Parent Tactics: OAK-T11 (Custody and Signing Infrastructure); sub-technique of OAK-T11.006 (Cold-storage Seed-phrase Exfiltration at Rest)
Maturity: emerging
Chains: chain-agnostic (wallet vault auto-backed-up to iCloud / Google Drive / OneDrive; downstream extraction across all chains the wallet supports)
First documented: 2022-04-15 (iCloud-backup MetaMask / Dominic Iacovone case, ~$650K)
Aliases: "iCloud-backup wallet drain", "cloud-backup seed exfiltration", "default-on backup compromise", "iOS-backup wallet compromise"
The wallet vendor's mobile app does not opt out of OS-level cloud-backup defaults (`UIDocument.disableBackup` / `NSURLIsExcludedFromBackupKey` on iOS; `allowBackup=false` on Android). The encrypted wallet vault is automatically synced to a cloud surface (iCloud for iOS, Google Drive for Android, OneDrive for Windows) tied to a separate-identity security posture — an Apple ID, Google account, or Microsoft account — whose compromise surface is independent of the wallet vendor's and the user's on-chain hygiene.
Compromise path: the user's cloud-account credential is compromised via SIM-swap, Apple-ID phishing, social-engineering of Apple/Google/Microsoft Support, or shared-device theft. The attacker accesses the cloud-backup containing the encrypted wallet vault. If the vault password is weak, it is brute-forced offline. The resulting plaintext yields the BIP39 seed phrase or private-key material that unlocks on-chain wallets.
The structural feature distinguishing T11.006.002 from sibling T11.006.001:
- T11.006.002 is opt-in by inaction: the user did nothing to opt out of an OS-level default, and the wallet vendor also did not opt out at the app level. No affirmative user action created the custody surface.
- T11.006.001 (User-Initiated Plaintext-Equivalent Seed Storage) is opt-in by user action: the user chose to put seed-phrase material into a password manager or storage service.
The user-side mental model "I'm self-custodial because I hold my own keys" collapses twice over: first, because the wallet app's cloud-backup default silently created a third-party custody surface (the cloud account); second, because the cloud account's security posture — SIM-swap susceptibility, Apple/Google Support social-engineering vectors — has no relationship to on-chain security hygiene.
- Victim wallet app is installed on a mobile device where OS-level cloud-backup is enabled (iOS iCloud Backup default; Android Google Drive backup default).
- Proximate compromise is at the cloud-account level (SIM-swap, Apple-ID phishing, Apple Support social-engineering, shared-device theft) rather than at the wallet-app or on-chain level.
- Victim has no other commonality with other drained users — the cloud-backup surface is per-victim and per-cloud-account.
- Wallet vendor issues public security guidance advising users to disable cloud-backup for the wallet app (canonical example: MetaMask's April 17, 2022 iOS-backup-disable advisory, two days after Iacovone's public disclosure).
- Wallet-vendor audit: verify whether the wallet's mobile app opts out of OS-level cloud-backup at the app level (iOS `UIDocument.disableBackup` / `NSURLIsExcludedFromBackupKey`; Android `allowBackup=false`). Wallet-vendor cloud-backup behaviour varies across vendors and OS versions.
- User-side audit: check whether the wallet app's data is included in the device's cloud-backup. On iOS: Settings > [name] > iCloud > Manage Storage > Backups > [device] > check for wallet app data. On Android: Google Drive > Backups.
- Cloud-account hygiene verification: strong, unique cloud-account password; hardware-backed two-factor authentication (not SMS-based, which is SIM-swap-vulnerable).
- Vendor-side cloud-backup posture transparency: wallet vendors should publish their cloud-backup posture (opt-in / opt-out / configurable) in user-facing documentation.
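As an added illustration of the vendor-side audit step above (example code written for this page, not the project's own tooling; the three manifests are constructed samples and do not describe any real wallet app): a small Python checker that classifies the cloud-backup posture an `AndroidManifest.xml` declares. An absent `android:allowBackup` is reported as default-on, which is how Android treats it; `allowBackup="false"` is the app-level opt-out the page describes; a manifest that keeps backup on but declares `fullBackupContent` / `dataExtractionRules` files is flagged for manual review, because the manifest alone does not show whether those rules exclude the vault file. The iOS counterpart is a per-file runtime resource value rather than a manifest flag, so it is not modelled here.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:allowBackup.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifests (not taken from any real wallet app) covering
# the postures a vendor-side audit needs to distinguish.
MANIFEST_DEFAULT_ON = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <application android:label="Example Wallet">
    </application>
</manifest>"""

MANIFEST_OPT_OUT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <application android:label="Example Wallet"
        android:allowBackup="false">
    </application>
</manifest>"""

MANIFEST_RULES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <application android:label="Example Wallet"
        android:allowBackup="true"
        android:fullBackupContent="@xml/backup_rules"
        android:dataExtractionRules="@xml/data_extraction_rules">
    </application>
</manifest>"""


def backup_posture(manifest_xml: str) -> dict:
    """Classify the cloud-backup posture declared by an AndroidManifest.xml.

    Returns the raw attribute values plus a 'posture' label:
      'default-on' - allowBackup absent; Android treats it as true
      'opt-out'    - allowBackup="false"; app data excluded from backup
      'rules'      - backup enabled but exclusion rule files are declared
      'enabled'    - allowBackup="true" with no rule files
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    def android_attr(name: str):
        # Attributes in the android: namespace are keyed as {ns}name by ElementTree.
        return app.get("{%s}%s" % (ANDROID_NS, name))

    allow = android_attr("allowBackup")
    rules = {
        "fullBackupContent": android_attr("fullBackupContent"),
        "dataExtractionRules": android_attr("dataExtractionRules"),
    }
    if allow is None:
        posture = "default-on"
    elif allow.strip().lower() == "false":
        posture = "opt-out"
    elif any(rules.values()):
        posture = "rules"
    else:
        posture = "enabled"
    return {"allowBackup": allow, **rules, "posture": posture}


def audit(manifests: dict) -> list:
    """One finding line per manifest. 'rules' is a REVIEW item because the rule
    files are separate resources and must be read to confirm the vault file is
    actually excluded from Google Drive auto-backup."""
    findings = []
    for name, xml in manifests.items():
        p = backup_posture(xml)
        if p["posture"] == "opt-out":
            verdict = "OK: app opts out of OS-level backup"
        elif p["posture"] == "rules":
            verdict = "REVIEW: backup on; verify rule files exclude the vault"
        else:
            verdict = "FINDING: wallet data eligible for Google Drive auto-backup"
        findings.append("%s: %s (%s)" % (name, verdict, p["posture"]))
    return findings


if __name__ == "__main__":
    for line in audit({"default": MANIFEST_DEFAULT_ON,
                       "opt-out": MANIFEST_OPT_OUT,
                       "rules": MANIFEST_RULES}):
        print(line)
```

Run against a real build by passing the decoded manifest text (for example, the output of an APK manifest dump) to `audit`; the `posture` field is what belongs in the per-wallet cloud-backup posture documentation the page calls for.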
- `examples/2022-04-icloud-metamask-seed-phrase-cohort.md` — iCloud-backup MetaMask seed-phrase cohort (canonical T11.006.002 anchor). Dominic Iacovone case, April 15, 2022, ~$650K-$655K in ETH, ERC-20 tokens, and NFTs. Apple ID phishing (spoofed Apple Support call requesting verification code) → iCloud Backup access → MetaMask vault brute-force → drain. MetaMask issued public iOS-backup-disable guidance on April 17, 2022. Broader cohort losses through 2022–2024 not centrally tabulated.
- `examples/2022-2024-android-google-drive-wallet-backup-cohort.md` — Android Google-Drive wallet-backup seed exfiltration cohort, 2022–2024. The Android-equivalent T11.006.002 surface: wallet apps that do not set `allowBackup=false` in their AndroidManifest.xml, resulting in encrypted wallet vaults auto-backed-up to Google Drive. Google-account compromise (SIM-swap, phishing, credential-stuffing) → backup restoration → vault brute-force → drain.
- `examples/2024-01-ios-whatsapp-icloud-wallet-backup-cohort.md` — iOS WhatsApp iCloud-backup wallet-seed exfiltration cohort, 2024 (~$2.5M, ~30+ victims); demonstrates that T11.006.002 extends beyond wallet-app-specific cloud-backup (MetaMask/iCloud) to any application data storing seed-phrase material captured by default-on OS-level backups. The user's WhatsApp self-chat seed storage (T11.006.001) combines with iCloud's default-on backup capture (T11.006.002) to create a custody surface neither the user nor the wallet vendor actively opted into.
- `examples/2022-2025-seed-phrase-at-rest-exfiltration-cohort.md` — Seed-phrase at-rest exfiltration cohort, 2022–2025; combined T11.006 + T11.006.002 cohort-level anchor documenting third-party-storage seed-phrase compromise surfaces.
- `mg-detectors-rs` — coverage gap at v0.1. Detection surface is off-chain at the cloud-account / OS-backup layer.
- Vendor coverage: wallet-vendor security advisories on cloud-backup behaviour; Apple / Google account-security advisories; MetaMask's April 2022 security guidance is the canonical vendor-side advisory pattern.
- Wallet-vendor responsibility (highest-leverage): opt out of OS-level cloud-backup at the app level; document the cloud-backup posture in user-facing security guidance; issue immediate post-incident advisories when cloud-backup-as-implicit-custody surface is exploited.
- User-side cloud-backup audit for wallet apps: disable cloud-backup for any wallet app that does not opt out at the app level. On iOS: Settings > [name] > iCloud > Manage Storage > Backups > [device] > disable wallet app data.
- Cloud-account hardening: strong, unique cloud-account password; hardware-backed 2FA (YubiKey / passkey, not SMS); awareness of Apple/Google Support social-engineering vectors that solicit verification codes.
- User-side seed-phrase storage hygiene: cold storage on physical media regardless of whether the wallet app stores an encrypted vault in cloud-backup. The cloud-backup surface is additive — even if the seed phrase itself is not in the backup, the encrypted vault is password-brute-forceable.
Canonical mitigations: OAK-M21, OAK-M22, OAK-M37.
- See `examples/2022-04-icloud-metamask-seed-phrase-cohort.md` for the full citation set.
T11.006.002's structural OAK lesson: a wallet app that does not opt out of OS-level cloud-backup has created an implicit custody surface at the user's cloud account, and the cloud account's security posture — SIM-swap susceptibility, Support social-engineering — is the effective custody security model regardless of the wallet's on-chain security architecture.
The responsibility is split between wallet vendor and user. The vendor controls the app-level cloud-backup opt-out flag; the user controls whether the cloud account is hardened against SIM-swap and social-engineering. Either party's failure produces the T11.006.002 surface. The canonical MetaMask response — public advisory within 48 hours of the first public victim disclosure, explicit iOS-backup-disable guidance — is the vendor-side pattern.
The implicit nature of the custody surface is the class's defining feature: unlike T11.006.001 where the user chose to store seed-phrase material in a third-party service, T11.006.002 arises from OS-level defaults that neither the user nor the wallet vendor actively chose. Wallet-vendor cloud-backup posture disclosure is not currently standardised; a v0.x improvement target is per-wallet cloud-backup posture documentation as a standard field in wallet security audits.