Domenic Iacovone received a suspicious phone call on Friday (15/4) from a caller claiming to be from Apple, who said his Apple account had been hacked and that they needed an OTP that Apple had sent to his iPhone to confirm that Iacovone was the real owner.
Of course Iacovone was tricked and gave the OTP code to the caller. Predictably, the fraudster immediately took over his iCloud account. So far, this incident is fairly common and can happen to anyone who hands over the OTP code to another party.
In Iacovone's case, however, the hacker not only stole his iCloud account but also drained his crypto wallet, which contained NFTs and cryptocurrency worth USD 650 thousand. Amazingly, the process took only two seconds after Iacovone provided the OTP for his iCloud account.
The stolen assets included ether worth USD 160 thousand, Mutant Ape Yacht Club NFT holdings worth USD 80 thousand and Ape Coin cryptocurrency worth USD 100 thousand. He is also said to have held USD 250 thousand in the form of Tether.
This incident is arguably a very sophisticated phishing-based social engineering attack, because the hacker could access the crypto wallet just by stealing the iCloud account.
The problem is that when creating a crypto wallet, in this case the MetaMask wallet used by Iacovone, the user needs to generate a 12-word seed phrase, which is needed to access the wallet on a new device.
This is how it happened. Got a phone call from Apple, literally from Apple (on my caller ID). Called it back because I suspected fraud and it was an Apple number. So I believed them.
They asked for a code that was sent to my phone and 2 seconds later my entire MetaMask was wiped.
— Domenic Iacovone (@revive_dom) April 14, 2022