Musician G. Love loses about 5.9 BTC in Ledger Live impersonation scam after downloading counterfeit Mac App Store app (April 11, 2026)

Philadelphia-based singer-songwriter Garrett Dutton, known professionally as G. Love of G. Love & Special Sauce, said he suffered a major financial loss after a cryptocurrency wallet transfer went wrong. On April 11, 2026, Dutton reported that he lost approximately 5.9 BTC—valued at more than $420,000 at the time—from his retirement savings.

Dutton said the incident occurred while he was moving his Ledger hardware wallet setup to a new computer. He described downloading what appeared to be the official Ledger Live application from Apple’s Mac App Store, but said the software was counterfeit and designed to harvest sensitive information.

“I had a really tough day today I lost my retirement fund in a hack/Scam when I switched my Ledger over to my new computer and by accident downloaded a malicious ledger app from the Apple store. All my BTC gone in an instant.” — G. Love (April 11, 2026)

How the theft allegedly happened

Dutton said the fraudulent app prompted him to enter his 24-word recovery seed phrase. He described the loss as immediate and irreversible, stating that the entire balance of his decade-old Bitcoin holdings disappeared after the phrase was entered into the counterfeit software.

He shared a transaction hash of the theft and later posted a Bitcoin address, asking for community support to help rebuild his savings.

On-chain tracing and fund movement

Blockchain investigator ZachXBT reportedly traced the stolen funds, confirming that roughly 5.92 BTC was moved through multiple transactions and deposited into KuCoin addresses, a flow described as consistent with laundering activity.

Broader pattern of fake wallet apps

The episode underscores a recurring vulnerability in cryptocurrency ecosystems: malicious applications that closely mimic legitimate wallet software. Ledger users have faced similar deceptions before.

In May 2025, cybersecurity researchers at Moonlock Lab documented active campaigns distributing fake Ledger Live clones targeting macOS users. According to the report, the imposters replaced the genuine app, displayed fabricated “critical error” alerts, and urged victims to input their full recovery phrase under the guise of account recovery or security verification. Once submitted, the seed phrase was sent to attacker-controlled servers, enabling rapid wallet drainage—described as the method reportedly used in Dutton’s case.

Ledger-related incidents and security warnings

Ledger’s security history has included other events that have contributed to similar attack pathways. In 2020, a data breach exposed names, email addresses, phone numbers, and physical details of over one million users. The leak was followed by years of phishing activity, including fake firmware updates, email alerts, and physical letters mailed to victims urging them to “verify” their seeds via QR codes that led to counterfeit apps.

By 2025, scammers also escalated to impersonating Ledger support through cloned websites and app-store listings, often leveraging the same leaked database.

Ledger documentation repeatedly warns that the company will never request the 24-word recovery phrase through any app, email, or website. However, the tactics continue to succeed, particularly when users are performing routine actions such as device migration or software updates.

Context and practical takeaways

Some online skeptics questioned aspects of Dutton’s account, including Apple’s review process and the need for physical confirmation on hardware wallets. Still, the article notes that on-chain evidence and independent reporting have substantiated the reported loss.

The case is presented as a reminder for crypto holders to verify app publishers, download software only from official sources, and never enter a seed phrase on any internet-connected device or third-party application. It also emphasizes that hardware wallets are only as secure as the user’s handling of the recovery phrase.