Fake Ledger Live app on Apple’s App Store stole $9.5M in crypto
A malicious Ledger Live app on the Mac App Store tricked users into entering their seed phrases, causing 50 victims to lose about $9.5 million in cryptocurrency. The attackers moved the funds through multiple wallet addresses and laundered them via KuCoin. Apple has removed the app, and KuCoin has frozen the related accounts.
2026-4-14 16:46:33 Author: www.bleepingcomputer.com


A malicious Ledger Live app for macOS available from Apple’s App Store has drained approximately $9.5 million in cryptocurrency from 50 victims in just a few days this month.

Users who downloaded the fake Ledger app were tricked into entering their seed/recovery phrases, thus giving attackers full access to their wallets and allowing them to send digital assets to external addresses under their control.

According to blockchain investigator ZachXBT, the attackers used several wallet addresses to receive funds across multiple chains, including Bitcoin, Ethereum, Tron, Solana, and Ripple.


The stolen amounts were then laundered through more than 150 deposit addresses on KuCoin, linked to a centralized mixing service called “AudiA6,” which launders crypto in exchange for high fees.

Malicious transactions
Source: ZachXBT

The investigator tracked three individual victims losing seven-figure amounts ($3.23 million, $2.08 million, and $1.95 million) between April 8 and April 11.

Musician G. Love stated on X that he also lost 5.9 BTC (currently $430k) after downloading the app. This loss was also traced and confirmed by ZachXBT.


According to a Reddit discussion, the fake app was submitted to the Apple App Store under the publisher name ‘Leva Heal Limited,’ an account not associated with the real Ledger development team.

The malicious actor also created a fake version history by releasing major new versions every few days, going from 1.0 to 5.0 within just two weeks.

Details of the fake Ledger app
Source: Reddit

Following multiple user reports, Apple has now removed the fake app from the App Store, but not before 50 users lost a total of $9.5 million.

BleepingComputer has reached out to Apple for a comment, but we have not received a response yet.

Meanwhile, KuCoin, which has been accused of violating anti-money laundering laws in the past and was even ordered to pay $300 million in penalties in the U.S. last year, announced that it has frozen the accounts involved in the latest scheme.

However, the platform noted that the freeze will only last until April 20. Beyond that date, the freeze can be extended via an official request from law enforcement authorities.

It is important to note that Ledger offers a Mac app on its website, but not in the Apple App Store, where only an iOS-compatible version is available.

Threat actors have attempted to exploit this availability gap in the past, even targeting the Microsoft Store in 2023 and stealing $768,000 worth of cryptocurrency.
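The listing traits described above (a publisher that is not the vendor, major versions inflated from 1.0 to 5.0 in two weeks, and an app appearing in a store where the vendor does not publish) can be checked mechanically by a brand-monitoring job. The following is an added example, not code from BleepingComputer, Ledger or Apple; the listing format, the `OFFICIAL` allowlist, the placeholder publisher name, the threshold and all release dates and version numbers are assumptions constructed for illustration.

```python
from datetime import date

# Assumption: defender-maintained map of where the vendor really publishes.
# Per the article, Ledger's Mac app comes from its website, not the Mac App Store.
OFFICIAL = {
    "Ledger Live": {
        "ios_app_store": {"OFFICIAL-PUBLISHER-PLACEHOLDER"},
        "mac_app_store": set(),  # vendor has no listing here
    },
}

def major(version):
    """Major component of a dotted version string, e.g. '5.0' -> 5."""
    return int(version.split(".")[0])

def triage_listing(listing, official=OFFICIAL, max_majors_per_30d=1.0):
    """Return the reasons a store listing looks like a brand impersonation."""
    reasons = []
    allowed = official.get(listing["brand"], {}).get(listing["store"])
    if allowed is not None:  # unknown brand/store: no publisher check possible
        if not allowed:
            reasons.append("vendor does not publish in this store")
        elif listing["publisher"] not in allowed:
            reasons.append("publisher is not the vendor's account")
    releases = sorted(listing["releases"], key=lambda r: r[0])
    if len(releases) >= 2:
        days = max((releases[-1][0] - releases[0][0]).days, 1)
        bumps = major(releases[-1][1]) - major(releases[0][1])
        if bumps * 30 / days > max_majors_per_30d:
            reasons.append(f"{bumps} major version bumps in {days} days")
    return reasons

# Constructed listing modelled on the article's description (dates are invented).
FAKE = {
    "brand": "Ledger Live", "store": "mac_app_store",
    "publisher": "Leva Heal Limited",
    "releases": [(date(2026, 3, 28), "1.0"), (date(2026, 4, 1), "2.0"),
                 (date(2026, 4, 4), "3.0"), (date(2026, 4, 8), "4.0"),
                 (date(2026, 4, 11), "5.0")],
}
# Constructed benign listing: vendor account, no major bump in two months.
GENUINE = {
    "brand": "Ledger Live", "store": "ios_app_store",
    "publisher": "OFFICIAL-PUBLISHER-PLACEHOLDER",
    "releases": [(date(2026, 2, 1), "3.50.0"), (date(2026, 4, 2), "3.52.1")],
}

if __name__ == "__main__":
    print(triage_listing(FAKE))
    print(triage_listing(GENUINE))
```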


Article source: https://www.bleepingcomputer.com/news/security/fake-ledger-live-app-on-apples-app-store-stole-95m-in-crypto/