Ten years of work. 5.92 BTC. Around $424,000. All of it drained in the time it takes to type 24 words.
That's what happened to Garrett Dutton, the Philadelphia musician known as G. Love of G. Love & Special Sauce. On April 11, 2026, he was setting up his Ledger on a new MacBook. He went to the place anyone would go for a piece of trusted software in 2026: the Apple Mac App Store. He searched "Ledger Live." He downloaded the app that looked right. He followed the prompts. When the app asked for his 24-word seed phrase, he typed it in.
His Bitcoin was drained almost instantly.
If you've been in crypto for any length of time, you already know the rule. Never type your seed phrase into a screen. Not on a laptop, not on a phone, not on any keyboard you trust. Ever. The whole point of a hardware wallet is that the seed phrase never touches a connected device. Dutton knew this. He said so himself. "I been in the crypto circus since 2017. Today they caught me off guard."
The trap was the app store itself
Here's the part that should make every self-custody holder uncomfortable. This wasn't a sketchy link in a Telegram DM. It wasn't a fake email pretending to be Coinbase support. It wasn't a malicious Chrome extension. It was the official Mac App Store. The same place you trust to deliver your bank's app, your password manager, your tax software. Apple's review process let a fake Ledger Live app through, and a guy with a decade of crypto experience trusted it because of where he found it.
ZachXBT picked up the trail within hours. He traced the stolen 5.92 BTC across nine transactions into deposit addresses linked to KuCoin. The hashes are public. Anyone can verify them on a Bitcoin block explorer. ZachXBT also said Apple appears to be blocking urlscan.io from analyzing the fraudulent listing, which is its own kind of red flag. As of today, Apple has said nothing publicly about the theft, the fake app, or the blocking allegation.
This is not a one-off. In 2023, almost $600,000 in Bitcoin was stolen the exact same way through a fake Ledger Live app that slipped past Microsoft's app store review. Different platform, same playbook. The FBI reported Americans lost over $11 billion to crypto fraud in 2025 alone, and seed-phrase phishing through impersonated wallet software is one of the highest-yielding categories.
Why the hardware wallet didn't save him
A lot of people on X questioned the story at first. They pointed out that Ledger devices require physical button presses to confirm transactions. How could the funds move without Dutton touching his Ledger?
The answer is the most uncomfortable part of this whole situation. He typed the seed phrase voluntarily. Once 24 words leave the hardware wallet's secure element and land on a connected computer, the hardware wallet is no longer in the picture. The attacker doesn't need to bypass the Ledger. They have everything they need to recreate the wallet on their own machine and drain it. The hardware wallet's security model assumes the seed phrase is never typed. The moment it gets typed, the protection is gone.
This is why every legitimate wallet manufacturer, Ledger included, says the same thing over and over: their software will never ask you to enter your seed phrase into a screen. Real Ledger Live never asks. Real Trezor Suite never asks. Real Trust Wallet never asks. If a piece of software asks for your 24 words, that request is the attack. Close it. Walk away. Don't even reopen it.
If you want a deeper read on why the recovery phrase is the single most important thing in your entire crypto setup and why thieves will go to absurd lengths to get it, our 12-word recovery phrase guide breaks down the math, the risk, and the recovery scenarios in plain English.
What this story is actually about
It's not really about Apple, even though Apple deserves the heat. It's not about Ledger, which has said for years that it does not distribute Ledger Live through any consumer app store and that anyone who claims otherwise is fraudulent. It's not even about Dutton, who handled the loss with more grace than most people would.
It's about how thin the line is between secure self-custody and total loss. The line is one screen prompt. One moment of trust in the wrong logo. One trained instinct to follow the install wizard.
The hardware wallet didn't fail. It can't fail in this scenario, because the protection lives in the device itself. What failed is the layer of security between the human and the keyboard. The moment the seed phrase becomes typeable, every protection downstream is irrelevant.
The rules nobody wants to hear because they sound boring
These are the rules that would have saved Dutton's retirement. They will save yours too if you're disciplined enough to follow them.
Never type your seed phrase into anything that has electricity running through it. Not a phone, not a laptop, not a "secure" web form, not your hardware wallet's setup app on your computer. Your hardware wallet's screen is the only screen that should ever see those words.
If a wallet app asks you to type your seed phrase into your computer, close it. Real Ledger Live, Trezor Suite, MetaMask, Phantom, and every other legitimate wallet manager will never ask. The request is the attack.
Download wallet software from the manufacturer's own website. Type the URL yourself. Don't search for it on Google. Don't search for it in app stores. Search results lie. App store listings lie too, apparently. Bookmark ledger.com directly, type it in by hand, and only ever update from there.
Write your seed phrase down once, on something built to outlast accidents, and store it somewhere physical that you control. Then never touch a keyboard with it again. For a deeper guide on doing this right, including what to do if you have multiple wallets to back up, our seed phrase storage guide covers the whole spectrum from sticky notes to multisig setups.
That last rule is the part Shieldfolio exists for. The Stonebook is built to be the place your seed phrase lives, on stone paper that survives spills, tears, drops, and time, with pre-printed fields for 50+ wallet backups. Pair it with a fire-rated safe and you have a setup where the seed phrase only lives in two places: the device that needs it for a transaction, and the page you wrote it on. Nowhere else. Nowhere a fake app can reach it.
If your seed phrase currently lives on a sticky note, a screenshot, a password manager, a Google Doc, or anywhere a keyboard could reach it, today is the day to fix that.
The part that hurts the most
Dutton said the 5.9 BTC was "all I had for ten years I worked on this." He's not a crypto whale. He's a working musician who put part of every paycheck into something he believed in, watched it grow, and was planning to retire on it. He did the hard part. He held through every cycle. He bought a hardware wallet because he understood the risks. He did everything right except that one final step, and one final step was enough.
Be careful out there. Read the URL twice. Buy your wallet software from the company that makes it. And if a screen ever asks for your 24 words, walk away.
FAQ
How did the attacker get a fake Ledger Live app onto Apple's official Mac App Store?
Apple has not commented publicly. The fake app passed Apple's review process and appeared as a legitimate-looking listing in search results. ZachXBT also reported that Apple appears to be blocking urlscan.io from analyzing the fraudulent listing, which makes independent investigation harder. Whether the review failure was a one-time slip or a pattern is still unclear.
Can the stolen Bitcoin be recovered?
Almost certainly not. ZachXBT traced the funds across nine transactions to deposit addresses linked to KuCoin and said he did not expect the exchange to intervene voluntarily. Recovery would require coordinated law enforcement action, and even then, exchanges in jurisdictions with weak enforcement rarely return stolen funds without a court order. Once a seed phrase is compromised, every wallet derived from it is permanently exposed.
If I have a hardware wallet, am I safe from this kind of attack?
Only if you never type your seed phrase into a connected device. The hardware wallet protects you against remote attackers who try to move funds without physical access. It cannot protect you if you voluntarily hand over the seed phrase to a fake app, a phishing email, or a social engineer pretending to be customer support. The hardware wallet's security model ends the second the 24 words become typeable.
Where should I actually download Ledger Live?
Only from ledger.com, typed directly into your browser. Ledger has stated repeatedly that they do not distribute Ledger Live through any consumer app store. Anything you find in the Apple App Store, Google Play, Microsoft Store, or any other third-party marketplace claiming to be Ledger Live should be treated as fraudulent.
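A check that follows from the answer above, added here as an example and not taken from Ledger or Apple: Mac App Store installs carry a receipt at Contents/_MASReceipt/receipt inside the app bundle, so an installed bundle with a wallet vendor's name and that receipt came from the store. The name pattern, the function names and the sample bundles are assumptions made for illustration, and the match is on the bundle's folder name only.

```bash
#!/usr/bin/env bash
# Added example: list installed apps that use a wallet vendor's name but
# were delivered by the Mac App Store (they carry a store receipt file).

# Assumption: lower-case name fragments to match; extend for your wallets.
WALLET_NAME_PATTERN='ledger|trezor'

# Print every *.app under directory $1 whose bundle name matches the pattern
# and which contains Contents/_MASReceipt/receipt.
find_store_wallet_apps() {
    local root="$1" app name
    [ -d "$root" ] || return 0
    find "$root" -maxdepth 2 -type d -name '*.app' -prune 2>/dev/null |
    while IFS= read -r app; do
        name=$(basename "$app" .app | tr '[:upper:]' '[:lower:]')
        if printf '%s\n' "$name" | grep -Eq "$WALLET_NAME_PATTERN" &&
           [ -f "$app/Contents/_MASReceipt/receipt" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Build constructed sample bundles under $1 so the check can be tried offline.
make_sample_apps() {
    local root="$1"
    mkdir -p "$root/Ledger Live.app/Contents/_MASReceipt" \
             "$root/Notes.app/Contents/_MASReceipt" \
             "$root/Direct/Ledger Live.app/Contents/MacOS"
    : > "$root/Ledger Live.app/Contents/_MASReceipt/receipt"   # store copy
    : > "$root/Notes.app/Contents/_MASReceipt/receipt"         # store, not a wallet
}

# Scan the real application folders when they exist (macOS).
for dir in /Applications "$HOME/Applications"; do
    find_store_wallet_apps "$dir"
done
```

Any path this prints is a store-delivered app using a wallet name; by the vendor statement quoted above, treat it as fraudulent and do not open it.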
What's the safest way to back up my seed phrase if I can't store it digitally?
Write it on something durable, in a single place you physically control, and never type it into anything connected to the internet. The Stonebook is built specifically for this, on waterproof and tear-resistant stone paper, with pre-printed fields for 50+ wallet backups. Store it in a fire-rated safe for protection against environmental damage. Don’t fall back to screenshots, password managers, cloud documents, or email drafts as your only backup. Anything with a keyboard touching it is a future leak waiting to happen.
I've already typed my seed phrase into a computer at some point. Am I compromised?
Possibly. The safest assumption is yes. If your seed phrase has ever been typed into a connected device, copied to a clipboard, screenshotted, or saved in any digital form, you should generate a new wallet on your hardware device, transfer your funds to the new wallet, and treat the old seed phrase as burned. It is faster and cheaper to do this preemptively than to lose everything.