
Small Biz Owner Hacked, Suffers Massive Bitcoin Loss

Blames Apple App Store for missing malware bait-and-switch

David Braue

Melbourne, Australia – May 20, 2021

Phillipe Christodolou is under no illusions about the difficulty of taking Apple to task about anything — but with his life savings in Bitcoin stolen by a malicious app and nothing to lose, he says, he has “no intention of letting it go, ever.”

“It,” in this case, is the disappearance of his 17.1 bitcoin — around $625,000 at current rates — after he inadvertently downloaded a malicious app from Apple’s App Store with the intention of managing the cryptocurrency holdings in his Trezor crypto wallet.

The money represented his life savings, which he had invested in Bitcoin with the funds left over after he sold his house to support a four-year survival plan for his New York City environmentally friendly laundry service, The Eco Laundry Company.

“I saw an opportunity to take a little bit of that money and invest it in a way that, over the longer term, would give us enough money back to be able to grow the business,” he told Cybercrime Magazine.

Ironically, he had bought the Trezor device to boost the security of his holdings — but when he finally got around to downloading the well-reviewed app and, as it requested, entering his Bitcoin seed phrase, his nightmare began as he saw his more than half a million dollars vanish within seconds.


Trezor, it turns out, doesn’t actually have an iOS app — meaning that the app he downloaded was a fake designed to trick App Store and Google Play Store users into giving up their passphrases in a scam that, Christodolou later learned, had caught at least four others.

The support of several of those people, with whom Christodolou has formed friendships and an impromptu support network as they share similar stories, has been invaluable through the aftermath of the loss — during which he has rapidly pushed through the five stages of grief in a difficult time that has been exacerbated by widespread online ridicule.

“When something like this happens, you feel completely alone and violated,” he explained, “and you feel like this terrible thing has happened. It took two months to recover psychologically and emotionally from that — but it has been helpful to say ‘we’re not going to let this go, and we’re getting those funds back.’”

Taking on Apple

In the wake of the funds’ disappearance, Christodolou has been pushing back hard — reporting the theft to the FBI’s Internet Crime Complaint Center (IC3) and enlisting blockchain analytics firms Chainalysis and CoinFirm to help track the funds.

“They know that the funds are being tracked, they know where the funds are, and they will be updated in real time when anything changes with those funds,” he explained.

“I purposefully made a lot of noise about it publicly and made sure there were a lot of eyeballs on those funds. So if those funds are attempted to be cashed out anywhere, at any point, whoever tries to cash them out will be arrested.”

The process of making noise about the theft has introduced its own complications — not the least from a barrage of social-media ridicule that, he said, highlighted the “toxic culture around Bitcoin.”

“There’s no way to describe how embarrassed I was when the Washington Post article came out and thousands of people were talking about what an idiot I am,” Christodolou explained, “and half the people that called me an idiot were people I know and respect and taught me everything I know.”

“That was heartbreaking — but at the same time, I had to step into that potentially shameful and embarrassing space to fight for what’s mine. I’ll step up and do what I can to try and change one little bit of the space.”

The “little bit” he’s focused on is Apple itself — which, he says, failed to detect a major change in the fake Trezor app after it was initially lodged as an encryption tool and approved through the technology giant’s normal App Store approvals process.

At some time after that, it appears, the authors swapped the original approved application — which had garnered a large number of positive reviews — for a very different application that had been engineered to capture seed phrases for money-hungry cybercriminals.

Despite Apple’s claims to be strict with its vetting of apps, this bait-and-switch had gone completely undetected — something that a furious Christodolou is still at a loss to accept.

“Any developer can upload an app to the App Store, get it approved through the official channels, and then morph it into whatever they want,” he said. “Apple admitted that they have no idea when that happens; they rely on their users to advise them when things like that happen — but in this case, it was too late.”

The company “haven’t been helpful at all” in resolving his loss or that of the others he has been in touch with, who have collectively lost millions of dollars.

“Apple claims to be the safest and most trusted place to download apps, when in fact that’s not a true claim at all,” Christodolou said. “Any app in that App Store could be stealing your identity or stealing your funds — and by the time you realize that, it would be too late.”

David Braue is an award-winning technology writer based in Melbourne, Australia.
