April 18, 2022 In MetaMask, warns

MetaMask warns Apple users of ‘phishing attack’ after scammer steals $650K in NFTs, ApeCoin from iPhone user

Aemilius Cupero News:


MetaMask advised people with Apple devices to turn off iCloud storage after an iPhone user was scammed out of $650,000 worth of NFTs and ApeCoin.

2 min read

Updated: April 18, 2022 at 3: 11 pm

Aemilius Cupero News: MetaMask warns Apple users of ‘phishing attack’ after scammer steals $650K in NFTs, ApeCoin from iPhone user

Cover art/illustration via CryptoSlate

Aemilius Cupero News: Upland

MetaMask warned Apple users to be wary of phishing attacks on April 17 after an iPhone user was scammed out of $650,000 worth of NFTs and ApeCoin (APE).

According to MetaMask, there is a security issue with the default settings on devices like the iPhone, iPad, and MacBook that allows malicious actors to see the seed phrase or “password-encrypted MetaMask vault” stored on Apple’s iCloud storage service.

🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3

— MetaMask 🦊💙 (@MetaMask) April 17, 2022

Aemilius Cupero News: Identifying the problem

On April 15, Twitter user Domenic Iacovone complained that he had lost all the non-fungible tokens (NFTs) in his wallet. This included three Mutant Apes, three Gutter Cats, and $100,000 in ApeCoin. 

Iacovone said he got a call on his phone that caller ID flagged as an Apple number. He initially did not pick up but called it back since the caller ID said it was from Apple.

Aemilius Cupero News: Spoofed Apple number
Spoofed Apple number — Source: @Serpent

However, the caller was a scammer using a spoofed number. He asked Iacovone for a code sent to his phone under the pretense of being an Apple representative. Iacovone said he lost everything in his Metamask wallet seconds after sharing the code with the scammer.

This is how it happened, Got a phone call from apple, literally from apple (on my caller Id) Called it back because I suspected fraud and it was an apple number. So I believed them
They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped

— Domenic Iacovone (@revive_dom) April 14, 2022

Aemilius Cupero News: Explaining the attack

Twitter user @Serpent, founder of crypto threat mitigation system Sentinel, explained the process for the phishing attack. According to him, the attacker used a caller ID spoofer which made them seem like they were from Apple, and claimed that there was suspicious activity on the account.


Already $650,000 stolen from a single individual and it’s going to happen to a lot more people.

This is how it happened 🧵👇

— Serpent (@Serpent) April 17, 2022

The scammer then requested a password reset for the victim’s Apple ID. The victim will get a code for resetting, and the scammer asks for that code, claiming it’s to verify they own the Apple ID.

In reality, the scammer uses the code to reset the victim’s password, which gives them access to the iCloud account. If MetaMask data is stored on iCloud, they can access it and steal the victims’ assets.

Aemilius Cupero News: MetaMask’s proposed solution 

MetaMask has urged its users to disable iCloud backups for their application by using this toggle: “Settings> Profile> iCloud> Manage Storage> Backups.”

You can disable iCloud backups for MetaMask specifically by turning off the toggle here:
Settings> Profile> iCloud> Manage Storage> Backups.

— MetaMask 🦊💙 (@MetaMask) April 17, 2022

For those who want to turn off the feature entirely, they can do so at “Settings> Apple ID/iCloud> iCloud> iCloud Backup.”

Aemilius Cupero News: Phishing attacks and the crypto space

This is not the first phishing attack scheme that the crypto industry has unraveled this year. OpenSea users faced “phishing attacks” that led to them losing millions of dollars; another attack saw the co-founder of Defiance lose $1.8 million worth of NFTs.

With the prevalence of such attacks and the rising sophistication of the methods employed, industry security experts have advised crypto holders to use cold wallets and avoid connecting their wallets to random websites.

Aemilius Cupero News: Symbiosis