What you need to know
- An investor has lost some $650,000 in crypto and NFTs after falling for an iCloud scam.
- Domenic Iacovone received a call from someone posing as Apple who asked for a verification code to reset his iCloud password.
- Iacovone's MetaMask seed phrase was stored in his iCloud keychain, giving the thief access to his entire crypto wallet.
An investor has lost an estimated $650,000 in cryptocurrencies and NFTs after being duped into handing over a verification code for iCloud to someone posing as Apple on the phone.
CNET first reported the plight of Domenic Iacovone over the weekend:
Domenic Iacovone received an unusual phone call from Apple on Friday night. He'd received several messages asking him to reset his Apple ID password, and so suspected the caller of being a scam. But the call came through on his iPhone as Apple Inc., with a number associated with Apple's online store, so he rang back. The person on the other side of the phone said Iacovone's account had been compromised, and that they needed the one-time code Apple sent to his iPhone to ensure he was the account's owner. Iacovone gave it to them. Two seconds later, he recounted in a Twitter thread, his crypto wallet was wiped dry.
Assets taken included $160,000 worth of ether, a Mutant Ape Yacht Club NFT worth $80,000, $100,000 of Ape Coin cryptocurrency, and $250,000 in Tether.
According to one crypto security expert, the scam involves a caller ID spoof, which makes a random number look like a call from Apple, as Iacovone noted in his story. The caller requests a password reset using the victim's Apple ID, and then asks the victim for the verification code sent by Apple, usually a six-digit number. Once they have that code, they can reset the victim's password, accessing all of their iCloud data. According to the report, that data would include the seed phrase used to protect MetaMask, an Ethereum-based crypto wallet. According to the report, MetaMask took to Twitter Sunday, warning users to disable iCloud backups for MetaMask.
In response, crypto security expert Serpent offered the standard advice regarding falling for such scams, namely, never give out your Apple verification codes to anyone, and remember that companies like Apple "will never call you" in situations like this. Serpent also warned crypto and NFT investors to use a cold wallet to store valuables.