The app was swiftly taken down, but critics say Microsoft is partially responsible for the theft for not spotting the scam earlier. Separately, compromised credentials from a LastPass breach last year have led to $39 million in crypto assets vanishing over the past year.
Microsoft App Store users were targeted by a fake app named 'Ledger Live Web3', leading to over half a million dollars in losses. The app was designed to mimic the legitimate Ledger Live software and helped scammers steal almost $770,000 worth of crypto.
The scam came to light when cryptocurrency analyst ZachXBT reported that 16.8 Bitcoin, amounting to roughly $588,000, had been stolen by a scammer via 38 transactions to a specific wallet address. The transactions were traced back to the fake app, which was listed on Microsoft's store as early as October 19 masquerading as an official product provided by Ledger. The French company specializes in hardware wallets for cryptocurrency.
Notably, the scammer's wallet received its first transaction on October 24, 2023, but since then, the majority of the theft has occurred since November 2, with a peak transaction of $81,200 recorded on November 4. Adding insult to injury, the thief also made an additional $180,000 in tokens stolen from Ethereum and BNB Smart Chain, bringing the total plunder to around $770,000.
Microsoft swiftly removed the sham application after it came to light. The firm confirmed that it was working to detect and remove all malicious content.
App Stores are partly responsible
This incident raises questions about the diligence of application screening on popular app stores. Ledger had previously cautioned its customers against downloading fake apps. In a message published in late 2022, Ledger advised:
"Beware of fake Ledger Live applications published on the Microsoft Store. The only safe place to download Ledger Live is on our website. Ledger will NEVER ask you for your 24-word recovery phrase."
Users must download the companion application to use the company's crypto wallets. A rogue app can mislead users into unwittingly diverting their funds to a fraudulent address while believing they are placing their assets in a secure place.
Critics like ZachXBT argue that Microsoft bears responsibility for allowing such scams to proliferate, potentially eroding trust in the safety of app marketplaces. The number of scams, rug-pulls, and deceptive apps has skyrocketed as the DeFi sector continues to grow. These apps can often, and quite easily it seems, slip through the cracks of app store security measures. This is not an isolated issue for Microsoft; other platforms have faced similar predicaments with counterfeit or malicious applications.
LastPass Fiasco Leads to Almost $40 Million Loss
Crypto scams have become more sophisticated of late, sometimes catching out even the most cautious investors. Blockchain investigators uncovered another incident last month. They determined that various ongoing cyber thefts are probably due to compromised wallet credentials and recovery phrases stemming from last year's breach of the password management provider LastPass.
Crypto assets valued at around $39 million have reportedly been stolen thus far. In October, ZachXBT revealed that around $4.4 million in cryptocurrencies had been stolen from over 25 investors in connection to the LastPass issue.
High-profile breaches, such as the LastPass leak, highlight the potential vulnerabilities in the current digital asset management ecosystem. The fake Ledger app shows that these can also target owners of 'supposedly more secure' hardware wallets.