A fake Ledger Live app on Apple’s Mac App Store has turned a routine wallet setup into a sharp reminder that crypto losses often begin at the software-distribution layer, not on the blockchain itself. Garrett Dutton, the musician known as G. Love, said he lost about 5.9 BTC, worth roughly $420,000, after installing a malicious Ledger impostor and entering his recovery phrase, giving the attacker full control of the wallet within minutes.
The theft drew added scrutiny because the stolen Bitcoin was traced to deposit addresses linked to KuCoin, placing the episode back into the larger debate over how quickly centralized exchanges identify, flag and freeze suspect inflows. Once stolen coins reach exchange rails, the problem is no longer only self-custody failure but compliance response time. That focus lands awkwardly for KuCoin EU, which Austria’s Financial Market Authority barred in February from taking on new business because of deficiencies in key AML and sanctions-control functions.
A fake wallet app became a full-wallet compromise
What made the attack so effective was its simplicity. Dutton said he downloaded what appeared to be Ledger Live onto a new Mac and then entered his seed phrase, after which the Bitcoin was drained almost instantly. The exploit did not depend on a sophisticated chain-level bug; it depended on persuading a user to hand over the only credential that truly matters in self-custody. ZachXBT traced the stolen funds across nine transactions into addresses associated with KuCoin.
That is exactly the failure mode Ledger has been warning about for years. On its phishing-status page, the company says users should never type their 24-word recovery phrase into a computer and should only download Ledger Live directly from Ledger’s own site. The rule is absolute because anyone with the seed phrase has the wallet, regardless of how trustworthy the interface first appears.
Hi I traced out your 5.92 BTC stolen and it was all laundered via @kucoincom deposit addresses in the following transactions:
6f5c8eb6b01774626f33527e0cb03c0d1860447acacd6079e69bf41b459bcf1f
9ee1288f941b2c3775ebd125eefeebdc713aa160bf2cf9d18661fd07f84ce891…
— ZachXBT (@zachxbt) April 12, 2026
Exchange deposit routes are now part of the risk story
The routing of funds into exchange deposit addresses matters because it changes the attack from a private loss into a broader market and compliance issue. Fast consolidation into centralized venues can shorten the window for recovery while increasing the chances of rapid swapping, layering or sale. That is why incidents like this tend to renew pressure on exchanges to apply consistent screening, faster wallet blacklisting and more visible cooperation when traced proceeds arrive on their platforms.
The deeper lesson is that retail on-ramps and software marketplaces remain among crypto’s weakest security surfaces. Apple’s store review process may reduce ordinary malware risk, but this episode shows that a convincing wallet impersonator can still do more damage than many smart-contract exploits because it captures the user’s entire trust model in one step.
