Man Loses $651,000 in iPhone Scam, Accuses MetaMask

A Twitter user under the alias “Domenic Iacovone” shared details of how a simple vishing scam led to the loss of his NFTs. Iacovone has repeatedly leveled accusations at MetaMask and ConsenSys in the past 24 hours.

On April 15th, a MetaMask security vulnerability came to light when a crypto investor posted a complaint on Twitter. He stated that he lost more than half a million pounds after a phone call from a number identified as ‘Apple.’ This was, of course, a spoofed caller ID. Domenic says the attackers requested a code that was immediately sent to his phone. Two seconds later, his entire MetaMask portfolio ceased to exist.

Domenic Iacovone’s valuable non-fungible tokens were in the exploited wallet. He mentioned the following:

“MAYC 28478, MAYC 8952, MAYC 7536, Gutter cat 2280, 2769, 2325, and 100k in ape coin.”

Domenic’s MetaMask Claim

What started as a cry for help has exposed a possible MetaMask security flaw. When new users open a wallet, MetaMask assigns them a highly confidential seed phrase that must be kept private. Seed phrases are needed when restoring a wallet or switching devices. Unknown to most Apple users, iCloud also automatically backs up encrypted seed phrases. Consequently, unauthorized access to your iCloud account increases the risk that the seed phrase is discovered and the wallet's contents stolen. The fraud victim was unaware of this setting.

Domenic Iacovone is set to take up a case with MetaMask. However, MetaMask never provided a direct reply to the tweets. Instead, two days later, they issued a step-by-step process for deactivating iCloud backup for cloud data. They tweeted:

“If you want to avoid iCloud surprising you with unrequested backups in the future, you can turn off this feature at Settings > Apple ID/iCloud > iCloud Backup.”

According to some of the responses, MetaMask’s lack of response to the scam is a bit concerning, as it appears the team might be sidestepping accountability. ConsenSys, an Ethereum blockchain software company, is also a target of Domenic’s fury. Domenic expressed his rage by adding:

“Don’t tell us to never store our seed phrase digitally and then do it behind our backs. If 90 percent of people knew this, I would bet none of them would have the app or iCloud on.”

Susceptibility and Poor Vigilance

Several Twitter users have ridiculed the nature of the scam. However, according to Cisco’s 2021 cybersecurity threat trend report, more than 240,000 people are victims of similar attacks. Poor security awareness and complacency towards reading company policies are likely contributing factors to these events. The victim’s lack of awareness makes up for the attack’s lack of sophistication. For someone in command of such large assets, many feel Domenic should have been more vigilant.

What Is the Way Forward?

Domenic Iacovone has offered a $100,000 reward for the recovery of the stolen funds. Domenic and Twitter users have also tagged OpenSea to flag the stolen NFTs. OpenSea has two major security measures for combating theft cases. The first is to sandbox the compromised account and block the stolen NFTs to make forensic tracing easier. Blocking the NFTs is time-sensitive, as it is only effective before the hacker sells them to another unsuspecting buyer.

Most stolen NFTs are likely gone forever. The only recent case of recovered NFTs occurred in February. Mintable decided to return some tokens it had purchased without knowing that they were stolen from their original owners. Over a million dollars’ worth of NFTs from that exploit remain lost. However, with numerous publications and a scheduled Channel 5 interview, Domenic does not appear ready to give up.

MetaMask Hacks Are Not Impossible

Malicious attackers gaining access to MetaMask wallets is not a new occurrence. There are MetaMask app clones and multiple fake MetaMask browser extensions around the internet. The prevalence of airdrop links and dodgy crypto sites also traps newcomers with no security knowledge. The two-factor authentication typically used by exchanges does not apply to MetaMask due to its decentralized nature. Since it is a hot wallet, there is a chance that it is not one hundred percent secure.

To mitigate the risk of attacks, users are advised against storing large sums in their wallets. MetaMask itself recommends that users get a hardware wallet once they have ample funds. While Apple users should disable iCloud backup of app data, there is also a need to reiterate basic security principles. For example, users must never share one-time passwords (OTPs), authenticator codes, and the like with a third party.

Hackers are constantly working to develop ingenious new ways to attack. The cryptocurrency world emphasizes users’ ability to DYOR (Do Your Own Research). The user has a responsibility to be vigilant enough to avoid social engineering attacks.

