• ZachXBT linked $9.5M in theft from a fake Ledger Live Apple App Store app to an alleged 150+ Kucoin deposit addresses.
• Musician G. Love lost nearly 6 BTC; the 3 largest victims each lost 7 figures between April 7-13.
• Apple did end up removing the phony application from the App Store.

ZachXBT posted his findings on Tuesday, April 14, on X, laying out how the fake app victimized more than 50 users between April 7 and 13 across Bitcoin, EVM, Tron, Solana, and Ripple networks. Apple removed the app the day prior to his post.

The three largest victims each lost seven figures. One user lost $3.23 million in USDT on April 9. A second victim lost $2.079 million in USDC on April 11. A third lost $1.95 million worth of crypto on April 8, including 20.64 BTC, 211 stETH, and 70 ETH.

Another victim among those defrauded was musician Garrett Dutton, known professionally as G. Love, who lost nearly 6 BTC to the fake app. ZachXBT identified AudiA6 as the centralized mixing service used to move the stolen funds.

He described AudiA6 as a service that charges high fees to process illicit money, and alleged that stolen funds moved through Kucoin deposit addresses connected to that service. The investigator also claimed that a separate threat actor laundered $3.5 million from the Bitcoin Depot incident through more than 25 Kucoin deposit addresses in the days before the Ledger-related theft.

On X, after Kucoin’s official X account posted a random A & B vote post, ZachXBT decided to respond with his accusations. “C) Want to explain to the community why Kucoin allowed a threat actor to launder $9.5M+ tied to a fake Ledger app via 150+ Kucoin deposit addresses over the past week?” ZachXBT asked. The onchain investigator added:

“A few days before that another threat actor laundered $3.5M+ from the Bitcoin Depot incident via 25+ Kucoin deposit addresses. You’ve enabled instant exchanges abusing KYC and entities like AudiA6, a centralized mixer for illicit actors to operate freely. Kucoin deserves to have regulators come after its business once again.”

When Kucoin’s official X account responded to the controversy by asking for a UID and ticket number to look into the matter, ZachXBT replied with a photo of an infant’s ID document, implying the exchange’s know-your-customer (KYC) verification process is inadequate.

Kucoin had not publicly responded to those specific allegations as of the time of publication. The UID and ticket number response was likely from a customer service agent.

ZachXBT said the situation may provide grounds for a class action lawsuit against Apple for hosting the fraudulent app. Theft addresses published by ZachXBT span multiple blockchains, including Bitcoin, Ethereum, Tron, Solana, and Ripple, identifying specific wallets connected to each victim.

The fake Ledger Live app’s presence on Apple’s App Store raised broader questions about how malicious software clears Apple’s review process and how long it can operate before removal.

In a note shared with Bitcoin.com News, Ledger‘s CTO Charles Guillemet stressed that his firm will never ask for a seed phrase. “Ledger will never ask for your 24 words. If anyone, or any app, is asking for your 24 words, assume something is wrong,” Guillemet explained.

“Ledger consistently reminds the community about this. You cannot trust the software environment around you – not your browser, not your app store, not your desktop. Attackers operate wherever the opportunity exists, and that includes official distribution platforms. The only protection that holds is keeping your private keys on a dedicated hardware device with a secure screen, like a Ledger signer, and never entering your seed phrase into any app or website. Your 24 words are your wallet,” the hardware wallet firm’s CTO added.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。