store, he downloaded a counterfeit app with an interface and appearance that closely mimicked the real one, and entered the complete 24-word recovery phrase as prompted. After submitting the recovery phrase, the attacker completed the asset transfer instantly, and 5.92 bitcoins disappeared within minutes.
In the post, G. Love said, “This is my retirement savings I’ve worked hard to build up over the past decade. If you’re going out, you have to be careful.”
The core problem in this case is that the counterfeit application successfully passed the Apple App Store’s review and was presented to users in official channels under a legitimate-sounding name, making the Apple platform’s trust endorsement the biggest lever the scammers exploited.
ZachXBT Investigation: The Funds’ Destination Appears to Be a CEX, and the Chance of Recovery Is Very Low
ZachXBT’s on-chain analysis confirmed that the stolen 5.92 bitcoins flowed through a wallet identified as a CEX deposit address, and it noted that a large number of distributed deposit addresses suggests the thieves may have made a second round of fund transfers via an instant exchange, further increasing the difficulty of tracing.
ZachXBT explicitly criticized the CEX for “only showing compliance when it aligns with its own interests,” and pointed out that after the exchange obtained an EU MiCA license in November 2025, it was revoked just about three months later in February 2026—showing it has deeper compliance issues. He also noted that illicit services are still transferring funds through brokers and personal accounts on that CEX platform, while regulators have taken virtually no action to date.
Security Experts’ Warning: The Core Rules for Protecting Your Recovery Phrase
After the incident was revealed, Pudgy Penguins’ security lead Beau issued an urgent warning, emphasizing that all hardware wallet users should follow the following security principles:
Key Rules for Recovery Phrase Protection
Never enter a recovery phrase on a connected device: Whether it’s a laptop or a phone, a connected environment should not be used as a recovery phrase entry setting
Download or update requests default to “suspicious”: Until you verify it yourself, any message urging users to download or update wallet software should be treated as a scam
Scam channels are diverse: Counterfeit wallet apps spread via email, fake ads, and physical mail; official app stores are also not absolutely safe
Go directly to official sources: Installing Ledger Live should go directly to the official website (ledger.com), not through searching in the App Store
Frequently Asked Questions
Why did a counterfeit Ledger app appear in the Apple App Store?
The counterfeit app exploited weaknesses in the app store’s review process to pass publication review using a highly similar name and interface. Ordinary users can’t reliably tell truth from falsehood based on the store page alone. When installing Ledger Live, it’s recommended to go directly to the Ledger official website (ledger.com) to download, completely bypassing the app store search step.
Why does entering a recovery phrase lead to bitcoins being stolen immediately?
A recovery phrase is a complete backup key that fully restores a hardware wallet. Anyone who has the 24-word recovery phrase can rebuild the wallet on any device and control all assets. The core purpose of the counterfeit app is to诱导 users into entering the recovery phrase; once the back-end server receives it, the asset transfer is executed immediately, and the entire process is completed within minutes.
Is it possible to recover the stolen bitcoins?
According to ZachXBT’s on-chain analysis, the funds have flowed to deposit addresses suspected to belong to a CEX and may have undergone a second transfer via an instant exchange. ZachXBT stated clearly that he does not believe a CEX would assist in recovering funds. Combined with recent compliance disputes stemming from the exchange’s MiCA license being revoked, the real likelihood of asset recovery is extremely low.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Study Finds Only 3% of Polymarket Traders Are Skilled, Capturing Over 30% of Gains
Gate News message, April 26 — A new academic paper analyzing Polymarket transactions from 2023 through 2025 concludes that the platform's accuracy reflects "the wisdom of an informed minority, not the wisdom of the crowd." The research, revised April 25 by scholars from London Business School and
GateNews2h ago
US Sanctions Iran-Linked Crypto Wallets Holding $344M Frozen by Tether
U.S. Treasury Secretary Scott Bessent announced sanctions on multiple wallets linked to Iran as part of President Donald Trump's efforts to increase economic pressure on the country amid an ongoing ceasefire, according to CNN. The action followed Tether's freeze of $344 million in USDT on Tron,
CryptoFrontier3h ago
CFTC Faces Enforcement Crisis as 24% Staff Cuts Hit Insider Trading Oversight in Crypto and Prediction Markets
Gate News message, April 26 — The U.S. Commodity Futures Trading Commission (CFTC) has cut 24% of its workforce since Donald Trump returned to office, leaving the agency at its lowest staffing level in 15 years amid growing insider-trading risks across crypto, oil futures, and prediction markets. Th
GateNews4h ago
Brazil Bans Polymarket, Kalshi, 26 Other Prediction Platforms
Brazil has enacted a sweeping ban on prediction markets and betting platforms, according to local media and government filings. The two leading prediction markets, Polymarket and Kalshi, were confirmed inaccessible to researchers based in the country, with the Banco Central do Brasil publishing a fo
CryptoFrontier5h ago
22-Year-Old Sentenced to 70 Months for $263M Crypto Theft Laundering
## Sentencing and Charges
California resident Evan Tangeman, 22, was sentenced on Friday to 70 months in federal prison for his role laundering proceeds from a multi-state cryptocurrency theft ring that stole around $263 million in digital assets from victims, according to the U.S. Department of Ju
CryptoFrontier5h ago
Justin Sun Skips Trump Memecoin Event Amid Legal Dispute with World Liberty
Gate News message, April 26 — Justin Sun, one of the largest investors in the TRUMP token, notably did not attend a memecoin-themed event hosted by US President Donald Trump at Mar-a-Lago in Florida this year, marking a significant shift from his prominent appearance at a similar event last year.
T
GateNews6h ago
