
Apple removed the App Store listing after it was flagged, but losses spanned BTC, stables, and multiple chains.
Blockchain investigator ZachXBT tied a fraudulent “Ledger Live” iOS app listing to roughly $9.5 million stolen from more than 50 victims in a six-day window. He also traced the alleged laundering flow through 150+ KuCoin deposit addresses connected to an entity he described as a centralized mixer.
ZachXBT attributed a wave of wallet drains to a fraudulent “Ledger Live” application that appeared on Apple’s App Store, putting the alleged loss at roughly $9.5 million from more than 50 victims between April 7 and April 13.
The scope matters for traders because the thefts were described as multi-asset and multi-chain. ZachXBT said victims were hit across Bitcoin, multiple EVM networks, Tron, Solana, and Ripple, which frames this as a retail-to-whale drain that can touch stablecoin balances and blue-chip holdings in the same campaign.
ZachXBT said Apple removed the malicious listing after he flagged the incidents in a Telegram post on Tuesday. The source material does not include independent confirmation of the takedown timing, or of whether the losses were driven by one specific listing versus multiple similar impersonation apps.
The alleged laundering route concentrates around exchange deposit infrastructure. ZachXBT said stolen assets were routed through more than 150 KuCoin deposit addresses tied to “AudiA6,” which he described as a centralized mixing service used to launder illicit proceeds for “high fees.”
That claim is investigator-attributed, and the source material does not substantiate the identity or ownership of “AudiA6” beyond ZachXBT’s description. Still, the concentration around KuCoin deposit addresses is the market-structure detail to focus on, because it implies a repeatable off-ramp path rather than scattered, opportunistic cash-outs.
The KuCoin angle also lands in a sensitive regulatory backdrop. The exchange previously paid more than $300 million in fines to the U.S. government in January 2025 to settle charges related to Anti-Money Laundering violations. In February 2026, Austrian regulators prohibited KuCoin from onboarding new European Union users, despite the firm receiving its MiCA permit last November.
ZachXBT highlighted three of the largest reported victim losses as seven-figure events: $3.23 million in USDT, $2.079 million in USDC, and $1.95 million in combined assets consisting of 20.64 BTC, 211 stETH, and 70 .
That mix is a reminder that these campaigns are not just “small wallet” drains. Stablecoins were hit alongside BTC and ETH-linked exposure, including stETH, a liquid staking token representing staked ETH that trades and transfers like a standard token.
A separate anecdote in the same timeframe shows the common failure mode. On April 12, musician Garrett Dutton (G. Love) reported losing 5.9 BTC after entering his recovery phrase into a similar fraudulent application.
The first confirmation traders should look for is whether Apple or Ledger provides a precise timeline for the takedown and whether additional fraudulent “Ledger Live” variants were detected and removed. The removal of a single listing reduces distribution, but it does not answer how many lookalikes were live during the drain window.
Second, the real operational question is whether KuCoin addresses the 150+ deposit-tracing claim with freezes, cooperation steps, or updated controls tied to the alleged flows.
Third, follow-on on-chain movements from the identified KuCoin deposit addresses will matter. Consolidation patterns consistent with a mixer workflow would strengthen the laundering narrative, while fragmented, exchange-to-exchange hops would suggest a broader cash-out network.
Finally, any new regulator actions or restrictions involving KuCoin in the EU or U.S. context would change the risk calculus quickly given the exchange’s cited AML settlement and EU onboarding ban.
I treat this as a distribution failure first and a chain-specific security story second. Apple removing the app, as ZachXBT described, helps at the margin, but the core exploit is still the same: getting a user to type a 24-word recovery phrase into an impersonation app. Ledger CTO Charles Guillemet’s warning is blunt for a reason: “Ledger will never ask for your 24 words,” and he added that users should never enter their seed phrase into any app or website.
The threshold that matters is whether the KuCoin deposit-address cluster leads to visible enforcement actions like freezes or public cooperation, because that is what turns a one-week drain into a durable change in exchange risk pricing. This development matters in practical terms if the alleged KuCoin-centered laundering route is corroborated and triggers tighter controls that measurably disrupt similar cash-out paths.