
A malicious Ledger Live app for macOS available from Apple’s App Store has drained roughly $9.5 million in cryptocurrency from 50 victims in just a few days this month.
Users who downloaded the fake Ledger app were tricked into entering their seed/recovery phrases, thus giving attackers full access to their wallets and letting them send digital assets to external addresses under their control.
According to blockchain investigator ZachXBT, the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.
The stolen amounts were then laundered through more than 150 deposit addresses on KuCoin, linked to a centralized mixing service called “AudiA6,” which launders crypto in exchange for high fees.

Source: ZachXBT
The investigator tracked three individual victims losing seven-figure amounts ($3.23 million, $2.08 million, and $1.95 million) between April 8 and April 11.
Musician G. Love said on X that he also lost 5.9 BTC (currently $430k) after downloading the app. This loss was also traced and confirmed by ZachXBT.

According to a Reddit discussion, the fake app was submitted to the Apple App Store under the publisher name ‘Leva Heal Limited,’ an account not associated with the real Ledger development team.
The malicious actor also created a fake version history by releasing major new versions every few days, going from 1.0 to 5.0 within just two weeks.

Source: Reddit
Following multiple user reports, Apple has now removed the fake app from the App Store, but not before 50 users lost a total of $9.5 million.
BleepingComputer has reached out to Apple for a comment, but we have not received a response yet.
Meanwhile, KuCoin, which has been accused of violating anti-money laundering rules in the past and was even ordered to pay $300 million in penalties in the U.S. last year, announced that it has frozen the accounts involved in the latest scheme.
However, the platform noted that the freeze will only last until April 20. Beyond that date, the freeze can be extended via an official request from law enforcement authorities.
It is important to note that Ledger offers a Mac app on its website, but not in the Apple App Store, where only an iOS-compatible version is available.
Threat actors have attempted to exploit this availability gap before, even targeting the Microsoft Store in 2023, stealing $768,000 worth of cryptocurrency.