MetaMask Crypto Wallet Seeds Exposed In iCloud Backups, $650K Theft Shows

By ISBuzz Team
Writer , Information Security Buzz | Apr 20, 2022 06:28 am PST

MetaMask, a cryptocurrency wallet and blockchain app gateway used by more than 21 million investors, tweeted a warning (raw link at bottom) to iOS users: if they have iCloud backup enabled, their wallets can be emptied by anyone who phishes their iCloud credentials.

With iCloud backup enabled, MetaMask's app data, including the vault that holds the user's seed phrase (the recovery key to the wallet, typically 12 words), is copied to iCloud along with everything else on the phone. Anyone who takes over the Apple ID can restore that backup; the seed inside is protected only by the MetaMask app password, so a weak password is all that stands between the attacker and the funds.

@sentinelwtf founder @serpent shares that a MetaMask user (@revive_dom) lost $655k in a phishing attack: “MetaMask actually saves your seed phrase file on your iCloud. The scammers requested a password reset for the victim’s Apple ID. After receiving the 2FA code, they were able to take control over the Apple ID, and access iCloud which gave them access to the victim’s MetaMask.”
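Why the backup itself is the problem, as an added example (this is not code from the article, from MetaMask, or from the people quoted above): MetaMask's full warning was that the backed-up app data includes the password-encrypted MetaMask vault. Once an attacker has restored that backup, the vault is a file on their own machine and the only remaining defence is the app password, guessed offline with no rate limit, lockout or 2FA in the way. The script below builds a vault blob in a MetaMask-like JSON shape (data, iv, salt) using PBKDF2-HMAC-SHA256 for key derivation, with a standard-library HMAC-SHA256 keystream and tag standing in for AES-GCM so it runs without third-party packages; the iteration count (10,000), the key split and the field names are assumptions, not MetaMask's exact parameters, and the seed phrase and wordlist are constructed placeholders. It then runs the wordlist against two vaults to show that a weak password falls to offline guessing while a long passphrase does not.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

# Assumed parameters, not taken from the article or from MetaMask's code:
# PBKDF2-HMAC-SHA256, 10,000 iterations, random 32-byte salt, 64-byte output
# split into an encryption key and a MAC key.
PBKDF2_ITERATIONS = 10_000
SALT_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """One PBKDF2 run per password guess; this is the only cost an offline attacker pays."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stdlib stand-in for AES-GCM's cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(seed_phrase: str, password: str) -> dict:
    """Produce a vault blob shaped like MetaMask's {data, iv, salt} JSON (shape assumed)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = seed_phrase.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # authenticates, like GCM's tag
    return {
        "data": base64.b64encode(ciphertext + tag).decode("ascii"),
        "iv": base64.b64encode(nonce).decode("ascii"),
        "salt": base64.b64encode(salt).decode("ascii"),
    }


def decrypt_vault(vault: dict, password: str) -> Optional[str]:
    """Return the seed phrase, or None when the tag check fails (wrong password or tampering)."""
    salt = base64.b64decode(vault["salt"])
    nonce = base64.b64decode(vault["iv"])
    blob = base64.b64decode(vault["data"])
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))).decode("utf-8")


def offline_guess(vault: dict, wordlist: List[str]) -> Optional[Tuple[str, str]]:
    """What an attacker holding the restored backup can do without touching any server:
    try candidates until the tag verifies. No rate limit, no lockout, no 2FA."""
    for candidate in wordlist:
        seed = decrypt_vault(vault, candidate)
        if seed is not None:
            return candidate, seed
    return None


# Constructed sample data (not from the article; the phrase is a placeholder, not a real mnemonic).
SEED_PHRASE = "placeholder seed words one two three four five six seven eight nine"
WORDLIST = ["123456", "password", "qwerty", "letmein", "metamask1", "password123"]


def demo() -> dict:
    weak = encrypt_vault(SEED_PHRASE, "password123")                    # in the attacker's wordlist
    strong = encrypt_vault(SEED_PHRASE, "tulip-granite-31-orbit-canoe")  # not guessable from the list
    return {
        "weak_password": offline_guess(weak, WORDLIST),
        "strong_password": offline_guess(strong, WORDLIST),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the two runs: a phished Apple ID plus an iCloud backup turns an online problem (2FA prompts, reset rate limits) into an offline one, where the attacker pays only a PBKDF2 run per guess and nothing in Apple's or MetaMask's server logs records the attempts. Either keep the wallet's app data out of the cloud backup or pick a vault password that survives a large-wordlist guess; the Apple ID password and its 2FA are not protecting the seed once the backup has been restored.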

Experts with Cyvatar and Shared Assessments offer comments.

2 Expert Comments
Dave Cundiff, Vice President
April 20, 2022 2:28 pm

As today’s technology becomes increasingly complex, users sometimes mistakenly assume that successful attacks will need to be equally complex. All items currently leveraging blockchain or web3 still rely on the fundamental building blocks of infrastructure. Servers, networking, users, authentication, etc. are all still fundamental pieces within the overall uses of these new technologies. As such, sometimes deceptively simple attacks can allow for these types of successes on the part of the attacker. However, unlike with a federally or institutionally insured banking entity, there is currently limited recourse for recovery of funds. No matter the banking entity you are working with, whether it be a cryptocurrency wallet or a traditional brick-and-mortar bank, NEVER follow text message instructions.

Anytime you receive a text message saying you need to reset something, it is imperative to go to the standard website from a different device to make the requested change. This will prevent even the possibility of a low-level attack like this from getting past its first step. Additionally, there are currently no providers, such as Apple or Google, who will ever request your 2-factor code. If someone ever asks you to provide a verification code verbally over a phone call, they are most likely not a proper representative.

Nasser Fattah, Executive Advisor
April 20, 2022 2:27 pm

Often when we back up our iPhones to the cloud, we don’t think of what to exclude in the event our Apple credential is compromised. Backups are often all or nothing.

Additionally, there is certain information, like passwords or pins, that should be deemed suspicious when being requested by support staff. When in doubt, or if you’re getting the heebie-jeebies, then it is time to stop engaging with the requester and call the official number of the entity that is asking for one’s sensitive information.

