American musician G. Love (real name Garrett Dutton) disclosed on April 11 that after downloading a counterfeit Ledger Live application from the Apple Mac App Store and entering a 24-word recovery phrase when prompted, he immediately lost 5.92 bitcoins, which amounts to more than $424,000 based on the market rate.
What Happened: A Fatal Mistake When Migrating Devices
G. Love said the incident occurred during the process of migrating his Ledger hardware wallet to a brand-new Apple computer. After searching for “Ledger Live” in the Mac App Store, he downloaded a counterfeit app with an interface and appearance that closely mimicked the real one, and entered the complete 24-word recovery phrase as prompted. After submitting the recovery phrase, the attacker completed the asset transfer instantly, and 5.92 bitcoins disappeared within minutes.
In the post, G. Love said, “This is my retirement savings I’ve worked hard to build up over the past decade. If you’re going out, you have to be careful.”
The core problem in this case is that the counterfeit application successfully passed the Apple App Store’s review and was presented to users in official channels under a legitimate-sounding name, making the Apple platform’s trust endorsement the biggest lever the scammers exploited.
ZachXBT Investigation: The Funds’ Destination Appears to Be a CEX, and the Chance of Recovery Is Very Low
ZachXBT’s on-chain analysis confirmed that the stolen 5.92 bitcoins flowed through a wallet identified as a CEX deposit address, and it noted that a large number of distributed deposit addresses suggests the thieves may have made a second round of fund transfers via an instant exchange, further increasing the difficulty of tracing.
ZachXBT explicitly criticized the CEX for “only showing compliance when it aligns with its own interests,” and pointed out that after the exchange obtained an EU MiCA license in November 2025, it was revoked just about three months later in February 2026—showing it has deeper compliance issues. He also noted that illicit services are still transferring funds through brokers and personal accounts on that CEX platform, while regulators have taken virtually no action to date.
Security Experts’ Warning: The Core Rules for Protecting Your Recovery Phrase
After the incident was revealed, Pudgy Penguins’ security lead Beau issued an urgent warning, emphasizing that all hardware wallet users should follow the following security principles:
Key Rules for Recovery Phrase Protection
Never enter a recovery phrase on a connected device: Whether it’s a laptop or a phone, a connected environment should not be used as a recovery phrase entry setting
Download or update requests default to “suspicious”: Until you verify it yourself, any message urging users to download or update wallet software should be treated as a scam
Scam channels are diverse: Counterfeit wallet apps spread via email, fake ads, and physical mail; official app stores are also not absolutely safe
Go directly to official sources: Installing Ledger Live should go directly to the official website (ledger.com), not through searching in the App Store
Frequently Asked Questions
Why did a counterfeit Ledger app appear in the Apple App Store?
The counterfeit app exploited weaknesses in the app store’s review process to pass publication review using a highly similar name and interface. Ordinary users can’t reliably tell truth from falsehood based on the store page alone. When installing Ledger Live, it’s recommended to go directly to the Ledger official website (ledger.com) to download, completely bypassing the app store search step.
Why does entering a recovery phrase lead to bitcoins being stolen immediately?
A recovery phrase is a complete backup key that fully restores a hardware wallet. Anyone who has the 24-word recovery phrase can rebuild the wallet on any device and control all assets. The core purpose of the counterfeit app is to诱导 users into entering the recovery phrase; once the back-end server receives it, the asset transfer is executed immediately, and the entire process is completed within minutes.
Is it possible to recover the stolen bitcoins?
According to ZachXBT’s on-chain analysis, the funds have flowed to deposit addresses suspected to belong to a CEX and may have undergone a second transfer via an instant exchange. ZachXBT stated clearly that he does not believe a CEX would assist in recovering funds. Combined with recent compliance disputes stemming from the exchange’s MiCA license being revoked, the real likelihood of asset recovery is extremely low.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Trump's Crypto Backing Reaches Historic $1.2B, Sparking National Security Concerns
Gate News message, April 21 — Federal filings reveal that Trump and the Republican Party have accumulated a historic $1.2 billion cash stockpile for the November midterms, with cryptocurrency executives playing a major role in funding the GOP war chest. Democrats currently hold only $261 million in
GateNews6h ago
New York State Sues Two Major Crypto Exchanges for Alleged Violations of State Administrative Law
New York State filed lawsuits against two major crypto exchanges, alleging violations of its administrative law and noncompliance with the regulatory framework for digital asset trading platforms.
Abstract: New York State filed lawsuits against two major crypto exchanges, alleging violations of its administrative law and noncompliance with the regulatory framework for digital asset trading platforms. The action signals intensified state oversight of crypto markets.
GateNews7h ago
Crypto Hack Draining $300M May Slow Wall Street's Blockchain Ambitions
Gate News message, April 21 — A weekend hack that drained nearly $300 million from a small crypto project and triggered a $10 billion run on the largest decentralized lending platform may slow Wall Street's growing interest in blockchain technology, according to a report from Jefferies LLC released
GateNews7h ago
AI16Z and ELIZAOS Creators Face Class Action Lawsuit Over False Advertising and Unjust Enrichment
Gate News message, April 21 — Burwick Law has filed a federal class action lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against the creators of AI16Z and ELIZAOS, including Walters, alleging violations of consumer protection laws, false advertising, and unjust
GateNews8h ago
Philippines SEC Warns Against dYdX and Six Other Unregistered Crypto Platforms
Gate News message, April 21 — The Philippine Securities and Exchange Commission (SEC) has warned the public against using dYdX and six other cryptocurrency platforms, stating they are not registered or authorized to solicit investments from local users. The warning aims to protect Filipino
GateNews9h ago
KelpDAO $290M Exploit Attributed to North Korea's Lazarus Group
LayerZero attributed a $290 million exploit of KelpDAO's cross-chain rsETH configuration to North Korea's Lazarus Group on April 18, describing the attacker as a "highly-sophisticated state actor." According to LayerZero, the incident was limited to KelpDAO's rsETH setup and did not spread to other
CryptoFrontier11h ago
