An iCloud crypto wallet attack saw an estimated $650,000 worth of cryptocurrency and NFTs stolen from a trader within seconds.

While the attack relied on a sophisticated piece of phishing, it also revealed a key iCloud vulnerability with MetaMask …

CNET reports.

Domenic Iacovone received an unusual phone call from Apple on Friday night. He’d received several messages asking him to reset his Apple ID password, and so suspected the caller of being a scam. But the call came through on his iPhone as Apple Inc., with a number associated with Apple’s online store, so he rang back. The person on the other side of the phone said Iacovone’s account had been compromised, and that they needed the one-time code Apple sent to his iPhone to ensure he was the account’s owner. Iacovone gave it to them. Two seconds later, he recounted in a Twitter thread, his crypto wallet was wiped dry.

An estimated $650,000-worth of cryptocurrencies and NFTs were gone in an instant. 

The phishing explains how the thief got access to his iCloud account, but how did they use that to access his MetaMask cryptocurrency wallet?

The answer, as unearthed by a crypto security expert who goes by Serpent, is that using the MetaMask app on iPhone automatically stores a seed phrase file onto iCloud […]

“Key takeaways,” Serpent wrote in their Twitter thread. “Always use a cold wallet to store your valuables. Never give out verification codes to anyone. Protect your information, don’t give out your phone number or your personal email. Caller information is easy to spoof. Companies like Apple will never call you.” 

“Already $650,000 stolen from a single individual and it’s going to happen to a lot more people,” he wrote.

MetaMask had not responded to CNET’s request for comment at the time of writing but did tweet a warning, with instructions on how to disable the backup.

Photo: Art Rachen/Unsplash

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!