Cryptonews Blockchain News

LastPass Hackers Drain $5.36M From Over 40 Addresses: ZachXBT

Crypto Hacks zachxbt

The stolen funds were swapped for Ethereum and transferred to various instant exchanges converting to Bitcoin.

Author

Sujha Sundararajan

Author

Sujha Sundararajan Verified

Part of the Team Since

Jun 2023

About Author

Sujha has been recognised as 🟣 Women In Crypto 2024 🟣 by BeInCrypto for her leadership in crypto journalism.

Has Also Written

Argentinian Crypto App Lemon Launches Bitcoin-Backed Credit Card
Staking Still Unavailable in Four States, Robinhood CEO Presses U.S. Lawmakers for Clarity
Pakistan, Trump-Linked WLFI Firm Sign Agreement to Explore Cross-Border Payments – Reuters
German DZ Bank Secures MiCAR License for Crypto Trading, Joins Qivalis Stablecoin Initiative
Crypto Firms Without EU License Remain Mute as MiCA Deadline Approaches – French Regulator

Author Profile

Last updated:

December 17, 2024

LastPass threat actors have allegedly stolen $5.36 million from more than 40 victim addresses, blockchain sleuth ZachXBT reported.

The stolen funds were swapped for Ethereum (ETH) and transferred to various instant exchanges from Ethereum to Bitcoin (BTC), ZachXBT wrote on Telegram.

The LastPass security breach originated in December 2022, when attackers stole vast data, including customer keys and API tokens.

Last year, ZachXBT and MetaMask developer Taylor Monahan reported tracking the movement of funds from 80 compromised wallets. The wallets were targeted on October 25, 2023, where around 25 individuals have reportedly lost $4.4 million in crypto.

Another batch of crypto hacks tied to LastPass was reported in February 2024, resulting in losses of over $6.2 million.

“Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately,” wrote ZachXBT in a post last year.

US Court Filed Lawsuit Against LastPass

Early in 2023, several users reported losing significant amounts of crypto from wallets. LastPass stored the keys of these user wallets.

Following the incident, the US District Court of Massachusetts filed a lawsuit against the company in January 2023. The court alleged that the company failed to protect user data adequately.

The attack apparently allowed hackers to gain access to the corporate laptop of an engineer working for the platform. The employee laptop provided them with the source code, confidential technical documentation, and internal system secrets.

The hackers also stole the backup of encrypted customer vault data. This could be decrypted if the attacker successfully guessed the account’s master password through brute force.

The first breach enabled the attacker to extract 14 of LastPass’s 200 source code repositories, Cryptonews reported last year. This was followed by a more extensive attack, leading to the acquisition of a copy of the LastPass customer database.