
Fake Ledger App and Obsidian Malware Drain Millions from Crypto Wallets

Apple App Store breach and PHANTOMPULSE trojan highlight escalating threats to digital asset self-custody.

May 3, 2026, 01:00 PM · 1,116 words · 13 sources

Photo: Pixabay / Openclay

The Anatomy of a Multi-Million Dollar Deception

The crypto sector is currently battling a combination of sophisticated social engineering and weaknesses in established distribution platforms. Attackers are merging psychological manipulation with technical flaws to route around the perimeters users assume protect them. In a staggering breach of trust, a counterfeit version of the Ledger Live application passed Apple’s App Store review process, leading to the theft of approximately $9.5 million from over 50 victims in a single week [5][6]. The incident, which ran from April 7 to April 13, 2026, exposes a critical gap between the perceived and actual security of official app distribution channels and underscores the evolving tactics of cybercriminals who are now weaponizing legitimate productivity tools such as Obsidian to deploy stealthy malware [3][4]. As the industry grapples with these immediate threats, a new Bitcoin proposal, BIP-361, seeks to address the long-term risk of quantum computing, potentially forcing a controversial choice between network security and individual property rights [1].

The Apple App Store Breach: How $9.5 Million Vanished

For many investors, the Apple App Store represents a "walled garden" of verified, safe software. However, a malicious actor operating under the name "SAS Software Company" exploited this trust by listing a fake Ledger Live app [5]. The application used a "bait-and-switch" strategy, obtaining approval through legitimate means before altering its metadata to mimic the official self-custody wallet [5].

  • Victim Impact: More than 50 investors fell for the scam, with losses concentrated among high-net-worth individuals [5][9]. One victim lost $3.23 million in USDT, while another lost $2 million in USDC [5].
  • High-Profile Targets: Philadelphia musician Garrett Dutton (G. Love) reported losing 5.92 BTC—valued at approximately $420,000—after downloading the fake app while setting up a new computer [6][7].
  • The Mechanism: The fake app prompted users to enter their 24-word recovery seed phrase under the guise of "wallet restoration" [8]. Once entered, the attackers gained full control of the funds: the seed phrase deterministically derives every private key in the wallet, so whoever holds it controls the coins without ever touching the hardware device [12].
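
The point about the seed phrase being the master secret can be shown directly. The block below is an added example (not code from the article, from Ledger, or from Apple) that reproduces the public BIP39 and BIP32 derivation steps with only the Python standard library: a phishing page that receives the 24 words can run exactly this, and no hardware is involved at any step. The mnemonic used is the published BIP39 test vector, not a real wallet; the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata

# Added example (not code from the article, Ledger, or Apple). It reproduces the
# public BIP39 and BIP32 derivation steps using only the standard library, to
# show that the words themselves are the master secret: no device is involved.

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.

    The optional passphrase (the '25th word') is the only input a seed-phrase
    thief does not automatically have; without it the seed is fully determined.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the string 'Bitcoin seed'.

    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every account, change and receive key in the wallet descends from these.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:  # BIP32 says reject (negligible probability)
        raise ValueError("invalid master key, seed must be rejected")
    return key, digest[32:]


# Published BIP39 test vector (all-zero entropy); constructed input, not a real wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def recover_wallet_from_phrase(mnemonic: str, passphrase: str = "") -> dict:
    """What a phishing page can compute the moment the phrase is submitted."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    priv, chain = seed_to_master_key(seed)
    return {"seed": seed.hex(), "master_priv": f"{priv:064x}", "chain_code": chain.hex()}


if __name__ == "__main__":
    for pp in ("", "TREZOR"):
        label = pp or "(no passphrase)"
        print(label, recover_wallet_from_phrase(TEST_MNEMONIC, pp)["seed"][:32], "...")
```

The design point for a holder: the derivation is public and deterministic, so a "restore" form is simply a request for the master secret. The only thing the thief does not get for free is a BIP39 passphrase, which is why a different passphrase yields an entirely different seed and key tree in the output above.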

On-chain investigator ZachXBT traced the stolen assets through more than 150 KuCoin deposit addresses and into a centralized mixing service known as AudiA6 [6][7]. While Apple eventually removed the app on April 13, the delay has prompted discussions regarding potential class-action lawsuits against the tech giant for platform liability [6][8].

PHANTOMPULSE: Weaponizing Obsidian Plugins

Beyond fake apps, a new campaign is targeting financial professionals through the popular note-taking app Obsidian. Attackers are using elaborate social engineering on LinkedIn and Telegram, posing as venture capital representatives to build rapport with targets in the digital asset space [2][3].

Once trust is established, victims are invited to a shared "company database" hosted on a cloud-based Obsidian vault [3]. Upon opening the vault, victims are instructed to enable community plugin synchronization. This action triggers the silent execution of a previously undocumented remote access trojan (RAT) dubbed PHANTOMPULSE [3][4].
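
The step that matters in that chain is enabling community plugins, because on desktop an Obsidian plugin's main.js runs with Node.js access and can shell out. The block below is an added example, not code from the article, from Obsidian, or from Elastic Security Labs: an audit that walks a vault's plugin folder, pins each enabled plugin's hash and flags capabilities a loader needs. It assumes Obsidian's documented on-disk layout (.obsidian/community-plugins.json listing enabled plugin ids, .obsidian/plugins/<id>/manifest.json and main.js). The indicator regexes are generic, not signatures for PHANTOMPULSE, whose code the article does not show, and the sample vault is constructed inline.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Added example, not code from the article, Obsidian, or Elastic Security Labs.
# Assumes Obsidian's documented vault layout: <vault>/.obsidian/community-plugins.json
# is a JSON list of enabled plugin ids, and each plugin lives under
# <vault>/.obsidian/plugins/<id>/ with manifest.json and main.js. The indicators are
# generic capabilities (desktop plugins run with Node.js access, so child_process and
# dynamic code evaluation are what a RAT loader needs), not PHANTOMPULSE signatures.

INDICATORS = {
    "child_process": re.compile(r"child_process|\b(?:exec|execSync|spawn|spawnSync)\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "raw_binary_load": re.compile(r"process\.dlopen|\.node['\"]"),
}


def audit_vault(vault: Path, allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Return one finding per enabled community plugin in the vault."""
    cfg = vault / ".obsidian"
    enabled_file = cfg / "community-plugins.json"
    enabled = json.loads(enabled_file.read_text()) if enabled_file.exists() else []
    findings = []
    for plugin_id in enabled:
        pdir = cfg / "plugins" / plugin_id
        finding = {"id": plugin_id, "allowlisted": plugin_id in allowlist,
                   "sha256": None, "indicators": []}
        if not (pdir / "manifest.json").exists():
            finding["indicators"].append("missing_manifest")
        main_js = pdir / "main.js"
        if main_js.exists():
            code = main_js.read_bytes()
            finding["sha256"] = hashlib.sha256(code).hexdigest()  # pin for later diffing
            text = code.decode("utf-8", errors="replace")
            finding["indicators"] += [n for n, rx in INDICATORS.items() if rx.search(text)]
        else:
            finding["indicators"].append("missing_main_js")
        findings.append(finding)
    return findings


def _write_plugin(cfg: Path, plugin_id: str, code: str) -> None:
    pdir = cfg / "plugins" / plugin_id
    pdir.mkdir(parents=True)
    (pdir / "manifest.json").write_text(json.dumps({"id": plugin_id, "version": "1.0.0"}))
    (pdir / "main.js").write_text(code)


def build_sample_vault(root: Path) -> Path:
    """Constructed sample vault: one harmless plugin and one that shells out on load."""
    cfg = root / "vault" / ".obsidian"
    cfg.mkdir(parents=True)
    _write_plugin(cfg, "good-notes",
                  "module.exports = class extends require('obsidian').Plugin {};")
    _write_plugin(cfg, "company-sync",
                  "const {execSync}=require('child_process');"
                  "module.exports=class extends require('obsidian').Plugin{"
                  "onload(){execSync(Buffer.from('ZWNobyBoaQ==','base64').toString())}};")
    (cfg / "community-plugins.json").write_text(json.dumps(["good-notes", "company-sync"]))
    return root / "vault"


def run_demo() -> dict:
    """Audit the constructed vault with only 'good-notes' allowlisted; keyed by plugin id."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(Path(tmp))
        return {f["id"]: f for f in audit_vault(vault, frozenset({"good-notes"}))}


if __name__ == "__main__":
    for pid, f in run_demo().items():
        status = "OK" if f["allowlisted"] and not f["indicators"] else "REVIEW"
        print(f"{status:6} {pid:14} {f['indicators']}")
```

Run it against a real vault by calling audit_vault(Path("~/vault").expanduser(), allowlist) and treat any non-allowlisted plugin, any indicator hit, or a sha256 that changed since the last run as a reason to disable community plugins before reopening the vault. A synced vault can receive a new or modified plugin without the user installing anything, which is the property the campaign above abuses.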

According to reports from Elastic Security Labs, PHANTOMPULSE is designed for extreme stealth and resilience:

  • Multi-Platform: The malware operates on both Windows and macOS, using AES-256 encryption and reflective loading to evade detection [2].
  • Decentralized C2: The trojan uses a command-and-control (C2) mechanism that spans three different blockchain networks [3]. By reading its instructions from on-chain transaction data, the malware has no central server for defenders to seize or sinkhole, and the instructions themselves cannot be taken down [3][4]. What remains is the implant's own network activity: it still has to reach a node or public RPC endpoint to read the chain, which is where egress monitoring can focus.
  • Financial Toll: This campaign contributes to a rising tide of wallet compromises, which accounted for over $713 million in stolen funds during 2025 [2][3].

Internal Threats and Extortion at Kraken

While external malware is a significant concern, internal vulnerabilities remain a persistent risk. Kraken, the second-largest crypto exchange in the U.S., recently revealed it is facing extortion demands from a criminal group [10]. The group claims to have videos showing access to Kraken’s internal support systems [11].

Kraken’s Chief Security Officer, Nick Percoco, stated that the exchange identified two instances of inappropriate access to limited client support data involving a member of the support team [10]. While the breach affected approximately 2,000 accounts (0.02% of the user base), Kraken has vowed not to pay the ransom, asserting that core trading infrastructure and client funds remain secure [11]. This incident highlights a trend of "internal infiltration + social engineering," where attackers recruit or compromise insiders to gain reconnaissance data for future phishing attacks [11].

The Quantum Threat: BIP-361 and the "Freeze" Controversy

As immediate scams proliferate, developers are also looking toward a future "Q-Day": the moment a quantum computer becomes powerful enough to break the elliptic-curve signatures (ECDSA and Schnorr over secp256k1) that currently protect Bitcoin. A new proposal, BIP-361 (Post Quantum Migration and Legacy Signature Sunset), co-authored by Jameson Lopp, suggests a radical defense: freezing Bitcoin that fails to migrate to quantum-resistant addresses [1].

The proposal outlines a three-phase timeline:

  1. Phase 1: Blocking inflows to vulnerable addresses roughly three years after activation [1].
  2. Phase 2: Freezing all legacy coins two years later [1].
  3. Phase 3: Providing a recovery path via zero-knowledge proofs for those who miss the deadline [1].

Currently, over 34% of all Bitcoin sits in outputs whose public key is already visible on-chain, making those funds vulnerable to quantum theft [1]. Exposure is what matters: Shor's algorithm recovers a private key from its public key, whereas coins held behind only a hash of the key stay safe until the moment they are spent and the key appears in the spending transaction. However, the proposal is highly controversial. Frederic Fosco of OP_NET argued that a protocol-enforced freeze is "confiscation, full stop," suggesting it undermines the "not your keys, not your coins" ethos [1]. Conversely, proponents argue that without such measures, the first entity with a quantum computer could loot the network, causing a total price collapse [1].
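
The "exposed public key" figure depends on the output script type, and the rule is mechanical. The block below is an added example, not code from the article or from BIP-361: it classifies standard Bitcoin output scripts by whether the spending key is already on-chain (raw P2PK outputs, Taproot outputs, and any hash-based output whose address was spent from before) or whether only a hash is visible, and tallies the share of value at risk. Sample outputs are constructed with dummy keys and hashes; no real UTXO data is used.

```python
# Added example, not code from the article or from BIP-361. It classifies standard
# Bitcoin output scripts by whether the public key needed to spend them is already
# visible on-chain (and so would be recoverable with Shor's algorithm) or only a
# hash of it is. Sample outputs below are constructed, not real chain data.

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


def classify_script_pubkey(spk_hex: str, spent_from_before: bool = False) -> dict:
    """Return the script type and whether its spending key is already public."""
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        kind, exposed = "p2pk", True          # raw 33/65-byte key in the script (early coinbases)
    elif (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
          and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        kind, exposed = "p2pkh", False        # only HASH160(pubkey) until it is spent
    elif n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        kind, exposed = "p2sh", False         # hash of redeem script
    elif n == 22 and spk[:2] == bytes([OP_0, 20]):
        kind, exposed = "p2wpkh", False       # segwit v0 key hash
    elif n == 34 and spk[:2] == bytes([OP_0, 32]):
        kind, exposed = "p2wsh", False        # segwit v0 script hash
    elif n == 34 and spk[:2] == bytes([OP_1, 32]):
        kind, exposed = "p2tr", True          # x-only output key sits in the script itself
    else:
        return {"type": "nonstandard", "pubkey_exposed": None}
    # Address reuse: an earlier spend put the key (or the redeem/witness script
    # containing the keys) into a scriptSig or witness, so the hash no longer hides it.
    if not exposed and spent_from_before:
        exposed = True
    return {"type": kind, "pubkey_exposed": exposed}


def exposed_value_share(utxos: list[tuple[str, int, bool]]) -> float:
    """Fraction of total value whose spending key is already public (the metric behind the 34% figure)."""
    total = sum(v for _, v, _ in utxos)
    at_risk = sum(v for spk, v, reused in utxos
                  if classify_script_pubkey(spk, reused)["pubkey_exposed"])
    return at_risk / total if total else 0.0


# Constructed sample set: (scriptPubKey hex, value in satoshi, address spent from before?)
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 50_0000_0000, False),  # P2PK: key exposed
    ("76a914" + "11" * 20 + "88ac", 30_0000_0000, False),    # fresh P2PKH: hash only
    ("76a914" + "22" * 20 + "88ac", 20_0000_0000, True),     # reused P2PKH: key revealed earlier
    ("0014" + "33" * 20, 25_0000_0000, False),               # P2WPKH: hash only
    ("5120" + "44" * 32, 25_0000_0000, False),               # P2TR: key exposed by design
]

if __name__ == "__main__":
    for spk, value, reused in SAMPLE_UTXOS:
        print(f"{value / 1e8:6.1f} BTC", classify_script_pubkey(spk, reused))
    print(f"share of value with exposed key: {exposed_value_share(SAMPLE_UTXOS):.1%}")
```

Two practical consequences follow from the classifier: reusing an address converts a hash-protected output into an exposed one as soon as it is spent from once, and Taproot outputs are exposed from the moment they are created, so a "migrate to a fresh address" strategy only helps if the destination script type hides the key.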

The Stablecoin Dilemma: To Freeze or Not to Freeze?

The aftermath of these hacks has reignited the debate over stablecoin centralization. Circle CEO Jeremy Allaire recently clarified that the company will only freeze USDC wallets at the direction of law enforcement or courts, positioning USDC as a regulated financial product rather than an active intervention tool [13]. This stands in contrast to Tether (USDT), which has been known to blacklist stolen funds within hours of an exploit [13]. Critics like ZachXBT argue that Circle’s "slow approach" has allowed over $420 million in stolen funds to escape since 2022 [13].

Conclusion: A New Standard for Self-Custody

The recent wave of exploits, from the fake Ledger app on the Apple App Store to the PHANTOMPULSE malware in Obsidian, demonstrates that even "trusted" environments are no longer safe [4][9]. Investors must internalize the golden rule of hardware wallets: the seed phrase is typed only into the hardware device itself, never into a phone, a computer or any app, however official it looks [6][12]. As the industry moves toward quantum-resistant protocols and faces increasing internal and external threats, the burden of security remains firmly with the individual. Verifying app publishers, avoiding third-party plugins in sensitive contexts, and maintaining strict offline opsec are no longer optional; they are the requirements for survival in the modern digital asset economy.


Source Articles

This article is based on analysis of 13 source articles from our news database.

  [1] Decrypt, decrypt.co
  [3] crypto.news
  [4] Cointelegraph, cointelegraph.com
  [5] Cointelegraph, cointelegraph.com
  [6] crypto.news
  [8] (outlet not listed)
  [9] Cointelegraph, cointelegraph.com
  [11] (outlet not listed)
  [13] Benzinga, benzinga.com