Cryptonews Blockchain News

LastPass Hackers Drain $5.36M From Over 40 Addresses: ZachXBT

Crypto Hacks zachxbt

The stolen funds were swapped for Ethereum and transferred to various instant exchanges converting to Bitcoin.

Author

Sujha Sundararajan

Author

Sujha Sundararajan Verified

Part of the Team Since

Jun 2023

About Author

Sujha has been recognised as 🟣 Women In Crypto 2024 🟣 by BeInCrypto for her leadership in crypto journalism.

Has Also Written

Stablecoin Inflows Have Doubled to $98B Amid Selling Pressure – Report
Bitcoin Miner MARA Moves 1,318 BTC in 10 Hours, Traders Wary of Forced Miner Selling
Bitwise Files S-1 With SEC to Launch Uniswap-Focused ETF, UNI Token Slumps 16%
Bhutan Quietly Sells Over $22M in Bitcoin, Triggers Speculation Over Possible Sell-Offs
Crypto Firms Propose Concessions to Banks as Stablecoin Disputes Stall Key Crypto Bill – Report

Author Profile

Last updated:

December 17, 2024

LastPass threat actors have allegedly stolen $5.36 million from more than 40 victim addresses, blockchain sleuth ZachXBT reported.

The stolen funds were swapped for Ethereum (ETH) and transferred to various instant exchanges from Ethereum to Bitcoin (BTC), ZachXBT wrote on Telegram.

The LastPass security breach originated in December 2022, when attackers stole vast data, including customer keys and API tokens.

Last year, ZachXBT and MetaMask developer Taylor Monahan reported tracking the movement of funds from 80 compromised wallets. The wallets were targeted on October 25, 2023, where around 25 individuals have reportedly lost $4.4 million in crypto.

Another batch of crypto hacks tied to LastPass was reported in February 2024, resulting in losses of over $6.2 million.

“Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately,” wrote ZachXBT in a post last year.

US Court Filed Lawsuit Against LastPass

Early in 2023, several users reported losing significant amounts of crypto from wallets. LastPass stored the keys of these user wallets.

Following the incident, the US District Court of Massachusetts filed a lawsuit against the company in January 2023. The court alleged that the company failed to protect user data adequately.

The attack apparently allowed hackers to gain access to the corporate laptop of an engineer working for the platform. The employee laptop provided them with the source code, confidential technical documentation, and internal system secrets.

The hackers also stole the backup of encrypted customer vault data. This could be decrypted if the attacker successfully guessed the account’s master password through brute force.

The first breach enabled the attacker to extract 14 of LastPass’s 200 source code repositories, Cryptonews reported last year. This was followed by a more extensive attack, leading to the acquisition of a copy of the LastPass customer database.