Domenic Iacovone received an unusual phone call from Apple on Friday night. He had already received several messages asking him to reset his Apple ID password, and so suspected the caller of being a scammer. But the call showed up on his iPhone as Apple Inc., from a number associated with Apple's online store, so he rang back. The person on the other end said Iacovone's account had been compromised, and that they needed the one-time code Apple had sent to his iPhone to confirm he was the account's owner. Iacovone gave it to them. Two seconds later, he recounted in a Twitter thread, his crypto wallet was wiped dry.
An estimated $650,000-worth of cryptocurrencies and NFTs were gone in an instant.
Among the assets Iacovone says were stolen from his MetaMask wallet are at least $160,000 worth of ether, a Mutant Ape NFT worth around $80,000, and $100,000 of the ApeCoin cryptocurrency. Iacovone also reportedly had $250,000 in Tether, a stablecoin pegged to the US dollar.
The incident is more than a sophisticated, socially-engineered phishing hack. The immediate question asked by crypto and NFT traders: How could access to iCloud give a hacker access to someone’s crypto wallet? When you create a wallet, you’re given a 12-word seed phrase that’s needed to access the wallet on new devices. The first rule of cryptocurrency trading is to protect your seed phrase at all costs. Unless a person has their seed phrase written down in a document stored on iCloud — which Iacovone didn’t — it doesn’t follow that iCloud access would lead to MetaMask access.
The answer, as unearthed by a crypto security expert who goes by Serpent, is that the MetaMask iPhone app's data, including the vault file holding the seed phrase encrypted under the user's MetaMask password, is included in iCloud backups whenever iCloud backup of app data is enabled. Anyone who takes over the Apple ID can restore that backup onto a device they control and then guess the MetaMask password offline, at leisure; a weak password offers little resistance. MetaMask, the most used Ethereum-based wallet, released a statement on Twitter on Sunday about the unearthed security flaw, giving users instructions on how to disable iCloud backups for the app.
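The following is an added illustration of why a backed-up, password-encrypted vault is only as safe as the password; it is not MetaMask's code. The vault layout (random salt, random IV, ciphertext, authentication tag, key derived with PBKDF2-SHA256) mirrors the general shape of a wallet vault, but the cipher itself is a stand-in built from the Python standard library (HMAC-SHA256 keystream plus an HMAC tag) rather than the AES-GCM a real wallet would use. The seed phrase, the passwords, the iteration count and the wordlist are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional, Tuple

# Assumption for the example: a low, browser-era PBKDF2 iteration count.
PBKDF2_ITERATIONS = 10_000

# Constructed seed phrase: twelve arbitrary words, deliberately NOT a valid BIP-39 mnemonic.
SEED = "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"

# Constructed attacker wordlist; a real one would hold millions of leaked passwords.
WORDLIST = ["123456", "qwerty", "letmein", "password123", "iloveyou"]


def _derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the user's password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over (iv || counter), truncated to `length`."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(seed_phrase: str, password: str) -> dict:
    """Produce a vault blob of the kind an app would write to local storage (and thus to a backup)."""
    salt = secrets.token_bytes(16)
    iv = secrets.token_bytes(12)
    key = _derive_key(password, salt)
    plaintext = json.dumps({"mnemonic": seed_phrase}).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "iv": iv.hex(), "data": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault: dict, password: str) -> Optional[str]:
    """Return the seed phrase, or None if the password is wrong (tag check fails)."""
    salt, iv = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["iv"])
    ciphertext, tag = bytes.fromhex(vault["data"]), bytes.fromhex(vault["tag"])
    key = _derive_key(password, salt)
    expected = hmac.new(key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, iv, len(ciphertext))))
    return json.loads(plaintext)["mnemonic"]


def crack_vault(vault: dict, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Offline dictionary attack: what someone holding a copy of the backup can do.
    Nothing here contacts Apple or the wallet vendor, so no rate limit or lockout applies."""
    for candidate in wordlist:
        seed = decrypt_vault(vault, candidate)
        if seed is not None:
            return candidate, seed
    return None


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Same seed, two passwords: one from the wordlist, one long random passphrase."""
    weak_vault = encrypt_vault(SEED, "password123")
    strong_vault = encrypt_vault(SEED, "correct-horse-battery-staple-7f3a")  # assumed not in any wordlist
    return crack_vault(weak_vault, WORDLIST), crack_vault(strong_vault, WORDLIST)


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak password vault:", weak_result)
    print("strong password vault:", strong_result)
```

The point the example makes is the one Serpent's thread and MetaMask's advisory turn on: once the encrypted vault leaves the phone, the attacker never has to interact with Apple or MetaMask again, so the only remaining defences are the password's strength and the key-stretching cost. Disabling iCloud backup for the app removes the blob from the attacker's reach entirely; a hardware ("cold") wallet never puts the seed on the phone in the first place.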
“Key takeaways,” Serpent wrote in their Twitter thread. “Always use a cold wallet to store your valuables. Never give out verification codes to anyone. Protect your information, don’t give out your phone number or your personal email. Caller information is easy to spoof. Companies like Apple will never call you.”
“Already $650,000 stolen from a single individual and it’s going to happen to a lot more people,” he wrote.
The incident highlights the major downside to decentralized finance, the lack of any central authorities to undo or refund damages. Blockchain transactions can’t be reversed, meaning MetaMask or any other firm can’t refund the lost assets. OpenSea, the biggest marketplace for NFTs, can do little more than mark Iacovone’s account as “suspicious” to dissuade others from buying his stolen NFTs. It was too little too late, as the Mutant Ape stolen from his wallet was quickly sold for $80,000 (26.5 ether).
“Let’s all get MetaMask to update their terms and app to clearly state that they share your seed phrase with iCloud,” Iacovone tweeted on Monday. “If we can save one person from this it will be worth all the trouble.”
MetaMask was contacted for comment but did not immediately respond.