The cryptocurrency community recently faced a serious security breach involving a counterfeit Ledger Live application on the Microsoft App Store. This incident, which led to the theft of over $768,000 in cryptocurrency, serves as a stark reminder of the vulnerabilities in digital asset security and the importance of vigilance among users.
Execution of the Fraud
- Presence in Microsoft Store: A fraudulent app called “Ledger Live Web3” has been present in the Microsoft Store since October 19th. The theft was reported a few days later, indicating a brief but impactful vulnerability.
- Ignored red flags: Despite several red flags, including a lack of legitimate reviews (only one 5-star rating) and the developer’s name listed as “Official Developer,” the app deceived users. The description is almost completely copied from a legitimate app on the Apple Store.
- Victim’s Experience: Multiple victims have reported significant losses, with one Reddit user suffering a total of $26,500 in personal losses shortly after entering his seed phrase into the fake app.
Response and Aftermath
- Microsoft’s actions: Microsoft removed the app the same day the fraud was discovered, but not before the scammers had transferred more than $768,000 from victims.
- Investigation and review process: Microsoft is reportedly working to quickly identify and remove malicious content. However, this incident raises questions about the effectiveness of the app review process.
Lessons Learned and Recommendations
- User Boundaries: Due to this incident, users should be very careful when entering sensitive information, especially recovery phrases. Genuine apps from companies like Ledger or Trezor do not ask users to enter a recovery phrase on their computer or phone.
- Authenticity check: Users should check the authenticity of an app by checking official sources and paying attention to inconsistencies in the app description, developer name, and user reviews.
Unfolding of the Fraud
Hackers sneaked a fake Ledger Live app into the Microsoft App Store, tricking users into believing it was a legitimate application from Ledger, a popular cryptocurrency hardware wallet manufacturer. These counterfeit apps are designed to look and function similar to the real Ledger Live app, making it difficult for users to distinguish between the fake and the real one.
People who were tricked into downloading a counterfeit version of the app inadvertently installed malware that could steal their cryptocurrency. The malware targeted users using Ledger hardware wallets with the intent of stealing digital assets and worked by capturing the users’ recovery phrases.
The creators of the fake apps were quite deceptive, meticulously mimicking the look and functionality of the genuine app, right down to the logo and branding. They even went as far as faking the Ledger device PIN verification process. The striking similarities between genuine and counterfeit apps have made it quite difficult for users to distinguish between real and fake apps.
Financial implications and transaction details
The consequences of this fraud were serious. According to on-chain analyst ZachXBT, attackers stole over 16.8 Bitcoin. The value of the BTC is approximately $588,000 and the value of the ETH is $180,000, resulting in a total loss of over $768,000. These thefts highlight not only the financial risks involved but also the sophistication of the methods used by cybercriminals in the cryptocurrency world.
Detailed fraud mechanics
- Financial Loss: Approximately $600,000 in Bitcoin was stolen by a fake Ledger Live app identified as “Ledger Live Web3.” The scammer received approximately 16.8 BTC (equivalent to approximately $588,000) through 38 transactions.
- Detailed transaction details: The first transaction to the scammer’s wallet occurred on October 24, and the wallet was inactive prior to that date. The largest transfer was $81,200 on November 4th. Approximately $115,200 was taken out of the scammer’s wallet, leaving approximately $473,800, or 13.5 BTC.
- Search and remove apps: The fraudulent app was first discovered on November 5 and appeared on the Microsoft Store as early as October 19. Microsoft has since removed the app and is working to prevent similar incidents.
ZachXBT’s contributions and findings
- Initial findings and warnings: ZachXBT has played a key role in raising awareness of counterfeit Ledger Live app scams. He warned the cryptocurrency community about the fake Ledger Live app on the Microsoft Store, which has led to significant Bitcoin theft.
- Theft details: According to ZachXBT, 16.8 Bitcoins worth approximately $588,000 were stolen due to the fake app. He highlighted the scale of the theft and the sophistication of the fraud.
- Additional Victims and Losses: In addition to the initial Bitcoin theft, ZachXBT also reported another victim, whose ETH/BSC address lost $180,000 due to the fake Ledger application. This brought the total estimated loss to over $768,000.
- Criticism of the app review process: ZachXBT raised concerns about the app review process on major platforms like the Microsoft App Store. He questioned how these fraudulent apps are able to bypass normal security checks, suggesting that these processes may not be as diligent as they should be.
- Responses to community questions: In response to community questions about how these scams can occur, ZachXBT pointed out that app companies may not be vetting their apps thoroughly enough, allowing such fraudulent activity to slip through.
- Historical context: ZachXBT also pointed out that this is not an isolated incident. He noted that similar scams have occurred before, including a fake app imitating Trezor, another hardware wallet manufacturer, that appeared on the Apple App Store.
- Advocacy for Accountability: ZachXBT argued that Microsoft should be held accountable for allowing fake Ledger Live apps to appear in the app store, emphasizing the need for a more rigorous app review process to prevent such scams.
- Direct communication with the victim: ZachXBT received messages from several victims who lost their cryptocurrency after installing the fake app, further highlighting the real-life impact of the scam.
ZachXBT’s analysis and reporting were invaluable in uncovering the details of the counterfeit Ledger Live app scam. His findings not only highlighted the financial losses suffered by victims, but also raised important questions about the app store’s security measures and review processes. This incident, uncovered by ZachXBT, serves as a stark reminder of the risks associated with digital asset management and the importance of vigilance in the cryptocurrency community.
Responses and similar previous examples
As soon as Microsoft discovered the fraudulent app, it immediately removed it from the store. However, the incident has raised questions about the effectiveness of app review processes at major platforms such as Microsoft, Apple, and Google. These tech giants have faced similar problems in the past, where malicious applications disguised as legitimate software made it through their review process.
In March 2021, a devastating event occurred for one individual: a counterfeit Trezor application found on the Apple App Store resulted in the loss of his entire Bitcoin savings. The criminal got away with 17.1 Bitcoin. In a statement to the Washington Post, the victim expressed more anger toward Apple than toward the actual robber.
“In the limited cases where criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future,” Apple said at the time.
App stores from Microsoft, Apple, and Google have unintentionally allowed numerous fraudulent apps to masquerade as legitimate software. These applications are often designed to phish users for their seed or login information with the intention of stealing their funds. Vigilance is key when checking the legitimacy of an app. This includes scrutinizing typos, mismatched icons or descriptions, and developer contact information.
Microsoft Roles and Responsibilities
- Responsibility: The presence of fake apps in the Microsoft Store has raised questions about Microsoft’s responsibility for vetting applications. ZachXBT, the on-chain analyst who confirmed the scam, suggested that Microsoft should be held responsible for allowing fake apps on its platform.
- Previous incident: This isn’t the first time fake Ledger Live apps have appeared in the Microsoft App Store. Ledger’s support account had previously alerted users to similar counterfeit apps in December and March.
User vigilance is key
This event highlights the critical need for users to remain vigilant when downloading and using applications related to cryptocurrency management. Users should closely examine apps for red flags such as typos, mismatched icons, and suspicious developer contact details. It is also important to download apps only from verified sources and not from third-party stores.
Ledger’s Response and Recommendations
Ledger’s support team took immediate action to alert the community about the counterfeit application. They emphasized that Ledger will never ask users for a 24-word recovery phrase and advised downloading Ledger Live only from the official website.
Ledger: ‘We certainly report this, but only Microsoft can pull this back and work on their side’
Ledger also recommends that users check the authenticity of the binary installation file by comparing its hash value to the value listed on the website.
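The hash comparison Ledger recommends can be scripted so that it fails closed. The following is an added example, not Ledger's code: the file names and sample bytes are constructed, and the choice between SHA-256 and SHA-512 is an assumption inferred from the length of the published value.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. Which algorithm the vendor publishes is an
# assumption here; confirm it on the vendor's official download page.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, published_hex):
    """Return True only if the file's digest equals the published value."""
    # Tolerate copy/paste artifacts: spaces, line breaks, upper-case hex.
    expected = "".join(published_hex.split()).lower()
    algo = ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published value is not a SHA-256/SHA-512 hex digest")
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed sample: a stand-in installer and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.bin")
        bad = os.path.join(d, "installer-tampered.bin")
        payload = b"constructed installer bytes " * 1000
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"\x00")  # a single extra byte changes the hash
        published = hashlib.sha512(payload).hexdigest().upper()
        return verify_installer(good, published), verify_installer(bad, published)


if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the place the published value was copied from, so take it from the vendor's official website and not from the store listing or a search result.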
Lesson
This incident serves as a warning to the cryptocurrency community. This highlights the need for enhanced security measures and user training to combat evolving cybercriminal tactics. Users should exercise extreme caution, especially when handling applications that handle sensitive financial information.
Conclusion
The counterfeit Ledger Live app scam is a reminder of the ongoing battle against cyber threats in the cryptocurrency world. As the industry continues to grow, attacks are becoming more sophisticated. It is important for both users and companies to stay ahead of these threats through vigilance, education, and strong security practices. This incident serves as a stark reminder of the ongoing threats to the digital asset space and the need for continued vigilance and education to protect against these sophisticated frauds.