He was robbed of $650,000 in cryptocurrency and NFT via iCloud – CNET France

Domenic Iacovone got an unusual phone call from Apple last Friday. Previously, he had received several messages asking him to reset his Apple ID password, so he suspected a scam. But the call on his iPhone did show the name Apple Inc, with a number associated with Apple’s online store. He felt confident and called back. The person on the other end of the line told him that his account had been compromised and that they needed the one-time code that Apple had sent to his iPhone to make sure he was the owner of the account. Domenic Iacovone handed over the code. Two seconds later, he says in a Twitter thread, his cryptocurrency wallet was empty. About $650,000 worth of cryptocurrencies and NFTs disappeared in an instant.

Among the assets the victim claims were stolen from his MetaMask wallet were at least $160,000 worth of Ether, a Mutant Ape Yacht Club NFT worth around $80,000 and $100,000 in Ape Corner. There was also reportedly $250,000 worth of Tether, a stablecoin pegged to the US dollar.

MetaMask passphrase was stored in iCloud

How could access to iCloud allow a hacker to drain a victim’s cryptocurrency wallet? When you create a crypto wallet, you receive a secret recovery phrase of 12 words, which is required to access the wallet on new devices. The rule of thumb is therefore to protect this phrase at all costs. In Domenic Iacovone’s case, the recovery phrase was stored in iCloud.

A crypto security expert who calls himself Serpent has discovered that the MetaMask app for iPhone automatically stores a file containing the recovery phrase on iCloud. MetaMask responded to the discovery of this security flaw by giving users instructions on how to disable iCloud backups.

“Always use a cold wallet to store your valuables. Never give verification codes to anyone,” recommends Serpent. “Protect your information, do not give out your phone number or personal email address. Caller information is easy to fake. Companies like Apple will never call you.”

This incident highlights the main drawback of decentralized finance, namely the absence of central authorities to undo or reimburse damages. Blockchain transactions cannot be undone, which means MetaMask or any other company cannot refund lost assets. OpenSea, the largest marketplace for NFTs, can do little more than mark Domenic Iacovone’s account as “suspicious” to deter purchase of his stolen NFTs. It was too little too late, as the Mutant Ape stolen from his wallet was quickly sold for $80,000 (26.5 ether).

“Let’s get MetaMask to update its terms of service and app to make it clear that it shares your recovery phrase with iCloud,” tweeted Domenic Iacovone. “If we can save one person from this situation, it will be worth all the trouble,” he concludes philosophically.

CNET.com article adapted by CNETFrance
