Apple user loses $650,000 in seconds as iCloud hack exposes MetaMask vulnerability

As the market for cryptocurrencies and non-fungible tokens (NFTs) grows larger, it becomes an increasingly attractive target to hackers who devise new and more efficient ways to get their hands on other people’s assets, exploiting major vulnerabilities in platforms.

In one of the most recent hacking incidents, an attacker managed to steal a person’s entire collection of cryptocurrencies and NFTs, worth more than $650,000, from their MetaMask crypto wallet, as reported by CNET on April 18.

A few days before, the victim, Domenic Iacovone, took to Twitter to convey what exactly happened:

According to Iacovone, the stolen assets included $160,000 worth of Ethereum (ETH), a Mutant Ape Yacht Club NFT worth an estimated $80,000, as well as $100,000 in ApeCoin (APE) and $250,000 in Tether (USDT).

Clearly, the hackers deployed a sophisticated phishing technique to gain access to the victim’s iCloud account. However, this did not explain how they gained access to his MetaMask wallet, which requires a 12-word seed phrase to enter. Iacovone didn’t have this seed phrase written down in any document stored on iCloud.

Using iCloud backup to get to the wallet

To provide an explanation, a security expert nicknamed Serpent said that iCloud automatically stores the seed phrase file of the person’s wallet if the MetaMask app is used on iPhone. In other words, gaining access to someone’s iCloud account will automatically grant access to their seed phrase file in such a case.

According to Serpent, “it’s going to happen to a lot more people” and the key to avoiding such unfortunate events is to:

“Always use a cold wallet to store your valuables. Never give out verification codes to anyone. Protect your information, don’t give out your phone number or your personal email. Caller information is easy to spoof. Companies like Apple will never call you.”

It is worth noting that a cold wallet, also called a hardware wallet or cold storage, is a physical device resembling a USB drive that stores an individual’s private keys and cryptocurrency completely offline, away from any attacks exploiting online software.

MetaMask details how to disable iCloud backup

In the meantime, MetaMask has posted on its Twitter account the instructions on how to disable this backup:

Considered a hot wallet, MetaMask is one of the most popular software cryptocurrency wallets for holding ERC-20 tokens and interacting with decentralized apps (dApps) on the Ethereum and Binance Smart Chain (BSC) networks.
