Philadelphia-based singer-songwriter Garrett Dutton, better known by his stage name G. Love of the band G. Love & Special Sauce, has publicly shared a devastating financial setback. On April 11, 2026, Dutton revealed on social media that he lost approximately 5.9 BTC—valued at over $420,000 at the time—from his retirement savings.
The incident occurred while he was transferring his Ledger hardware wallet setup to a new computer.
“I had a really tough day today. I lost my retirement fund in a hack/scam when I switched my @Ledger over to my new computer and by accident downloaded a malicious Ledger app from the @Apple store. All my BTC gone in an instant.”
— G. Love (@glove) April 11, 2026
In the process, he downloaded what appeared to be the official Ledger Live application directly from Apple’s Mac App Store.
However, the software was actually a counterfeit version designed to harvest sensitive information.
Dutton described the moment as a sudden and irreversible blow, noting that the entire balance of his decade-old Bitcoin holdings vanished instantly after he entered his 24-word recovery seed phrase into the fraudulent app.
He shared the transaction hash of the theft and even posted a Bitcoin address in a follow-up plea for community support to help rebuild his savings.
Blockchain investigator ZachXBT quickly traced the stolen funds, confirming roughly 5.92 BTC had been moved through a series of transactions and deposited into KuCoin addresses, effectively laundering the assets.
This latest episode highlights a persistent weakness in the cryptocurrency ecosystem: malicious applications that closely mimic legitimate wallet software continue to deceive unsuspecting users.
Ledger users have encountered similar deceptions before. In May 2025, cybersecurity researchers at Moonlock Lab documented active campaigns distributing fake Ledger Live clones specifically targeting macOS users.
These imposters would replace the genuine app, display fabricated “critical error” alerts, and prompt victims to input their full recovery phrase under the guise of account recovery or security verification.
Once submitted, the seed phrase was transmitted to attacker-controlled servers, enabling immediate wallet drainage—precisely the method reportedly used against Dutton.
Ledger’s security track record includes other high-profile incidents that fueled comparable attacks.
The company’s 2020 customer data breach exposed names, email addresses, phone numbers, and physical details of over one million users.
That leak triggered years of follow-on phishing waves, including fake firmware updates, email alerts, and even physical letters mailed to victims urging them to “verify” their seeds via QR codes linking to counterfeit apps.
By 2025, scammers had escalated to impersonating Ledger support through cloned websites and app-store listings, often exploiting the same leaked database.
Official Ledger documentation repeatedly warns that the company will never request the 24-word recovery phrase through any app, email, or website—yet these tactics continue to succeed because they prey on users during routine actions like device migration or software updates.
While some online skeptics questioned details of Dutton’s account—pointing to Apple’s review process and the need for physical confirmation on hardware wallets—on-chain evidence and independent reporting have substantiated the loss.
The case serves as a painful reminder for crypto holders. We must always verify app publishers (the legitimate Ledger Live lists “Ledger SAS” as the seller, while fakes have used unrelated entities), download software exclusively from official sources, and never enter a seed phrase on any internet-connected device or third-party application. Even a hardware wallet is only as secure as the user's practices for protecting the recovery phrase.