Apple User Lost $650k In iCloud Crypto Scam | Screen Rant
An Apple user lost hundreds of thousands of dollars in cryptocurrency and non-fungible tokens (NFTs) after an iCloud backup compromised the seed phrase used to access the digital wallet. Many people use the company's cloud service for a variety of reasons, including the slew of subscriptions that Apple now offers for music, videos, games, and more. However, one of the most compelling features of iCloud is the ability to wirelessly backup data on an Apple device, which can be restored in the event the product is lost, stolen, or damaged. Though iCloud backups make it easy for users to have peace of mind regarding data redundancy, it is this very feature that led to a user losing an entire cryptocurrency wallet in a scam.
The emergence and popularity of cryptocurrency and NFTs have brought a new frontier for digitally owning items, but they've also brought new problems to the technology industry. The immense value of certain digital assets make them a target for hackers and scammers alike, which makes it risky to hold online items with high valuations in digital wallets. Other concerns, such as the cash out process for cryptocurrencies and the intense fluctuations in value, demonstrate the risk and reward that comes with cryptocurrency and NFTs. To make matters more complicated, the digital assets do not have legal tender status in the United States, which has significant tax and other legal implications.
Dominic Iacovone, a MetaMask user who also enabled iCloud backups, claims to have lost more than $650,000 in digital assets in a scam chronicled on Twitter. MetaMask is a cryptocurrency and NFT wallet, which holds digital assets, and is most popular for storing Ethereum. When a user logs on to MetaMask from a new device, they are required to enter a 'seed phrase' — a string of 12 words that is used to access a cryptocurrency wallet, and verify the identity of the owner. It is crucial to protect a seed phrase vigilantly, and for that reason, it is not recommended to store a wallet's seed phrase digitally. According to Iacovone, all of those rules were followed, but the seed phrase was still compromised through an iCloud scam.
Iacovone recalls receiving a phone call that appeared to come from Apple, and despite initially believing it to be fraudulent, the call was spoofed to look like it came from the company's online store. He attempted to redial the number, and connected with a scammer who said his Apple account was compromised and requested a six-digit verification code sent to Iacovone's phone. He obliged, giving the scammer all they needed to take control of the iCloud account. However, since the seed phrase for the MetaMask wallet wasn't stored on an iCloud file, users were puzzled as to how the crypto was stolen with just an Apple ID and password.
As it turns out, an iOS setting that can backup application data can automatically load seed phrases into the cloud, unbeknownst to users. "If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault," the official MetaMask account confirmed in a Tweet. "If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds." According to the company, there is a way to disable this feature, with a settings menu found by navigating to Settings > Profile > iCloud > Manage Storage > Backups. However, it has sparked online debate about app transparency, and Iacovone himself has demanded MetaMask to make it clearly stated that iCloud backups could compromise a cryptocurrency seed phrase.
Source: Dominic Iacovone/Twitter, MetaMask/Twitter , CNET