Key Highlights
- Philadelphia musician Garrett “G. Love” Dutton lost his entire 5.92 BTC retirement fund after downloading a fake Ledger Live app from Apple’s Mac App Store.
- On-chain investigator ZachXBT traced the stolen funds across nine transactions to KuCoin deposit addresses.
- ZachXBT also accused Apple of blocking urlscan.io from analyzing the fraudulent App Store listing.
On-chain investigator ZachXBT has openly accused Apple of suppressing independent scrutiny of fraudulent crypto apps on its Mac App Store, after Philadelphia musician Garrett Dutton — known to fans as G. Love of G. Love & Special Sauce — lost his entire 5.92 BTC retirement fund to a malicious Ledger Live clone downloaded directly from the official store.
The stolen Bitcoin, worth approximately $424,175 at the time of the theft, was drained almost instantly after Dutton entered his 24-word seed phrase into the fake app while migrating his hardware wallet to a new Apple computer on April 11, 2026.
In a follow-up post that has since drawn widespread attention across the crypto community, ZachXBT shared a screenshot from urlscan.io showing an HTTP 400 error with the message “Scan prevented… The owner of this infrastructure has requested us to prevent scanning for it.” His caption was blunt:
It seems Apple does not want people documenting the fact they allow fake apps on the App Store.
How the $424K Theft Happened
According to Dutton’s own account on X, the loss occurred during a routine setup. He had purchased a new Apple MacBook Neo and needed to reconfigure his Ledger hardware wallet on the new device. He searched the Mac App Store for “Ledger Live,” found a listing that appeared legitimate, downloaded it, and followed its prompts—which included a request to enter his 24-word recovery seed phrase.
That single action handed the attackers full, permanent control over every wallet derived from the seed. The Bitcoin, accumulated over a decade of work, was moved out within minutes. “I lost 5.9 BTC all I had for ten years I worked on this f#ck be careful out there,” Dutton wrote, tagging Apple directly and asking for recourse.
When some users on X questioned the plausibility of his story—pointing out that Ledger devices require physical confirmation for outgoing transactions—Dutton clarified that he had been socially engineered into typing the seed phrase voluntarily, which bypasses the hardware wallet’s protections entirely. “I been in the crypto circus since 2017. Today they caught me off guard,” he posted.
ZachXBT Traces the Funds to KuCoin
Within hours, ZachXBT had traced the stolen 5.92 BTC across nine separate transactions into deposit addresses associated with the centralized exchange KuCoin. He published the full list of transaction hashes, all of which remain publicly verifiable on any Bitcoin block explorer.
ZachXBT did not stop at the trace. Asked whether recovery was realistic, he expressed little optimism that KuCoin would intervene, citing what he described as the exchange’s selective compliance posture. He pointed specifically to KuCoin’s loss of its EU MiCA license in February 2026 — just three months after obtaining it from Austria’s financial regulator — and noted that the multiple deposit addresses suggested the use of an instant-exchange service that allows quick conversion and withdrawal without strong KYC checks.
The Apple Suppression Angle
The most striking development in the case is ZachXBT’s allegation that Apple is actively obstructing third-party analysis of the fraudulent listing. The block on urlscan.io, a free web infrastructure scanning tool widely used by security researchers, was triggered by the owner of the underlying infrastructure requesting an opt-out from scans.
For an investigator of ZachXBT’s stature to publicly call this out reframes the story from a single user’s misfortune into a question of platform accountability. Ledger has stated for years that it does not distribute Ledger Live through any consumer app store and that any app appearing under a name other than Ledger SAS is fraudulent. Yet impostor apps using homoglyph tricks and copycat icons continue to surface on both Apple’s and Microsoft’s stores—Microsoft acknowledged a near-identical scam in 2023 that drained nearly $600,000 from Ledger users.
As of publication, Apple has not issued a public response to the theft, Dutton’s appeal for help, or ZachXBT’s documentation-blocking claim.
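An added example (not part of the original article, and not Ledger's or Apple's tooling): a defender-side check that flags store listings whose display name imitates "Ledger Live" through homoglyphs or near-miss spelling while the publisher is not exactly "Ledger SAS". The confusables table and the sample listings are constructed for illustration; a production check would use the full Unicode confusables data.

```python
import unicodedata

BRAND, PUBLISHER = "Ledger Live", "Ledger SAS"  # names taken from the article

# Constructed, deliberately small table of look-alike characters
# (Cyrillic, Greek, digits). Assumption: real tooling loads the full UTS #39 data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0456": "i", "\u0501": "d", "\u0261": "g", "\u03bf": "o", "\u03b9": "i",
    "0": "o", "1": "l",
})

def skeleton(text):
    """Fold case, width, accents and known look-alikes; drop separators."""
    folded = unicodedata.normalize("NFKD", text).casefold()
    return "".join(c for c in folded.translate(CONFUSABLES) if c.isalnum())

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, publisher):
    """Label one store listing by how it relates to the protected brand."""
    s = skeleton(name)
    brand_word = skeleton(BRAND.split()[0])
    if brand_word not in s and edit_distance(s, skeleton(BRAND)) > 2:
        return "unrelated"
    if publisher == PUBLISHER:          # exact, byte-for-byte match only
        return "expected-publisher"
    if skeleton(publisher) == skeleton(PUBLISHER):
        return "flag: publisher-spoof"  # the publisher string itself is a look-alike
    return "flag: lookalike-name"

# Constructed sample listings: (display name, publisher)
SAMPLE_LISTINGS = [
    ("Ledger Live", "Ledger SAS"),
    ("L\u0435dger Live", "Constructed Dev Co"),   # Cyrillic 'е' in the name
    ("Ledger Live", "Ledg\u0435r SAS"),           # Cyrillic 'е' in the publisher
    ("Ledgr Live", "Constructed Dev Co"),         # near-miss spelling
    ("Podcast Player", "Constructed Studio"),
]

def audit(listings):
    """Return the listings that need review, with their label."""
    results = [(n, p, classify(n, p)) for n, p in listings]
    return [r for r in results if r[2].startswith("flag")]
```
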
A Pattern, Not an Isolated Incident
Cybersecurity firm Moonlock flagged a related pattern in 2025, documenting macOS malware specifically designed to replace legitimate Ledger Live installations and prompt users for their seed phrases. The attack vector remains depressingly simple: a user trusts a curated app store, installs what looks like the correct app, and types their recovery phrase when asked.
The broader numbers underline why this matters. The FBI reported that Americans lost more than $11 billion to crypto-related fraud in 2025, up from $9 billion the year prior—and seed-phrase phishing through impersonated wallet software remains one of the highest-yielding attack categories.
What Comes Next
Recovery of the stolen funds appears highly unlikely without coordinated law enforcement action involving KuCoin. Dutton has indicated he plans to move forward and has expressed gratitude for his health, family, and music career. No legal action against Apple has been announced.
What the incident has done, however, is force an uncomfortable conversation that the crypto industry has been having with itself for years — and that Big Tech has largely avoided. When users trust Apple’s vetting process and still suffer six-figure losses, and when independent investigators are blocked from documenting the failure, the question of platform accountability stops being theoretical.

















