Hackers used Tinder to break into iPhones, stealing $1.4M Bitcoin

5comments
Hackers used Tinder to break into iPhones, stealing $1.4M Bitcoin
Yet another group of ingenious hackers has recently been discovered by cybersecurity firm Sophos, executing quite an elaborate scam on an international level. The scammers have been siphoning hundreds of thousands of dollars from unsuspecting victims via the most unlikely of means: dating apps. By the time they were discovered, they'd already pilfered $1.4 million—all in the form of Bitcoins.

The identities of the scammers and where the attacks originated from remain unknown, but Sophos was able to uncover their digital stash, which contained all the illegally accumulated wealth directed into a single (and jam-packed) Bitcoin wallet. Sophos has named the scheme "CryptoRom," and it was a show of a truly impressive level of skill in both programming and social engineering.

CryptoRom's victims were all iPhone owners


Although Apple has always touted its prioritization of top-notch security within its ecosystem, we all know that complete immunity is not only impossible, but often not the case, even with iPhones. 

And recently, over and over we've been hearing of cases where the iPhone's security safeguards ultimately failed their users—with the most recent discovery being an iOS 15 bug that leaves your phone vulnerable to being wiped remotely.

The hackers got into victims' iPhones via the Enterprise Signature system meant for developers


The victims from whom CryptoRom stole $1.4 million were all iPhone owners, and the hackers took advantage of the Enterprise Signature system particular to iPhones. Essentially, this system gives developers the ability to perform testing on new iPhone apps before submitting them to Apple for approval. 

Apparently, the Enterprise Signature was also a hidden backdoor allowing illegal access to personal devices, which could be (and was) exploited by malicious actors.


First, the attackers created fake Bitcoin trading apps. Then, they made fake online dating profiles


What makes the scam so elaborate is that it is highly intricate not only on a software level, but also on a social level. First, the CryptoRom perpetrators created fake Bitcoin trading apps, all of which funneled any money that went through through them into a single Bitcoin wallet, likely owned by the mastermind behind it all. 

Then, the scammers made a number of fake online profiles on dating apps such as Tinder and Bumble. Once they connected with someone, they committed to the fake relationship until they could convince their victims that they were making a lot of money off of the shady Bitcoin trading apps.

The facade was maintained until finally, they got the person on the other end to also invest a certain amount into said app. Of course, once that was done, the money went straight into the scammers' Bitcoin wallet. However, that's not where the damage stopped. 

The victims lost their money, and their iPhones (essentially)


Not only did this cost the victim a few hefty dollars—maybe hundreds, or thousands—but it also gave the attackers uninhibited access into their iPhone and all kinds of personal data. "With their fake crypto-trading apps, [the attackers could] gain remote management control over their devices," reported Sophos in a statement last week (via Business Insider).

While the scam first began spreading in Asia, it was quite successful and eventually made its way to international victims in the United States and Europe. And all of its profits were made off the backs of unsuspecting dating app users, leveraging the rising hype around cryptocurrency to essentially catfish their victims into unwittingly giving up both their money and privacy.


Did Apple allow these scam cryptocurrency apps into the App Store?


Because Apple continues to fight against the idea of allowing the downloading of apps from anywhere but the official App Store, there seems little merit to believe anything else but that these fake Bitcoin trading apps had, in fact, been approved by Apple to be published in the App Store.

Recommended Stories
Currently, unlike Android, app sideloading is still an impossibility on iOS (although legal battles may be putting an end to that soon), which puts Apple in serious hot water for allowing such a horrible scheme to take place, and for letting it go unnoticed for such a long period of time. 

Although Apple has certainly always focused on privacy much more than competing companies, it seems that the illusion of perfect protection within Apple's ecosystem is slowly beginning to crumble, as incidents like this keep happening.

Neither the pernicious apps nor the scammers have been named by Sophos, and we must assume that the applications have since been removed from the App Store. No part of this issue has been addressed by the company as of yet.





Create a free account and join our vibrant community
Register to enjoy the full PhoneArena experience. Here’s what you get with your PhoneArena account:
  • Access members-only articles
  • Join community discussions
  • Share your own device reviews
  • Build your personal phone library
Register For Free

Recommended Stories

Loading Comments...
FCC OKs Cingular\'s purchase of AT&T Wireless