When iPhone user Phillipe Christodoulou downloaded the Trezor app from the App Store in February, he thought he was getting a way to check his bitcoin balance by plugging his Trezor device into his iPhone’s Lightning port via a micro USB-to-Lightning adapter. Instead, the Washington Post reports, he lost his entire savings in an instant—17.1 bitcoin worth $600,000.
Trezor is not a fly-by-night bitcoin company. It was one of the first companies to offer a personal hardware wallet and has been endorsed by Twitter’s Jack Dorsey. But Trezor doesn’t make an iPhone app and its U2F hardware token doesn’t work with the iPhone. Trezor’s website does state that, “Use of your Trezor device on iOS is currently not (yet) supported,” but unless you’re diving into the tech specs you could miss it.
The device Christodoulou used stores a personal 12- to 24-word recovery seed and has a display “to fully inform you about the authentication request before you approve it.” The app he used seemingly took that information to siphon bitcoin from his account.
But Christodoulou doesn’t blame Trezor for the theft. He blames Apple for approving the app in the first place. Apple told the Washington Post, “In the limited instances when criminals defraud our users, we take swift action against these actors as well as to prevent similar violations in the future.” A search in the App Store for a Trezor app doesn’t bring up any specific results. Apple declined to tell the Washington Post whether it has contacted the authorities about the app.
According to the publication, Apple approved the app as “a ‘cryptography’ app that would encrypt iPhone files and store passwords,” and the developer specifically told Apple that it was “not involved in any cryptocurrency.” However, it quickly changed itself into a cryptocurrency wallet, a change that Apple doesn’t allow but also doesn’t track until alerted by a user. Once it was notified of this particular scam, Apple removed both the app and a follow-up app that appeared in the store days later.
Apple told Christodoulou it is looking into the issue, but it’s unlikely he’s the last iPhone user to suffer such a scam. In the same report, in fact, iPhone user James Fajcz also claims he was duped by a fake Trezor app to the tune of $14,000.