What you need to know
- An investor has lost some $650,000 in crypto and NFTs after falling for an iCloud scam.
- Domenic Lacovone received a call from someone posing as Apple who asked for a verification code to reset his iCloud password.
- Lacovone's MetaMask seed phrase was stored in his iCloud keychain, giving the thief access to all of his crypto wallet.
An investor has lost an estimated $650,000 in cryptocurrencies and NFTs after being duped into handing over a verification code for iCloud to someone posing as Apple on the phone.
CNET first reported the plight of Domonic Lacovone over the weekend:
Domenic Iacovone recieved an unusual phone call from Apple on Friday night. He'd recieved several messages asking him to reset his Apple ID password, and so suspected the caller of being a scam. But the call came through on his iPhone as Apple Inc., with a number associated with Apple's online store, so rang back. The person the other side of the phone said Iacovone's account had been compromised, and that they needed the one-time code Apple sent to his iPhone to ensure he was the account's owner. Iacovone gave it to them. Two seconds later, he recounted in a Twitter thread, his crypto wallet was wiped dry.
Assets taken included $160,000 worth of ether, a Mutant Ape Yacht Club NFT worth $80,000, $100,000 of Ape Coin cryptocurrency, and $250,000 in Tether.
Hey y’all, let’s see how amazing this community can be. My entire wallet was just stolen. Totally wiped out,
MAYC 28478, MAYC 8952, MAYC 7536
Gutter cat 2280 , 2769, 2325
Also stole 100k in ape coin.
Looking for all the help I can get.
100kreward @BoredApeYC @GutterCatGangHey y’all, let’s see how amazing this community can be. My entire wallet was just stolen. Totally wiped out,
MAYC 28478, MAYC 8952, MAYC 7536
Gutter cat 2280 , 2769, 2325
Also stole 100k in ape coin.
Looking for all the help I can get.
100kreward @BoredApeYC @GutterCatGang— Domenic Iacovone (@revive_dom) April 14, 2022April 14, 2022
According to one crypto security expert, the scam involves a caller ID spoof, which makes a random number look like a call from Apple, as Lacovone noted in his story. The caller requests a password reset using the victim's Apple ID, and then asks the victim for the verification code sent by Apple, usually a six-digit number, once they have that code, they can reset the victim's password, accessing all of their iCloud data. According to the report, that data would include the seed phrase used to protect MetaMask, an Ethereum-based crypto wallet. According to the report, MetaMask took to Twitter Sunday, warning users to disable iCloud backups for MetaMask:
🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3🔒 If you have enabled iCloud backup for app data, this will include your password-encrypted MetaMask vault. If your password isn’t strong enough, and someone phishes your iCloud credentials, this can mean stolen funds. (Read on 👇) 1/3— MetaMask 🦊💙 (@MetaMask) April 17, 2022April 17, 2022
In response, crypto security expert Serpent offered the standard advice regarding falling for such scams, namely, never give out your Apple verification codes to anyone, and remember that companies like Apple "will never call you" in situations like this. Serpent also warned crypto and NFT investors to use a cold wallet to store valuables.
