An NFT collector lost over $600,000 thanks to an ingenious phishing attack and a little-known vulnerability in the iOS version of MetaMask. The story is told by CNET: a major investor in crypto collectables was approached several times by none other than Apple.
The incoming call log left no doubt: it was the Cupertino company calling, several times. Suspicious, the collector decided to call the number back and, surprisingly, an operator picked up on the other end. "Apple" explained that it needed to verify his identity with a code sent to his number. In short, classic two-factor authentication. The collector diligently complied, the call was cut off and, poof, as if by magic his entire Ethereum wallet was emptied.
There is nothing left: his three Mutant Ape Yacht Club NFTs are gone, along with two Gutter Cats and, finally, $100,000 in ApeCoin, the new token from Yuga Labs. For the record, a single MAYC is worth about the same as a garage in a central area of a medium to large city. We are talking about a haul of more than 600 thousand dollars.
Now the dynamics are at least partially clear: Apple has nothing to do with it. The criminals most likely made their calls appear to come from a genuine company phone number through a technique known as spoofing. The code sent to the victim's number was the two-factor authentication code for access to his iCloud account. It remains to be understood what iCloud has to do with MetaMask, the most widely used non-custodial wallet in the Ethereum ecosystem (and therefore among the most popular for NFTs).
How could a compromised iCloud account turn into a compromised wallet? MetaMask's own social media accounts reveal it: the seed phrase (the keys to the kingdom that give access to a wallet and allow it to be exported to another device) is saved to iCloud by default. MetaMask had never disclosed this, even though it is essential information.
It is as if your bank's app had stored your customer code and your current account PIN in plain text on iCloud, leaving this information at an attacker's mercy. The difference is that banks are insured and in some cases can reimburse the victim of bank fraud. That does not happen in the world of cryptocurrencies and decentralized assets: all the NFTs stolen from the collector have already been sold, and the transactions, by design of the Ethereum blockchain, are irreversible. MetaMask is not, however, a "masterless" product: it is made by a company, ConsenSys Software Inc. It remains to be seen whether, given this major omission, MetaMask will have to answer for the theft.
Source: Lega Nerd
