MetaMask Warns Users of New Apple iCloud Phishing Scam
MetaMask, the popular Ethereum non-custodial wallet, has warned Apple users to beware of possible iCloud phishing attacks.
In a recent tweet, the company said that the encrypted passwords for users’ crypto accounts, called MetaMask vaults, would be automatically uploaded to Apple’s cloud service if the iCloud backup option is enabled on the app.
As a result, a phishing attack that compromises the user's iCloud account could also expose their passwords and any linked crypto wallets.
MetaMask also provided users with a guide on how to disable iCloud backups for their crypto wallets.
You can disable iCloud backups for MetaMask specifically by turning off the toggle here: Settings > Profile > iCloud > Manage Storage > Backups. 2/3 — MetaMask 🦊💙 (@MetaMask) April 17, 2022
Who was attacked?
The announcement comes in the wake of a Twitter user going under the alias “Domenic Iacovone” sharing details of his funds stored in a MetaMask wallet being “totally wiped out” by hackers.
“Got a phone call from Apple, literally from Apple (on my caller ID). Called it back because I suspected fraud and it was an Apple number. So I believed them. They asked for a code that was sent to my phone, and 2 seconds later, my entire MetaMask was wiped,” he wrote on April 15.
According to Domenic Iacovone, his wallet contained non-fungible tokens (NFTs) from the popular Mutant Ape Yacht Club (MAYC) collection, which included MAYC 28478, MAYC 8952, and MAYC 7536. It also had $100,000 in ApeCoin and other NFTs.
This is how it happened, Got a phone call from apple, literally from apple (on my caller Id) Called it back because I suspected fraud and it was an apple number. So I believed them. They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped — Domenic Iacovone (@revive_dom) April 14, 2022
Iacovone also offered a $100,000 reward for help recovering his funds.
According to “Serpent,” the founder of Dape NFT, Domenic Iacovone’s wallet contained as much as $650,000.
In a separate Twitter thread, Serpent explained the details of the hack, saying, “MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim's Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask.”
3/ MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim's Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim's MetaMask. — Serpent (@Serpent) April 17, 2022
As they stressed, this is “going to happen to a lot more people.”
MetaMask at the core of the Web3 community
Produced by New York-based web studio ConsenSys, MetaMask is one of the industry’s most popular wallets for storing Ethereum and other cryptocurrencies, with over 30 million monthly active users.
The wallet is also available through a browser extension, is connected to multiple Web3 applications, and is actively used to purchase NFTs.
Last month, MetaMask announced plans for a decentralized autonomous organization (DAO), with the primary goal of funding the wallet’s development.
A native token launch is also in the works.
"There is a DAO that is being formed right now in the context of MetaMask," Joseph Lubin, ConsenSys CEO, said at the time. "It won’t govern MetaMask, but it will enable the creation of novel new pieces of MetaMask to be funded."