Apple removes fake Ledger app that stole $9.5M from crypto investors

[The Cryptovator]

As the title says, Apple removed fake Ledger from their App Store. Some of you may have noticed the recent fake Ledger issues, how almost 50 users lost $9.5M. This is the biggest issue so far for crypto users who have been holding funds in hardware wallets. It could happen with any hardware wallet or software wallet.

We have to take lessons from these mistakes – how people have been losing funds through fake wallet software. The fake wallet software has been uploaded through a “bait-and-switch strategy". The scammer is “SAS Software Company"; I'm not sure if it's possible to take legal action against them. But we have to be careful when downloading software from the app store. Always need to browse the original website and download from there.

[m2017]

As the title says, Apple removed fake Ledger from their App Store. Some of you may have noticed the recent fake Ledger issues, how almost 50 users lost $9.5M. This is the biggest issue so far for crypto users who have been holding funds in hardware wallets. It could happen with any hardware wallet or software wallet.

What did Apple say about this? The company charges a hefty commission for listing apps on the App Store. Why not use this money to compensate the 50 users, at least partially, for their failure to ensure the integrity of the app hosted on their platform? In any case, I believe the company bears some of the responsibility.

We have to take lessons from these mistakes – how people have been losing funds through fake wallet software. The fake wallet software has been uploaded through a “bait-and-switch strategy".

Now, even hadrware wallets (working software) can't be blindly relied upon or trusted for their reliability, and cryptocurrency owners will have to become more vigilant and cautious. The cost of risk becomes very high and the lost $9.5M is proof of this.

The scammer is “SAS Software Company"; I'm not sure if it's possible to take legal action against them.

They probably prepared for this in advance, and it is unlikely that the real perpetrators will be found through “SAS Software Company” (most likely a shell company).

Do the victims want to sue Apple for providing inadequate services?

But we have to be careful when downloading software from the app store.

If I were in the shoes of the affected users, I would stop using the App Store altogether (at least on a smartphone that deals with finances).

Always need to browse the original website and download from there.

And check the GPG signature of downloaded programs. It seems this should become a "hygienic" practice and procedure when interacting with cryptocurrencies.

I don't know if it's possible to check the GPG signature (or something similar) of apps on mobile devices?

[Charles-Tim]

@ The Cryptovator
There is already an existing thread about it, but it is on beginners and help board which might later be moved: Bogus crypto wallet on App Store steals $9.5M

Wallet users need to be very careful, they are still falling for fake apps and phishing messages that will give them a website that they can put their seed phrase which is leading to the stealing of the coins.

[Cookdata]

We have to take lessons from these mistakes – how people have been losing funds through fake wallet software.

The fake firmware app was the genesis of the problem but can we talk about usability? Why would anyone with a hardware wallet that protect key within the device suddenly import the seed phrase to a software wallet? This shows many people are just using hardware wallet as instructed, they don't understand the purpose.

According to the musician, he stated that he imported his seed phrase from the hardware wallet which possibly it's what other victims did and Bitcoin and other coins were swept immediately.

The fake wallet software has been uploaded through a “bait-and-switch strategy". The scammer is “SAS Software Company"; I'm not sure if it's possible to take legal action against them.

This software company might not even exist, and I'm not sure if Apple go around looking at the legitimacy of a company before they make an approval of an app to the public, I doubt if they go through the apps and review the usage to know if there is hidden bait that may affect the public.

Apple is protected by terms and conditions, they know very well this kind of situations will likely arise in the future that's why they have terms and conditions in place that users must accept before they use their products to avoid lawsuits.

But we have to be careful when downloading software from the app store. Always need to browse the original website and download from there.

Only if everyone would start to verify the software on Github instead of the website. The least a hardware companies can do is, they need to add link to download signature to verify the software.

If you visit Ledger website to download ledgerlive software, it download file based on the OS without any tip to verify the app, even on mobile, it redirect you to app store or Google play store.
They are not worried probably because they know keys are safe in hardware wallet but usability makes people do dumb mistakes just like these victims.

[Woodie]

It's unfortunate these companies have to be reactive to situations like this and not being proactive ...because with some research they should be able to verify who claims to be who they are as they have the capacity!

All in all, better late than never & great to read about this being put to a stop!

[Accardo]

This news has so much to do with the Mac Apple store where ledger has no app launched, these victims tried to download ledger live on Mac app store, instead of the official ledger website. Ledger live is available on iOS apple store but failed to exist on the Mac Apple store, where malicious developers seized the empty slot to scam inexperienced users of their funds, had they made a little research they wouldn't fall victim, the seller in Mac Apple store had the name 'Lema Heal Limited' not 'Ledger SAS'. The other problem here is Kucoin, the whole funds was laundered through their exchange and they claim to have no right about refunding the users or freeze the subscious accounts that received the stolen money.

[Pmalek]

Google and Apple don't really care about the apps that find a way on their platform. Apple is a bit more cautious, but in the end it's all about earning the commission fee for listing the software. That's what is most important for them.

If you visit Ledger website to download ledgerlive software, it download file based on the OS without any tip to verify the app, even on mobile, it redirect you to app store or Google play store.

It's possible to verify Ledger Live signatures. Actually, the software has been rebranded to Ledger Wallet now.
I wrote a thread on that subject a few years ago: How To Verify the Downloaded Version of Ledger Live. I think the process is still the same and hasn't changed.
They have a dedicated page for signature verification on their website.

[Yamane_Keto]

Increasing wallet security will not be useful if hardware user is willing to download an application without verifying its source or checking the number of downloads, as such behavior will still be a cause of any unauthorized access. it reminds me of what the son of a Federal Contractor did US Probes $40M Crypto Heist By Federal Contractor's Son

[m2017]

Some news has emerged about this incident.

"The company used a so-called bait-and-switch strategy: first, the app would be approved as legitimate, and then its description and screenshots would be changed to imitate the real Ledger Live."

That is, in the App Store there was (moreover, it has existed for quite a long time, but more on that below) the possibility of cheating the system.

"After installation, the app asked users to enter a seed phrase - a set of 12 or 24 words that grants full access to the crypto wallet. Having obtained this information, the scammers withdrew all funds."

And this is how users made a typical mistake. Why buy a hardware wallet if you enter the seed phrase separately in the app? It seems those 50 users were completely unaware of the basic operating principles of hardware wallets.

I admit that at least 50% of the responsibility for the loss of these funds lies with the users themselves. If they fail to adhere to the basic principle of cryptocurrency: "not your key, not your money", then no amount of app store moderation will save them.

"Apple has acknowledged that such schemes are not uncommon. In 2024 alone, the company removed or rejected more than 17,000 apps for using bait-and-switch tactics."

Apple can't figure out how to get rid of this tactic? (It's been fighting this since 2013 )

"At the end of 2023, a similar scheme worked in the Microsoft Store: the fake Ledger Live bypassed Microsoft's moderation, and users lost approximately $600,000."

If you remember, there was another similar incident in the past.

This led me to believe that such incidents are another reason to use third-party apps, like Electrum. That is, hardware wallet + Electrum (or another app). Although this is unlikely to protect those who enter the seed phrase outside of a HW device.

[Pmalek]

Some news has emerged about this incident.

"The company used a so-called bait-and-switch strategy: first, the app would be approved as legitimate, and then its description and screenshots would be changed to imitate the real Ledger Live."

That is, in the App Store there was (moreover, it has existed for quite a long time, but more on that below) the possibility of cheating the system.

It's still not clear to me how this bait-and-switch strategy works. Are the scammers initially pretending that they have developed and uploaded to the app store a completely different type of software? For example, a weather app. Once approved, they then do the description and screenshot switch to make the software seem like Ledger Wallet?

If that is possible, Apple must start moderating and checking for changes whenever app descriptions change. That might be a controversial decision and one that requires a lot of extra work, but it's also not a good look for them if app owners can change and literally write anything they want in the description of their apps once Apple initially approves them.

[Accardo]

It's still not clear to me how this bait-and-switch strategy works. Are the scammers initially pretending that they have developed and uploaded to the app store a completely different type of software? For example, a weather app. Once approved, they then do the description and screenshot switch to make the software seem like Ledger Wallet?

If that is possible, Apple must start moderating and checking for changes whenever app descriptions change. That might be a controversial decision and one that requires a lot of extra work, but it's also not a good look for them if app owners can change and literally write anything they want in the description of their apps once Apple initially approves them.

You may want to go through the Op's thread about your question https://bitcointalk.org/index.php?topic=5580332.0, regarding the post approval updates, apple's automated checks hardly finds out immediately, it could take weeks before Apple would find out and ban the account or remove the app. These culprits also seem to have a fake Ledger hardware device circulating in the marketplace, this reddit post caught up with them and they're been exposed for luring buyers into downloading their fake Apps on Mac, iOS, and google. The whole agenda or problem stems from not downloading Ledger from their official site, because these fake ledger hardware wallet don't pass the 'Genuine Checks' of the official software.