MetaMask Issues Phishing Attack Security Alert for iPhone Users

Software-based crypto wallet MetaMask has warned its users on Apple devices that their assets may be at risk from an iCloud-related phishing scam. 

MetaMask tweeted out the alert on April 18, stating that users of Apple devices should ensure their Apple ID password is “strong enough” and providing instructions for disabling iCloud backups:

🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3

— MetaMask 🦊💙 (@MetaMask) April 17, 2022

The alert comes after a Twitter user known as revive_dom reported losing US$650,000 of digital assets to the scam.

iCloud Stores MetaMask Seed Phrase 

The crucial vulnerability the scammers exploited is that, by default, iCloud backs up the MetaMask seed phrase and stores it digitally online. 

This means that if a MetaMask user on an Apple device hasn’t specifically turned off iCloud backups and a scammer can gain access to the user’s iCloud account, the scammer has full access to the digital assets stored in that user’s MetaMask wallet.

Classic Phishing Scam with a Twist

The details of how the scam was carried out against revive_dom were tweeted by Twitter user Serpent, who is also the founder of the NFT project DAPE: 

🚨 NEW PHISHING SCAM 🚨

Already $650,000 stolen from a single individual and it's going to happen to a lot more people.

This is how it happened 🧵👇

— Serpent (@Serpent) April 17, 2022

Essentially, the scammers raised the user’s suspicions by triggering numerous iCloud password reset attempts, which made it appear as though someone was trying to maliciously access the user’s iCloud account. 

The scammers then called the user from a spoofed number, which made them appear to be from Apple support. After the scammers established trust, the user mistakenly told them the two-factor authentication code to reset their iCloud password. The scammers then had full control of the user’s iCloud account and MetaMask wallet and stole all the user’s assets.

Scam Highlights Hot Wallet Security Risks

Most Twitter users have been supportive of revive_dom and other victims of this scam, but many have also emphasised the inherent risks of storing your assets on a hot wallet such as MetaMask and have suggested victims should have been using cold wallets such as Ledger and Trezor:

Im so sorry for all of this , were these assets in a Ledger?

— NC (@NC_Eth) April 16, 2022

MetaMask is a popular software wallet in the Ethereum ecosystem. It has made news recently for adding a feature that allows iOS users to purchase crypto directly through the MetaMask mobile app using a debit or credit card, and for blocking users from some countries, such as Iran and Venezuela, from accessing their wallets.