Software-based crypto wallet MetaMask has warned its users on Apple devices that their assets may be at risk from an iCloud-related phishing scam.
MetaMask tweeted out the alert on April 18, stating that users of Apple devices should ensure their Apple ID password is “strong enough” and providing instructions for disabling iCloud backups:
The alert comes after a Twitter user known as revive_dom reported losing US$650,000 of digital assets to the scam.
iCloud Stores MetaMask Seed Phrase
The crucial vulnerability the scammers exploited is that, by default, iCloud backs up the MetaMask seed phrase and stores it digitally online.
This means that if a MetaMask user on an Apple device hasn’t specifically turned off iCloud backups and a scammer can gain access to the user’s iCloud account, the scammer has full access to the digital assets stored in that user’s MetaMask wallet.
Classic Phishing Scam with a Twist
The details of how the scam was carried out against revive_dom were tweeted by Twitter user Serpent, who is also the founder of the NFT project DAPE:
Essentially, the scammers raised the user’s suspicions by triggering numerous iCloud password reset attempts, which made it appear as though someone was trying to maliciously access the user’s iCloud account.
The scammers then called the user from a spoofed number, which made them appear to be from Apple support. After the scammers established trust, the user mistakenly told them the two-factor authentication code to reset their iCloud password. The scammers then had full control of the user’s iCloud account and MetaMask wallet and stole all the user’s assets.
Scam Highlights Hot Wallet Security Risks
Most Twitter users have been supportive of revive_dom and other victims of this scam, but many have also emphasised the inherent risks of storing your assets on a hot wallet such as MetaMask and have suggested victims should have been using cold wallets such as Ledger and Trezor:
MetaMask is a popular software wallet in the Ethereum ecosystem. It has made news recently for adding a feature that allows iOS users to purchase crypto directly through the MetaMask mobile app using a debit or credit card, and for blocking users from some countries, such as Iran and Venezuela, from accessing their wallets.
Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.