On-chain investigator ZachXBT issued an alert about a fake Ledger Live app on the Microsoft Store. Since removed, this malware spoofing the real Ledger Live has resulted in $588,000 in cryptocurrency theft.
Microsoft Store removes fake Ledger Live app
This night, on-chain investigator ZachXBT, known for his work against malicious actors in the crypto ecosystem, reported that a fake Ledger Live app had been deployed on the Microsoft Store:
Community Alert: There is currently a fake @Ledger Live app on the official @Microsoft App Store which was resulted in 16.8+ BTC ($588K) stolen
Scammer address
bc1qg05gw43elzqxqnll8vs8x47ukkhudwyncxy64q pic.twitter.com/rOZ0ZWRWbn– ZachXBT (@zachxbt) November 5, 2023
Since the alert was published, this scam has been removed from the Microsoft Store, but unfortunately it turns out that several people had time to download the malicious application. As a result, $588,000 worth of cryptocurrency (just over 16.8 BTC) was stolen.
Ironically, the Ledger Live application allows users to navigate the Web3 ecosystem securely. However, it can only be downloaded from Ledger’s official website, regardless of the reputation of any other third-party site offering the software for download.
When you receive a hardware wallet from the brand, the contents of the box contain the address to which you can download Ledger Live. In case of doubt, the DefiLlama search engine we recently reported on can be used to navigate safely to the Ledger website.
While in cases of cryptocurrency theft, the human factor is often the main flaw, this fraud is yet another reminder of the vigilance required when it comes to interacting with crypto applications. Here, the developer identified as “Official Dev” rather than “Ledger” could, for example, provide a clue.
In a way, this scam is reminiscent of the technique used by some malicious actors to use Google Ads to push their phishing links to the top of search results.
