17.1 BTC stolen from user Trezor via scam in the App Store

A Trezor wallet user lost 17.1 BTC, now worth nearly $ 1 million, after downloading a fake app from the Apple App Store.

Last month, Phillipe Christodoulou decided to test his bitcoins stored on the Trezor hardware wallet. To do this, the user downloaded a mobile application in the App Store. However, after downloading the app and entering the credentials, he found that his 17.1 BTC had been stolen. Then they cost about $ 600 thousand, but now their cost is close to $ 1 million.

The downloaded app turned out to be fake, despite being rated five stars. Christodoulou later went back to the App Store to take a closer look at the reviews. Before the fake Trezor app was removed from the App Store, it had 155 highly rated reviews. However, when Christodoulou opened the written reviews, he saw complaints from other people who had been deceived in the same way. It turns out that the five-star ratings were also fake. But the most interesting thing is that the mobile application for Trezor from the wallet developers does not exist at all.

Christodoulou said he was more offended by Apple than by the scammers themselves. Apple positions the App Store as a safe place to buy apps, each of which is rigorously reviewed. Apple has guaranteed the safety, reliability, usefulness, and uniqueness of all content on the App Store. The company also states that 15% to 30% commissions charged on all App Store trade transactions are used to improve customer service.

“I was once a regular customer of Apple, but now I no longer admire the company. Apple has betrayed my trust, and this should not get away with what happened, ”said the affected user.

Apple employee Fred Sainz responded that user trust lays the foundation for business. Numerous studies show that the App Store is one of the safest app markets in the world, and Apple is constantly working to maintain its standards and strengthen the App Store’s security. However, in some cases, criminals manage to deceive the company and users. Therefore, Apple is taking prompt action against attackers to prevent similar breaches in the future.

Apple has acknowledged that other fraudulent cryptocurrency applications have appeared in the App Store. However, the company did not clarify whether fake Trezor apps have appeared in the App Store in the past, or whether new apps called Trezor will be flagged as fraudulent. Apple also did not reveal the name of the developer of the fake Trezor app or provide contact information. It is not known whether the company passed this data on to law enforcement agencies, and whether there will be further investigation into this developer. Apple also did not disclose whether it created other applications, and whether this scammer could operate under different accounts on the site.

Experts believe it’s actually easy for scammers to circumvent Apple’s rules. Attackers can submit completely harmless applications for approval, and then make changes to them necessary to carry out phishing attacks. When Apple finds out about this, the company removes such applications and blacklists their developers. Unfortunately, it is already too late for people who have fallen into the bait of scammers. The ability of apps to turn into malware after App Store approval raises many questions about the effectiveness of Apple’s checks. In addition, the company does not disclose how often such fraudulent “products” appear or how quickly they are removed. At the same time, it is known that about 6,500 applications were removed last year due to “hidden or undocumented features.”

Coalition for App Fairness CEO Meghan DiMuzio believes Apple may be spreading false information about users’ privacy and security. According to DiMusio, Apple is inconsistent in applying its security standards to applications, and only does so when it benefits Apple.

British cryptocurrency fraud company Coinfirm reported that it has received over 7,000 complaints about the theft of digital assets since October 2019. The affected users used fake apps purchased from the Google Play Store and Apple App Store. Coinfirm reported that five people have already used the fake Trezor app for iOS, and their total losses amounted to $ 1.6 million. The company also received messages from people who downloaded the malicious Trezor app for Android, after which they lost $ 600,000 worth of cryptocurrencies.

Trezor is the first and most famous hardware wallet manufacturer. However, it does not have a mobile app, although the company has started working on it. Trezor spokeswoman Kristina Mazankova said the company has repeatedly notified Apple and Google about fake apps appearing in their app stores. However, the communication process is complicated by the fact that Apple and Google do not keep in touch. Mazankova said that on February 1, Trezor notified Apple of the appearance of the fake app, and Apple only removed it on February 3. However, the app reappeared after a few days.

According to rough data from Sensor Tower, the rogue Trezor app was in the Apple App Store from January 22 to February 3 and was downloaded about 1,000 times. Georgia engineer James Fajcz also reported stealing crypto assets after downloading a similar application. In December, he bought BTC and ETH for $ 14,000 and decided to store them on the Trezor hardware wallet. He later downloaded a rogue Trezor app that asked for a seed. According to the user, the app was not connecting to the Trezor wallet, so the engineer decided it was not working. A few weeks later, he bought more ethers, but connecting to his Trezor found that there was nothing there.

“Upon learning that the Trezor app didn’t really exist, my jaw dropped to the floor. I realized what I had done. How did this nefarious app end up on the App Store’s claim to being the best and most trusted app store? Apple must be held accountable for this, ”said the victim.

Analyst firm Chainalysis found that the crypto assets of Faitz and Christodoulou could have been stolen by the same attackers. The company found evidence that it was a massive, multi-million dollar scam. Christodoulou still has not recovered from what happened and is now forced to take medications and go to a psychologist.

Note that the owners of Ledger wallets are also often victims of phishing attacks, having lost more than 1,150,000 XRP.