Crypto wallet MetaMask warns iCloud users to disable backups after $650,000 phishing scam

0
Crypto wallet MetaMask warns iCloud users to disable backups after $650,000 phishing scam

Bottom line: If you use crypto wallet MetaMask on an Apple device, make sure to disable your iCloud backups. Otherwise, you could find yourself being scammed out of your digital assets in the same way as Domenic Lacovone, a crypto trader who lost $650,000-worth of cryptocurrencies and NFTs.

Lacovone tweeted that the incident began last week with multiple text messages asking to reset his Apple ID password. He then received a phone call from Apple claiming there was suspicious activity on his account, as indicated by the messages. He suspected it was a scam, as we all would, but the caller ID showed the number as “Apple Inc.,” which is linked to the Apple Store. He called the number back just to make sure, and the person told him his account really had been compromised.

The person on the phone told Lacovone that they needed a one-time security code that Apple sent to his iPhone to confirm the account’s ownership. He handed it over, and two seconds later, his entire MetaMask wallet was wiped clean.

The scammer, of course, had managed to secure Lacovone’s iCloud credentials and just needed the two-factor authentication code to access his stored information, which the victim handed over because he believed the spoofed Apple phone number was genuine.

The compromised MetaMask wallet contained $160,000 worth of Ether, a Mutant Ape Yacht Club NFT worth around $80,000, about $100,000 of Ape Coin cryptocurrency, and $250,000 of stablecoin Tether.

How was this digital heist pulled off? A security expert using the moniker Serpent tweeted that MetaMask automatically saves a user’s seed phrase, the 12-word phrase used to access the wallet on a new device, in a file on iCloud. Once the scammer had that phrase, they were able to empty the wallet.

MetaMask has confirmed the vulnerability and advised Apple users to disable backups for MetaMask specifically by going to Settings > Profile > iCloud > Manage Storage > Backups. But as Serpent notes, the best option would be to store digital assets on a cold (non-internet connected) wallet and remember that companies such as Apple will never call you.

The person who stole Lacovone’s NFTs tried to sell them on OpenSea, but the non-fungible marketplace flagged them as suspicious, meaning they can’t be looked up, sold, or transferred. At the time of writing, it appears that Lacovone still hasn’t been able to retrieve any of his stolen assets.

While not phishing scams, we recently saw North Korean hackers steal over $615 million-worth of crypto from the Ronin network, and two men face 20 years in prison for a $1.1 million rug pull NFT scam.

LEAVE A REPLY

Please enter your comment!
Please enter your name here