Key Highlights
- ZachXBT publicly called out KuCoin for allegedly allowing the $9.5M+ laundering, responding to the exchange’s poll with on-chain evidence. He highlighted instant swaps, KYC loopholes, and mixer-like services, amid KuCoin’s prior $300M+ penalties and recent CFTC settlement.
- A counterfeit Ledger Live app on Apple’s Mac App Store drained over $9.5 million from 50+ victims between April 7–13, 2026, across Bitcoin, EVM, Tron, Solana, and Ripple. Victims were tricked into entering seed phrases; the three largest losses were $3.23M USDT, $2.079M USDC, and ~$1.95M in BTC/ETH/stETH. Apple removed the app on April 13.
- Stolen funds flowed into over 150 KuCoin deposit addresses linked to the AudiA6 mixing service. ZachXBT also flagged a separate $3.5M Bitcoin Depot theft (≈50 BTC) routed via 25+ KuCoin addresses days earlier.
Crypto investigator ZachXBT has leveled fresh accusations of lax anti-money-laundering controls at KuCoin, a popular crypto exchange.
On Tuesday, the Seychelles-based exchange posted a poll asking users: Would you rather 10x your portfolio in 30 days (high risk) or steadily 5x it over 12 months (lower risk)? ZachXBT, known for tracking stolen crypto across blockchains, fired back with a sarcastic reply, adding a “C” option.
“Want to explain to the community why KuCoin allowed a threat actor to launder $9.5M+ tied to a fake Ledger app via 150+ KuCoin deposit addresses over the past week?” he wrote. He also attached on-chain diagrams showing funds flowing from victims who downloaded a malicious Ledger Live imitation into the exchange.
Just days earlier, another actor allegedly routed more than $3.5 million stolen in the Bitcoin Depot incident—roughly 50 BTC taken from compromised settlement accounts—through at least 25 KuCoin deposit addresses.
ZachXBT highlighted how the platform allegedly permitted instant swaps, KYC loopholes, and services resembling centralized mixers such as AudiA6, giving criminals quick off-ramps.
The post quickly gained traction, with replies piling up from other users sharing additional suspect deposits. One account flagged nearly 100 BTC moved into KuCoin-linked wallets tied to separate scams.
KuCoin’s historical regulatory scrutiny
KuCoin has faced repeated regulatory heat in recent years. In early 2025 it pleaded guilty to operating an unlicensed money-transmitting business, agreeing to nearly $300 million in penalties and forfeitures. At the time, its founders stepped down, and the platform committed to exiting the U.S. market.
In March 2026, a CFTC settlement added a $500,000 civil penalty and made the U.S. ban permanent. Canada’s FINTRAC also hit the operator with its largest-ever penalty of over $14 million for AML and reporting failures.
Neither KuCoin nor its representatives immediately responded to requests for comment on ZachXBT’s latest claims. The exchange has previously said it works with law enforcement and continuously improves compliance systems.
Millions in crypto drained via fake Ledger app
In his latest finding, ZachXBT shared that a malicious fake Ledger Live app on Apple’s Mac App Store has been linked to over $9.5 million stolen from more than 50 suspected victims between April 7 and April 13, 2026.
The scam drained funds across multiple blockchains, including Bitcoin, EVM-compatible chains, Tron, Solana, and Ripple. The on-chain investigator noted that the three largest victims each lost seven-figure sums.
According to Zach, victims were tricked into downloading the counterfeit app, which prompted them to enter their 24-word recovery seed phrases. Once the phrases were submitted, attackers gained full control and swiftly transferred the assets out.
The stolen funds were rapidly laundered through more than 150 KuCoin deposit addresses connected to AudiA6, a centralized mixing service known for charging high fees to obscure illicit crypto trails.
Notable individual losses include one victim on April 9 who lost $3.23 million in USDT, another on April 11 who lost $2.079 million in USDC, and a third on April 8 who lost approximately $1.95 million total—including 20.64 BTC, 211 stETH, and 70 ETH.
This incident underscores ongoing risks with third-party app stores and serves as a reminder that legitimate Ledger software is available only via Ledger’s official website. Apple removed the fraudulent app from the store on April 13 after multiple reports.
