MetaMask has warned Apple users to disable automatic iCloud backup of their wallet data. The warning results from the losses sustained by an NFT collector, Domenic Lacovone, using the Twitter handle revive_dom.
The user posted on Friday that his wallet containing $650,000 worth of digital assets and NFTs (non-fungible tokens) was wiped out. In a series of tweets, the user revealed how he lost the funds. According to Lacovone, he got a phone call supposedly from Apple as the company’s number showed on his caller ID, so it didn’t raise suspicion.
The caller asked for a code sent to his phone. When he provided the code, his entire MetaMask wallet was wiped out within two seconds, including ApeCoin and NFT, worth around $650,000.
According to Lacovone, As of now, OpenSea (OpenSea.io – the highly popular and world’s largest NFT marketplace) has flagged all the stolen NFTs as suspicious.
Expert’s Opinion
Dape NFT founder, who uses the Twitter handle Serpent, examined the attack and posted a detailed analysis of the incident. According to Serpent, the attacker first requested a random password reset to raise suspicion. Using a caller ID spoofer, they called Lacovone as an Apple representative claiming that they noted suspicious activity on his account.
Then, they sent multiple text messages to the victim, asking him to reset his Apple ID password. The user handed them the six-digit verification code to prove his ownership of the Apple account, and immediately after, the scammer hung up.
Upon having access to the verification code, they quickly accessed Lacovone’s MetaMask account through iCloud. Serpent urged the community always to store their digital assets in a cold wallet and be cautious of scammers making spoofed calls. And they must never provide verification codes to anyone.
MetaMask Warns of Apple Phishing Attacks
Crypto wallet service provider MetaMask has issued a warning to Apple users after observing an increase in email phishing scams to steal users’ MetaMask assets and what happened with revive_dom. According to MetaMask, Apple users who have enabled automatic iCloud backups of their wallet data will have their seed phrase stored online.
As shown in the screenshot above, in a Twitter thread, MetaMask noted that Apple users might risk losing funds if their Apple password isn’t strong enough since an attacker can phish their credentials.
The Consensys-owned MetaMask further stated that the security issue affects Apple devices, including iPhone, iPad, and Mac, because of default device settings that expose a user’s seed phrase, which is a password-protected MetaMask vault stored on iCloud.
Therefore, users must disable automatic iCloud backups to fix the issue. The digital wallet provider also gave details instructions on how to stay safe. However, Lacovone isn’t satisfied with MetaMask’s response to the incident. The user noted that:
“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”
More NFT and iCloud Topics
- Official website of Banksy hacked for a fake NFT scam
- Phishing scam: NFTs Worth $1.7M Stolen from OpenSea Users
- OpenSea vulnerability allowed crypto theft with malicious NFTs
- iCloud phishing scam – Man stole private photos of 620,000 women
- iCloud Glitch? Woman buys iPhone, finds contact details of top celebs