MetaMask warns Apple users over iCloud phishing attacks

ConsenSys-owned crypto wallet provider MetaMask has sent out a warning to the community regarding Apple iCloud phishing attacks.

The security issue for iPhone, Mac and iPad users is related to default device settings which see a user’s seed phrase or “password-encrypted MetaMask vault” stored on the iCloud if the user has enabled automatic backups for their application data.

In a Twitter thread posted on Monday, MetaMask noted that users run the risk of losing their funds if their Apple password “isn’t strong enough” and an attacker is able to phish their account credentials.

To fix the issue, users can disable automatic iCloud backups for MetaMask as detailed:

If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on ) 1/3

— MetaMask (@MetaMask) April 17, 2022

The warning from MetaMask came in response to reports from an NFT collector who goes by “revive_dom” on Twitter, who stated on Friday that their entire wallet containing $650,000 worth of digital assets and nonfungible tokens (NFTs) was wiped via this specific security issue.

In a separate thread earlier today, DAPE NFT project founder “Serpent” — who also helped gain the attention of MetaMask via posting sharing the story with their 277,000 followers — gave a rundown of what happened to the victim.

They noted that the victim received multiple text messages asking to reset his Apple ID password along with a supposed call from Apple which was ultimately a spoofed caller ID.

As they were reportedly unsuspecting of the caller, “revive_dom” handed over a six-digit verification code to prove that they were the owner of the Apple account. The scammers subsequently hung up and accessed his MetaMask account via data stored on iCloud.

Key takeaways- ALWAYS use a cold wallet to store your valuables- Never give out verification codes to ANYONE- Protect your information, don't give out your phone number or your personal email- Caller information is easy to spoof. Companies like Apple will never call you

— Serpent (@Serpent) April 17, 2022

Related: MetaMask expands institutional offering by integrating new crypto custodians

After MetaMask posted the warning today, “revive_dom” expressed his frustrations with the company, noting that:

“I’m not saying they shouldn’t do it but they should tell us. Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90% of the people knew this I would bet none of them would have the app or iCloud on.”

While most of the community response was supportive, others were quick to emphasize the importance of using cold storage and doing a lot of due diligence when storing assets in a hot wallet.

5 sneaky tricks crypto phishing scammers used last year: SlowMist   Jan. 10, 2023
Bored Ape Yacht Club NFTs stolen in Instagram phishing attack   April 25, 2022
Google Ads-delivered malware drains NFT influencer’s entire crypto wallet   Jan. 16, 2023
'Haunts me to this day' — Crypto project hacked for $4M in a hotel lobby   Feb. 7, 2023
MetaMask issues scam alert as NameCheap hacker sends unauthorized emails   Feb. 13, 2023