Bottom line: If you use the MetaMask crypto wallet on an Apple device, turn off iCloud backup for its app data. Otherwise you could be scammed out of your digital assets the same way as Domenic Iacovone, a crypto trader who lost $650,000-worth of cryptocurrencies and NFTs.
Iacovone tweeted that the incident began last week with multiple text messages asking him to reset his Apple ID password. He then received a phone call, supposedly from Apple, claiming there was suspicious activity on his account, just as the messages had indicated. He suspected a scam, as anyone would, but the caller ID showed the number as "Apple Inc.", the number linked to the Apple Store. He called it back to make sure, and the person who answered told him his account really had been compromised.
The caller said they needed a one-time security code that Apple had just sent to his iPhone in order to confirm ownership of the account. Iacovone read it out, and two seconds later his entire MetaMask wallet was emptied.
This is how it happened. Got a phone call from Apple, literally from Apple (on my caller ID). Called it back because I suspected fraud and it was an Apple number. So I believed them.
— Domenic Iacovone (@revive_dom) April 14, 2022
They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped.
The scammer did not need Iacovone's existing password at all. The text messages were Apple ID password-reset requests the scammer had triggered, and the "security code" was the verification code Apple sends to the account holder's device to complete such a reset. Once Iacovone handed it over, believing the spoofed Apple number was genuine, the scammer could set a new password, sign in to his iCloud account and download whatever was backed up there.
The compromised MetaMask wallet contained $160,000 worth of Ether, a Mutant Ape Yacht Club NFT worth around $80,000, about $100,000 of Ape Coin cryptocurrency, and $250,000 of stablecoin Tether.
How was this digital heist pulled off? A security researcher tweeting as Serpent pointed out that when iCloud backup of app data is enabled, iOS backs up MetaMask's vault along with everything else. That vault holds the wallet's secret recovery phrase, the 12-word seed phrase used to restore the wallet on a new device, encrypted with the user's MetaMask password. Anyone who can read the backup can attack that password offline, at their leisure and with no lockout or rate limit, and a weak password falls in seconds. Once the scammer had the phrase, they were able to empty the wallet.
3) The scammer will request a password reset for the victim's Apple ID
— Serpent (@Serpent) April 17, 2022
4) The scammer will ask the victim for the code, claiming it is to verify they are the real owner of the Apple ID, when in reality they are using that code to reset the victim's password
MetaMask confirmed the issue and advised iOS users to turn off iCloud backup for MetaMask specifically, via Settings > Profile > iCloud > Manage Storage > Backups. Its own statement also makes clear that a backed-up vault is only as safe as the MetaMask password protecting it, so a strong, unique password matters even if the backup is left on. As Serpent notes, the better option is to keep significant holdings in a cold (non-internet-connected) wallet, and to remember that companies such as Apple will never call you.
If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn't strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on) 1/3
— MetaMask 🦊 (@MetaMask) April 17, 2022
The person who stole Iacovone's NFTs tried to sell them on OpenSea, but the NFT marketplace flagged them as suspicious, meaning they can't be looked up, sold, or transferred there. At the time of writing, Iacovone does not appear to have recovered any of his stolen assets.
Phishing aside, we recently saw North Korean hackers steal more than $615 million-worth of crypto from the Ronin network, and two men face 20 years in prison over a $1.1 million NFT rug pull.