
MacRumors

macrumors bot
Original poster


A fake Mac app designed to look like the real thing snuck past Apple's app review team, costing users $9.5 million in cryptocurrency.


According to CoinDesk, a fake macOS version of the Ledger Live crypto wallet app scammed people into handing over access to their cryptocurrency wallets. More than 50 people fell victim to the fake app between April 7 and April 13.

Ledger has an official Mac app, but it is distributed via the Ledger website and not through the Mac App Store. The real app does not ask users to enter their seed phrases like the fake app did, nor do other legitimate cryptocurrency apps. The stolen money was routed through the KuCoin crypto exchange, and hackers used a mixing service known as AudiA6, which charges high fees to launder cryptocurrency.

Three of the victims lost seven-figure sums, which is an unusually high amount of money to lose in a fake app scam. ZachXBT, who investigated the scam and shared the info on Telegram, suggested Apple could be subject to a class-action lawsuit in the future due to the amount of money lost.

Apple removed the fake Ledger Live app from the Mac App Store, but it was live for approximately two weeks. It is not known how it passed Apple's app review process, and Apple hasn't commented.

Article Link: Apple Removes Fake Crypto Wallet App That Stole $9.5 Million From Mac Users
 
Something not quite similar happened to me today and I never thought I was that kind of a person. My work laptop doesn't have an ad blocker and I thought I was opening the official Claude website from the first search result on Google and logged in with Google and was like wow a 70% deal for Pro and bought it, not realizing I wasn't actually subscribing to Claude 😭🫣 never would have happened to me on my private laptop WITH AN AD BLOCKER. Thankfully it was "only" 60 bucks.
 
Why is it that nobody is responsible for their own actions anymore? If an app asks for stuff it’s not supposed to, you should stop, not plow ahead.

Apple pretty clearly says that they handle all that:

The App Store is a trusted place where users can safely discover and download apps. On the App Store, apps come from identified developers who have agreed to follow Apple guidelines, and are securely distributed to users with cryptographic guarantees against modification. Every single app and each app update is reviewed to evaluate whether it meets requirements for privacy, security, and safety. This process, which is being constantly improved, is designed to protect users by keeping malware, cybercriminals, and scammers out of the App Store.

 
Three of the victims lost seven-figure sums, which is an unusually high amount of money to lose in a fake app scam. ZachXBT, who investigated the scam and shared the info on Telegram, suggested Apple could be subject to a class-action lawsuit in the future due to the amount of money lost.
They should be. Apple claims they review all apps for safety, security, and privacy. The fault of allowing yet another scam crypto app onto the Apple App Store lies with Apple.
 
I'd be a bit more careful with my cryptocurrency credentials than these folks were. Luckily I don't own any of it to begin with.
Downloading and trusting an app downloaded from the Mac App Store itself is, in my opinion, being careful. This is Apple’s fault.

I’m one of those that prefers to get my apps from the Mac App Store because of the mandatory sandboxing and the app reviewing process. But episodes like this hurt Apple’s reputation.
 
They should be. Apple claims they review all apps for safety, security, and privacy. The fault of allowing yet another scam crypto app onto the Apple App Store lies with Apple.
And then Apple can turn around and sue the "victims" for being dumb enough to enter their key phrases. If Apple was negligent then so were the victims for not knowing what they were doing.
 
While this isn't a good look, only large data sets, not isolated examples, can prove or disprove overall safety. Apple never claimed 100% safety, because no one can.
Apple doesn't explicitly say their App Store is 100% safe, but they do make the claim implicitly.


The App Store is a trusted place where users can safely discover and download apps. On the App Store, apps come from identified developers who have agreed to follow Apple guidelines, and are securely distributed to users with cryptographic guarantees against modification. Every single app and each app update is reviewed to evaluate whether it meets requirements for privacy, security, and safety. This process, which is being constantly improved, is designed to protect users by keeping malware, cybercriminals, and scammers out of the App Store.


How else are we to take it when Apple says "every single app" is "reviewed to evaluate" the app's "privacy, security, and safety," making the App Store "a trusted place"?
 
The care with which you handle your money, and the degree to which you self-custody, should always go up as you have more of it. Never share your keys or your seed phrase with anyone. Use cold storage wallets for any crypto you don't need to use in the near future. Spread it around so if one is compromised you won't lose everything. There are plenty of tools available to keep you safe, please use them.

Just because something came from Apple's app store doesn't mean it's safe - it's impossible for anyone to guarantee that. Treat every app, regardless of source, as suspect until proven safe to your own satisfaction.
 