How an Apple iCloud Exploit Lost a Crypto Trader Over $650K

One second, he gave who he thought was Apple a one-time Apple ID code. The next, his crypto was gone.

Domenic Iacovone received an unusual phone call from Apple on Friday night. He'd received several messages asking him to reset his Apple ID password, and so suspected the call was a scam.

But the call came through on his iPhone as Apple Inc., with a number associated with Apple's online store, so he rang back. The person on the other end of the line said Iacovone's account had been compromised, and that they needed the one-time code Apple sent to his iPhone to ensure he was the account's owner.

Iacovone gave it to them. Two seconds later, he recounted in a Twitter thread, his crypto wallet was wiped dry.

An estimated $650,000-worth of cryptocurrencies and NFTs were gone in an instant. 

Among the assets Iacovone says were stolen from his MetaMask wallet are at least $160,000 worth of ether, a Mutant Ape Yacht Club NFT worth around $80,000 and $100,000 of the Ape Coin cryptocurrency.

Iacovone also reportedly had $250,000 in Tether, a stablecoin pegged to the US Dollar.

The incident is more than a sophisticated, socially-engineered phishing hack. The immediate question asked by crypto and NFT traders: How could access to iCloud give a hacker access to someone's crypto wallet? 

When you create a wallet, you're given a 12-word seed phrase that's needed to access the wallet on new devices. The first rule of cryptocurrency trading is to protect your seed phrase at all costs. 

Unless a person has their seed phrase written down in a document stored on iCloud -- which Iacovone didn't -- it doesn't follow that iCloud access would lead to MetaMask access. 

The answer, as unearthed by a crypto security expert who goes by Serpent, is that using the MetaMask app on iPhone automatically stores a seed phrase file on iCloud.

MetaMask, the most used Ethereum-based wallet, released a statement on Twitter on Sunday over the unearthed security flaw, giving users instructions on how to disable iCloud backups. 

"Key takeaways," Serpent wrote in their Twitter thread. "Always use a cold wallet to store your valuables. Never give out verification codes to anyone. Protect your information, don't give out your phone number or your personal email. Caller information is easy to spoof. Companies like Apple will never call you."

"Already $650,000 stolen from a single individual and it's going to happen to a lot more people," he wrote.
