- A counterfeit Ledger app, the third in a year, has infiltrated the Microsoft App Store, leading to over $750,000 in crypto being stolen
- The scam deceived users into thinking they were getting the real Ledger Live interface and siphoned funds from their wallets
- Scammers acquired around 16.8 BTC ($588,000) and nearly $200,000 in other cryptocurrencies before the app was removed
Another fake Ledger app has seen over $750,000 stolen from victims, the third such occasion in a year. This incarnation of the counterfeit Ledger Live app appeared on the Microsoft App Store as “Ledger Live Web3,” understandably deceiving users into believing they were downloading the genuine Ledger Live interface. The scammers have managed to amass approximately 16.8 BTC ($588,000) as well as almost $200,000 in other coins, although the app has since been taken offline.
Over Half a Million in Bitcoin Stolen
The fraudulent activity was publicized by blockchain detective ZachXBT, who warned the community of the fake app on Sunday:
Community Alert: There is currently a fake @Ledger Live app on the official @Microsoft App Store which has resulted in 16.8+ BTC ($588K) stolen
Scammer address
bc1qg05gw43elzqxqnll8vs8x47ukkhudwyncxy64q
— ZachXBT (@zachxbt) November 5, 2023
Like the legitimate Ledger Live app, the fake would have connected a user’s Ledger device to the internet through the software, which is used to manage assets and add or remove wallets. Once the device was connected and the password entered, the hackers would have been able to send themselves coins from the wallets.
The app was added to the Microsoft App Store in late October; the first theft was a $5,000 Bitcoin transaction on October 24, followed by further transactions starting from November 2. The largest single theft was of 2.1 BTC taken on November 4, worth over $75,000. In addition, a further $180,000 in coins was stolen on the Ethereum and BNB Smart Chain (BSC) blockchains, bringing the total theft to around $767,000.
Clues Should Have Revealed the Truth
Microsoft removed the app on Sunday shortly after it had been reported, but the screenshots showed telltale signs that it was not a legitimate app: the developer was named ‘Official Dev’ rather than ‘Ledger’ or something similar, and the app had only one review. Given that Ledger is a massively popular crypto wallet maker, a genuine app would have had more than one review. It’s also worth noting that Ledger doesn’t even have a Microsoft App Store product.
It’s best practice when downloading a wallet app to follow links from the official website or social media account rather than finding them through an app store.