Phishing Scam Targets iCloud Backups Containing MetaMask Crypto Wallet Seed Phrase

by | Apr 28, 2022

What exactly are apps automatically writing to your cloud storage? A recent phishing scam targeting crypto wallets serves as a reminder to periodically check.

The MetaMask crypto wallet, the app most commonly used for Ethereum transactions, automatically writes the security seed phrase to Apple device users iCloud backups unless the feature is manually disabled. Many of MetaMask’s 30 million users are not aware of this feature, but hackers certainly are. Phishing scams are targeting Apple device users known to use the MetaMask app, attempting to reset their credentials and gain access to the device using Apple’s iForgot recovery system.

Apple device users targeted by phishing scam that drains crypto funds

The phishing scam makes use of a call that appears to come from Apple, with the attackers apparently able to spoof a phone number that appears to be legitimate. Apple does not call users for matters such as these, but this appears to be another thing that is not widely known.

The bogus call may be preceded by similar text messages. When the user responds, the scammer claims to be from Apple’s security department and says that the account may have been compromised. They will have a verification code sent to the user and ask that it be repeated to them. What the scammer is actually doing is having a verification code generated via iForgot and sent to the user. With the code, they can take over the account and retrieve the crypto wallet security phrase from iCloud in a matter of seconds. Draining the wallet can be done just as fast.

Thus far there has been only one verified successful attack using this method, but it was a doozy: $650,000 in assets stolen in a matter of seconds. Similar phishing scams are expected as there are likely millions of MetaMask users who are similarly vulnerable.

Crypto wallet instantly drained of over a half million dollars in funds

The unfortunate phishing scam victim lost a quarter of a million dollars in Tether, $160,000 in Ether, $100,000 in Ape Coin, and an NFT valued at $80,000 along with some other digital assets of smaller value. The scamsters are assumed to have an automated script ready that can retrieve the seed phrase from iCloud and drain the crypto wallet in under a minute once the victim gives them the one-time recovery code generated by Apple.

Security experts caution that Apple never reaches out to customers by phone about account access issues such as these, and contact by text message is rare. If there is any question, instead of directly replying to the contact information provided in a message, get in touch with an alternate source at the company to see if it is attempting to reach out about something. This will keep phishing scams from getting that initial foot in the door. If cloud storage is in use, it should also be regularly reviewed to see exactly what apps are writing to it.

How can we help?

2 + 8 =