How Musician Lost 5.92 BTC on Fake Ledger App

The fake Ledger app had the same branding and same interface as the real one, with even some seasoned crypto users unable to tell them apart.

Crypto commentator Scott Melker has said that a friend of his lost nearly $450,000 worth of Bitcoin after using a fake Ledger app from the Apple App Store.

According to him, musician Garrett Dutton, also known as G. Love, lost 5.92 BTC that he had been acquiring since 2017 as part of a long-term safety net.

G. Love Loses Nearly 6 BTC in a Scam App

Melker posted about the incident on social media, saying that the theft happened after Dutton unknowingly downloaded a fake wallet app, given that it was hard to tell it apart from the real thing because it had the same branding and the same familiar interface. Even Melker himself couldn’t tell the difference between the two after looking at them.

“For lack of a better word, this is f***ed up,” he wrote. “If you can’t confidently identify the official app inside a place that’s supposed to be curated and trusted, something is fundamentally broken.”

Dutton was prompted to enter his 24-word seed phrase once he’d installed the app, which then, according to Melker, captured it and allowed the criminals behind the scheme to recreate the wallet and steal the musician’s BTC.

However, on-chain investigator ZachXBT traced the stolen cryptocurrency, saying it had been laundered through KuCoin and deposited across nine different addresses.

The exchange then flagged the transactions, tasking its AML team to track the funds and temporarily freezing the accounts ZachXBT had identified for seven days.

Lessons Learnt From the Loss

Melker described the incident as being devastating but an important example that other people could learn from.

You may also like:

He explained that the first issue was downloading the app without verifying it through official sources, noting that people should make a habit of confirming crypto-related apps on company websites or verified channels.

Another important thing he emphasizes is seed phrases. In his opinion, a recovery phrase should only ever be entered directly into a hardware device or stored offline. This is because putting it on a phone, computer, app, or website creates the risk of someone else gaining access in case the environment is compromised.

Additionally, users should assume full responsibility at all times when using a self-custody wallet. This is because access is not protected by recovery systems under these circumstances.

Melker finished by saying that hardware wallets are mostly thought to be safe, but the environment in which they get used could make them less safe.

“If there’s anything to take from this, it’s to slow down and verify everything,” he said. “Treat every interaction with your keys like it’s irreversible – because it is.”

This isn’t the first time criminals have tried stealing crypto from Ledger users. Earlier in the year, a data breach at one of the wallet maker’s e-commerce partners, Global-e, exposed the information of customers, which attackers used to send phishing emails claiming a merger between Ledger and Trezor.