$650K MetaMask & iCloud Hack, Here's How to Stay Safe

Over the weekend, a new MetaMask and iCloud phishing scam cost one web3 user over $650,000 when he accidentally reset his Apple ID password for the hacker. But how did the scammer gain access to this victim's MetaMask with just his Apple ID and iCloud password?

Here's how the new phishing attack works and how to stay safe.


New MetaMask & iCloud Phishing Scam

MetaMask's mobile application saves your seed phrase file to iCloud if you have enabled iCloud backup for app data, which is the default and commonplace for iPhone users. If a hacker gains access to your iCloud account, they have access to your password-encrypted MetaMask vault, which gives them access to your seed phrase.

Once a hacker has access to your seed phrase, it's game over. They can access your MetaMask crypto wallet and drain your entire account in minutes.

In this specific case, the scammer sent multiple Apple ID password reset requests to the victim's iCloud account. This was intended to make it look like a suspicious hacking attempt was currently taking place.

Then, the scammer called the victim from a phone number that showed Apple Inc. as the caller ID. They claimed to be Apple support and asked to reset the victim's Apple ID password. The scammer sent a code to the victim, who then gave the code to the scammer, and that's all it took.

The scammer hung up the phone, used the code to reset the victim's Apple ID password, logged into the victim's iCloud account, found the victim's seed phrase, and drained the victim's account of over $650,000 in cryptocurrencies.


How to Stay Safe From This MetaMask & iCloud Hack

There are a few best practices to stay safe from phishing scams like the one mentioned above:

  1. Use a cold wallet to store your cryptocurrencies. The two most popular hardware wallets, also called offline wallets, are Ledger and Trezor.
  2. Always protect your personal data and never give access codes to anyone. Scams and hacks are getting more elaborate, and it is sometimes difficult to tell what is real and what is fake. Err on the side of caution.
  3. Never tell anyone your seed phrase. Always keep it offline.

To combat this specific phishing scam, MetaMask suggests disabling iCloud backup for MetaMask's application. To do this, go into your iPhone's settings, then go to Profile --> iCloud --> Manage Storage --> Backups. Turn off the toggle.

You can also turn off iCloud backup by going into your iPhone's settings and choosing Apple ID/iCloud --> iCloud --> iCloud Backup. Turn off the toggle.

Stay safe out there.

Disclaimer: The author or members of the Lucky Trader staff may own NFTs discussed in this post. Furthermore, the information contained on this website or the Lucky Trader mobile application is not intended as, and shall not be understood or construed as financial advice. AI may have assisted in the creation of this content.