Fake Ledger Live App Harvesting Recovery Phrases
Counterfeit versions of the Ledger Live application distributed via phishing sites, app-store lookalikes, and search-engine ads present a fake 'wallet restore' flow that requests the victim's 24-word recovery phrase and immediately transmits it to attackers.
Part of: Fake App Downloads
Last reviewed: 8 June 2026
Ledger Live is the official desktop and mobile companion app for Ledger hardware wallets. Its trusted reputation means victims are less suspicious of a convincing lookalike than they might be of an unfamiliar crypto application. Criminals have created fake Ledger Live apps that match the genuine interface almost pixel-for-pixel, distributed through phishing domains such as ledgerlive-app.com or through mobile-app marketplaces that allow third-party app submission.
Once a user installs the fake app and opens it, they are presented with a 'restore wallet' or 'connect device' flow that appears to require their 24-word recovery phrase as an identity step. In reality, entering those words transmits the complete seed to the attacker, who then imports it into a genuine hardware or software wallet and drains all associated accounts.
The attack is particularly damaging because Ledger's user base specifically chose a hardware wallet to keep their seed offline — they understand risk. The social engineering must therefore overcome that security awareness, typically by framing the request as a technical necessity during a device 'sync' or 'firmware update.'
How this scam works on the Ledger brand
The legitimate Ledger Live app (downloaded from ledger.com/ledger-live) never requires the user to enter their recovery phrase during normal operation. The seed is generated on the physical device and stays on it. Ledger Live communicates with the device over USB or Bluetooth but does not need to know the seed itself.
Fake Ledger Live apps are found in several ways: direct phishing emails after the Ledger customer database leak in 2020, which gave attackers real names and email addresses; Google and Bing search ads for 'Ledger Live download'; and fake app listings in third-party Android app stores. Some counterfeit apps have even briefly appeared in official stores before being removed.
The fake app's 'restore wallet' screen asks for seed words one at a time with a professional-looking progress bar. Once all 24 words are submitted, the app either crashes, shows a fake error, or appears to connect normally while silently transmitting the seed. The victim discovers the attack only when wallet balances appear to have been swept.
Common red flags
- You downloaded Ledger Live from a link in an email, a search ad, or a domain other than ledger.com
- The app asks you to enter your 24-word recovery phrase during setup, connection, or any other step
- The app's publisher name in the app store is not 'Ledger' exactly, or the download count is suspiciously low
- The app interface has subtle differences from screenshots shown on ledger.com
- A Ledger-branded email directs you to install an 'updated version' via a provided link
- The app claims your Ledger device needs a 'seed verification' step before it can connect
How to protect yourself
- Download Ledger Live only from ledger.com/ledger-live — bookmark this URL and do not use search ads
- Verify the installer using Ledger's official checksum provided on their GitHub releases page
- Your 24-word recovery phrase is entered only on the Ledger physical device screen — never in software
- Check the app publisher name in the app store carefully before downloading
- Be especially cautious if you received marketing from Ledger in 2020 or later — your data may be in circulation from the historical breach
- Report any suspicious Ledger-branded emails to [email protected]
How to report it
- Report the fake app or phishing site to Ledger at [email protected]
- Report the app to the App Store or Google Play using the in-store report function
- Submit the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- File a report with the FTC at reportfraud.ftc.gov or IC3.gov (US) / Action Fraud (UK)
- If seed phrase was entered, immediately move all funds to a new wallet with a freshly generated seed phrase
Frequently asked questions
Why does Ledger Live never need my recovery phrase?
Ledger Live communicates with your physical Ledger device to retrieve public keys for displaying balances and preparing transactions for signing. The private keys and recovery phrase never leave the hardware device — Ledger Live genuinely has no technical need for them.
How do I recover from entering my seed phrase in a fake Ledger app?
Treat the seed phrase as permanently compromised. Open your genuine Ledger hardware device, factory reset it, generate a new seed phrase, and transfer all funds to the new wallet addresses. Do this before the attacker has a chance to drain everything — act as quickly as possible.
Is the Ledger Live app available on mobile?
Yes. The official Ledger Live mobile app is available on the Apple App Store and Google Play Store, published by Ledger. Always verify the publisher name matches exactly before installing.