Security agency research: Purchasing an overseas Apple ID may lead to the theft of crypto assets

According to @dilationeffect, extensive research and analysis uncovered a rarely noticed attack scenario, which was successfully reproduced on some wallet apps. Many Chinese users purchase a US Apple ID (on Taobao) or use one shared online. Because the iPhone's backup mechanism backs up mobile app data to the cloud, an attacker signed in to the same Apple ID as you can restore your wallet app data on their own phone. On-chain tracking of the stolen funds found a mature criminal gang behind the thefts, and the funds stolen from victims have accumulated to more than 10 million US dollars. If you have purchased or used an Apple ID provided by others, stop using it immediately and transfer your wallet assets immediately.

The full text is as follows:

Recently, some people reported that their wallets were inexplicably stolen (coins and NFTs were emptied). The common feature was that they used iPhones, did not click on random links, and did not save the mnemonic phrases in the phone album or cloud service, but only copied them on paper. These users are puzzled.

To this end, we conducted a lot of research and analysis and discovered an attack scenario that is rarely noticed by people, and successfully reproduced it on some wallet apps.

There are country or region restrictions when downloading apps from the App Store. For example, accounts in mainland China cannot download some apps. Many users will purchase (Taobao) or use a US Apple ID shared online. Because the iPhone's backup mechanism will back up mobile app data to the cloud, an attacker can use the same Apple ID as you to restore your wallet app data on his phone.

In addition, the local access password of the wallet is not very complicated, and the attacker can easily crack it and transfer your assets away. After tracking the stolen funds on the chain, we found that there was a mature criminal gang behind it. The stolen funds of the victim users have accumulated more than 10 million US dollars.

Since there are many Web3 users who have purchased or used other people’s Apple IDs, the Expansion Effect Security Community hereby makes an urgent reminder:

1. For users who use iPhone and have installed the wallet app, if you have purchased or used an Apple ID provided by someone else, please stop using it immediately and transfer your wallet assets immediately.
2. This attack scenario has been successfully reproduced on some popular wallet apps on the market. We call on major wallet manufacturers to pay attention to and investigate this issue, actively optimize it, and issue reminders to users.
