Crypto wallet MetaMask warns iCloud users to disable backups after $650,000 phishing scam


Bottom line: If you use crypto wallet MetaMask on an Apple device, make sure to disable your iCloud backups. Otherwise, you could find yourself being scammed out of your digital assets in the same way as Domenic Lacovone, a crypto trader who lost $650,000 worth of cryptocurrencies and NFTs.

Lacovone tweeted that the incident began last week with multiple text messages asking to reset his Apple ID password. He then received a phone call, supposedly from Apple, claiming there was suspicious activity on his account, as indicated by the messages. He suspected it was a scam, as we all would, but the caller ID showed the number as "Apple Inc.," which is linked to the Apple Store. He called the number back just to make sure, and the person told him his account really had been compromised.

The person on the phone told Lacovone that they needed a one-time security code that Apple sent to his iPhone to confirm the account's ownership. He handed it over, and two seconds later, his entire MetaMask wallet was wiped clean.

The scammer, of course, had managed to secure Lacovone's iCloud credentials and just needed the two-factor authentication code to access his stored information, which the victim handed over because he believed the spoofed Apple phone number was genuine.

The compromised MetaMask wallet contained $160,000 worth of Ether, a Mutant Ape Yacht Club NFT worth around $80,000, about $100,000 of Ape Coin cryptocurrency, and $250,000 of stablecoin Tether.

How was this digital heist pulled off? A security expert using the moniker Serpent tweeted that MetaMask automatically saves a user's seed phrase, the 12-word phrase used to access the wallet on a new device, in a file on iCloud. Once the scammer had that phrase, they were able to empty the wallet.

MetaMask has confirmed the vulnerability and advised Apple users to disable backups for MetaMask specifically by going to Settings > Profile > iCloud > Manage Storage > Backups. But as Serpent notes, the best option would be to store digital assets on a cold (non-internet connected) wallet and remember that companies such as Apple will never call you.

The person who stole Lacovone's NFTs tried to sell them on OpenSea, but the NFT marketplace flagged them as suspicious, meaning they can't be looked up, sold, or transferred. At the time of writing, it appears that Lacovone still hasn't been able to retrieve any of his stolen assets.

In other recent incidents that were not phishing scams, North Korean hackers stole over $615 million worth of crypto from the Ronin network, and two men face 20 years in prison for a $1.1 million rug pull NFT scam.




Posts: 737   +604
The rest of the 99.99999% of the population recommends that instead of turning off iCloud backups, you stop listening to crypto bros telling you to be a "Diamond Hands" and just get rid of MetaMask and all your coins while you can still get *something* for them.
Nice take. Could you be a little more sensational though, 'cause I don't think people here take you seriously enough.
If you think it's going to eat dirt why don't you bet against it since you're so sure?

This was 100% the user's fault. Fish bit the bait.


Posts: 1,083   +1,968
HAHAHAHA! The person is smart enough to utilize crypto and do things online, but too Fing stupid to understand that companies don't call you asking for authorization to your accounts to verify passwords or TwoStep verification codes.

Apple doesn't give a rip if your account was hijacked. They will not call you to tell you it was hijacked. It is your responsibility to reach out to them and start the process.


Posts: 1,146   +1,683
Uh, I'm sorry but it's not an iCloud issue, it's a PEBKAC issue. Scammers gonna scam, no matter the tech.