Members of the crypto community have lost $768,000 after downloading a fake Ledger Live app from the Microsoft app store.
In a flash alert on X (formerly Twitter), cryptocurrency analyst ZachXBT sounded the alarm that Microsoft’s app market was housing a rogue app designed to steal crypto.
“Community Alert,” the crypto detective wrote. “There is currently a fake @Ledger Live app on the official @Microsoft App Store which has resulted in 16.8+ BTC ($588K) stolen.”
ZachXBT followed up with an update hours later confirming that the app’s developer had made off with $768,000 before Microsoft finally learned of the scam and yanked the app from its digital marketplace.
The scammer had “amended” his own version of the open-source Ledger Live software before submitting it to the Microsoft Store. The app review team failed to notice some red flags, as some observers highlighted.
According to BleepingComputer, the fraudulent app had been in the store since Oct. 19. The cyber news site also shares a Reddit post by a person claiming to have lost their life’s savings – $18,500 in bitcoin and about $8,000 in altcoins – to this rogue app’s developer.
Microsoft, Apple and Google go to great lengths to try to ensure developers don’t submit malicious apps to their digital marketplaces, yet the sheer number of titles submitted every day can prevent 100% accuracy during app review. All three tech behemoths have had run-ins with rogue apps on their stores – especially the official app store for Android smartphones and tablets, Google Play.
Crypto aficionados would be smart to keep an eye out for red flags like one-star reviews, shady descriptions and company names, blatant copies of graphics shared with other apps, the lack of a support page, aggressive app permission requests, and so on.
Ledger, the official developer of the Ledger Live app, recommends users verify the authenticity of their binary installation file by comparing its hash value to the one Ledger lists. For the time being, the safest place to download the official Ledger Live app is from the developer itself.
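The hash comparison Ledger recommends can be scripted so that a missing or mismatched entry is never mistaken for a pass. The following is an added example, not code from Ledger or from the original article; it assumes SHA-512 and a checksum list in `<hex digest>  <file name>` form, and the file names and bytes in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha512"):
    """Hash the file in 1 MiB chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_list(text):
    """Parse '<hex digest>  <file name>' lines (assumed format) into a dict."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            # A leading '*' on the name marks binary mode in sha512sum output.
            entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries

def verify_installer(path, checksum_text, algorithm="sha512"):
    """Return 'match', 'mismatch' or 'not-listed' for the file at path."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"  # an installer absent from the list is not verified
    actual = file_digest(path, algorithm)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample: a stand-in installer and a checksum list for it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wallet-setup.exe")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed installer bytes")
        published = f"{file_digest(path)}  wallet-setup.exe\n"
        results = [verify_installer(path, published)]
        with open(path, "ab") as fh:  # one extra byte stands in for a modified build
            fh.write(b"\x00")
        results.append(verify_installer(path, published))
        results.append(verify_installer(os.path.join(tmp, "other.exe"), published))
        return results

if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the source of the checksum list, so the published hash should be taken from the developer's own site rather than from the same place the installer came from.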