Crypto Analyst ZachXBT: Fake Ledger Live App on App Store Stole $9.5 Million and Laundered via Centralized Mixing Network
Crypto investigator ZachXBT revealed that a counterfeit Ledger Live app previously listed on the Apple App Store caused approximately 50 users to lose a total of $9.5 million within a week, involving Bitcoin, EVM chain assets, TRON, Solana, and XRP. The app stole users' recovery phrases through phishing authorization and transferred funds to over 150 KuCoin deposit addresses, which were then funneled to a centralized mixing service named AudiA6 for laundering, disguised by high fees for cross-chain layered transfers. Apple subsequently removed the app, but most of the funds had already been transferred multiple times.
Blockchain forensics teams noted that the AudiA6 mixing system features automated multi-chain hops and time delay mechanisms, making tracking extremely difficult. Some English-speaking security communities are calling for Apple to establish an "independent review mechanism for wallet-type applications" and suggest that Ledger strengthen official verification channels to reduce the risk of user impersonation.
Source: Public Information
ABAB AI Insight
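This incident exposes a "centralized trust blind spot" in the mobile ecosystem: when users trust Apple's review process on a closed platform yet take part in decentralized transactions on-chain, the trust layer breaks. App Store review was designed to keep out malicious content, but it cannot identify programs that carry on-chain fraud logic, which leaves a security vacuum between the centralized entry point and the decentralized assets.
Structurally, this is a blurring of the responsibility boundaries of traditional platforms in the crypto era. Apple acts as the distributor but bears no financial risk, Ledger carries the brand trust but lacks control on the application side, and ultimate responsibility ends up dispersed across a chain in which no one can be held accountable. This is an extreme manifestation of "trust fragmentation."
In the long run, incidents of this kind will drive two trends: first, mainstream app ecosystems will need to add on-chain security verification mechanisms; second, the regulatory interface between the fiat world and the crypto world will need to be redrawn. Fake apps attack not only user wallets but the weakest link in the cross-system trust architecture: identity verification and distribution authority are not unified, which turns traditional platforms into the entry layer for new financial crime.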