Domenic Iacovone got a very strange call on Friday night that appeared to come from Apple. A lot of messages had asked him to change his Apple ID password, so he thought the person who called was a scammer. The call came through on his iPhone as Apple Inc., with a number linked to Apple's online store. So he called back. They said that Iacovone's account had been hacked, and that they needed the one-time code Apple had sent to his iPhone to make sure he was the account's owner. He gave it to them. Then, two seconds after he wrote about it on Twitter, his crypto wallet was empty.

Some $650,000 worth of cryptocurrency and NFTs were gone in a flash.

People who use MetaMask say that someone took at least $160,000 worth of Ethereum, a Mutant Ape Yacht Club NFT worth about $80,000, and $100,000 worth of the Ape Coin cryptocurrency. It is also said that Iacovone had $250,000 in Tether, which is a stablecoin that is linked to the US Dollar.

 

The attack is more than just a sophisticated, socially engineered phishing scam. Crypto and NFT traders were quick to ask: how could someone who got into iCloud also get into someone's crypto wallet? When you create a wallet, you get a 12-word seed phrase that you need in order to restore the wallet on new devices. The first rule of cryptocurrency trading is to keep your seed phrase safe at all costs. Unless a person has their seed phrase written down in a document that is stored on iCloud, it doesn't follow that iCloud access would give an attacker access to MetaMask. Iacovone didn't have that document.

A crypto security expert who goes by the name Serpent found that when you use the MetaMask app on your iPhone, it stores a seed phrase file on iCloud. MetaMask, the most popular Ethereum-based wallet, tweeted a statement about the security flaw on Sunday. It gave users instructions on how to disable iCloud backups so they can keep their money safe.

"Key points," Serpent wrote in a tweet. "A cold wallet is always the best place to keep your money and other important things safe. Verification codes should never be given out to other people. Do not give out your phone number or personal email address to anyone. In this case, it is very easy to change the information about the person who called you. Apple won't call you."

Already $650,000 has been taken from one person, and it's going to happen to many more.

The incident shows one of the main problems with decentralized finance: there is no central authority that can undo the damage or issue refunds. Blockchain transactions can't be reversed, so neither MetaMask nor any other company can give back the money that was lost. There isn't much OpenSea can do to stop people from buying Iacovone's stolen NFTs, but they can mark his account as "suspicious." By then it was too late: as soon as the Mutant Ape was stolen from his wallet, it was sold for $80,000 (26.5 ether).

"We should all get MetaMask to change their terms and app so that it is clear that they share your seed phrase with iCloud," Iacovone said on Monday. "This will be worth it if we can help one person."

MetaMask was asked for comment, but did not respond right away.
