Philadelphia musician Garrett Dutton, better known as G. Love, says his long-term retirement stash of bitcoin vanished in one brutal hit after he installed what turned out to be a fake Ledger wallet app on a new Apple computer on Saturday. Dutton says the bogus software coaxed him into typing his 24-word recovery phrase, which let thieves seize control of his wallet and walk off with nearly 5.92 bitcoin, worth roughly $424,000 at recent prices.
According to Bitcoin.com News, Dutton went public the same day on X, where he shared a transaction hash and a donation address so fans could see the damage for themselves. On-chain investigator ZachXBT followed the money, tracing about 5.92 BTC through nine separate moves and into KuCoin deposit wallets, and put the value of the stolen coins at roughly $424,175. Dutton told followers he had been “caught off guard” and stressed that only his bitcoin holdings were hit.
How the scam worked
Security researchers have been warning for months about macOS malware that quietly swaps out real wallet apps for lookalike fakes designed to steal seed phrases. In 2025, Moonlock Lab documented campaigns that target Ledger users by removing the genuine Ledger Live app, then installing a nearly identical clone that throws up a fake “critical error” screen and demands the user’s 24-word recovery phrase. Entering those 24 words once is all it takes for attackers to seize full control of what is supposed to be a secure cold wallet, according to Moonlock Lab.
Ledger's guidance
Ledger’s official guidance is blunt: only download Ledger Live and related installers from Ledger, and never type a recovery phrase into any app, website or popup. The company stresses that legitimate setup and recovery steps happen on the hardware device itself, not inside a third-party program or an app store listing, and it provides verified installers and support directly through its site.
How to protect yourself
Experts say the biggest red flag is simple. Any unexpected prompt that asks you to type all 24 recovery words is a scam, and you should never enter your seed phrase into software or a browser window under any circumstances. Reporting and analysis outlets were already flagging this playbook in 2025 and 2026, and security coverage has urged users to double-check download sources, confirm developer names and, where possible, verify SHA-256 checksums for installers. For a rundown on the macOS side of these threats, see TechRadar. If you think your setup has been compromised, the advice is to spin up a brand-new wallet on a clean device, move any remaining funds to the new address, and alert exchanges if you spot suspicious deposits that appear tied to your stolen coins.
Dutton, who fronts the band G. Love & Special Sauce and is based in Philadelphia, said he intends to move forward and thanked his family and fans for their support, according to Bitcoin.com News. His loss is a stark reminder that hardware wallets only keep assets safe as long as recovery phrases stay secret, and that social engineering is still one of the most dangerous weapons in the crypto thief’s toolkit.
