
The lead singer of an American “sloppy” rock band just had his retirement fund wiped out after downloading a malicious ledger from Apple’s App Store.
Garrett Dunton, the lead singer of G Love and Special Sauce, took to X on Saturday to detail the tragic events that led to attackers hijacking his entire retirement savings.
“I had a tough day today, I lost my retirement fund in a hack/scam,” Dunton said.
After buying the new Apple Neo laptop, Dunton wanted to transfer his ledger over to the device.
In the meantime, he downloaded a new ledger, the software that tracks cryptocurrency transactions, from Apple’s App Store.
But what Dunton didn’t know was that the app he had downloaded was malicious, and upon entering his 24-word seed phrase, his account was wiped out.
“All my Bitcoin (BTC) was gone in an instant.”
Dunton had just under 6 BTC swiped from his account, which is roughly equivalent to $447,000 USD at the time of writing.
“I lost 5.9 BTC, all I had for ten years. I worked on this f**k be careful out there,” Dunton warned.
The app Dunton used was likely a spoof of a popular ledger app. Bad actors tend to create apps that impersonate well-known banks or, in this case, cryptocurrency platforms, to trick users into handing over their credentials.
Bad actors may have also used malware to automatically wipe out Dunton’s account, as he did say that his Bitcoin was “gone in an instant.”
The hack only involved his Bitcoin and nothing else, Dunton said.
App stores such as Apple’s App Store and Google’s Play Store have long contended with malicious apps bypassing human and automated reviews alongside other security measures.
The tech giant claims that it “provides layers of protection” to ensure that apps published are “free of known malware and haven’t been tampered with.”
However, it's known that Apple and other tech giants let a number of malicious apps slip through the net.
While Apple rejected 139,000 fraudulent developer enrollments, reviewed 7.7 million App Store submissions, and rejected 320,000 copycat apps, Dunton is an example of how easy it is to place full trust in an imperfect system.
Cybernews’s senior information security researcher, Aras Nazarovas, explained that while publishing malicious apps on the App Store is difficult, it’s not impossible.
“Trying to upload a blatantly malicious app into the App Store would prove more difficult, as Apple uses heuristic (based on app behavior) scans for each app uploaded to the App Store,” Nazarovas said.
However, this “doesn’t mean it's impossible… with enough obfuscation and tricks to hide malicious behavior.”
Yet, this would require more sophisticated methods and more resources.