LastPass Hackers Drain $5.36M From Over 40 Addresses: ZachXBT

Last updated:

Author

Sujha Sundararajan

Author

Sujha Sundararajan

About Author

Sujha has been recognised as 🟣 Women In Crypto 2024 🟣 by BeInCrypto for her leadership in crypto journalism.

Last updated:

Why Trust Cryptonews

Cryptonews has covered the cryptocurrency industry topics since 2017, aiming to provide informative insights to our readers. Our journalists and analysts have extensive experience in market analysis and blockchain technologies. We strive to maintain high editorial standards, focusing on factual accuracy and balanced reporting across all areas – from cryptocurrencies and blockchain projects to industry events, products, and technological developments. Our ongoing presence in the industry reflects our commitment to delivering relevant information in the evolving world of digital assets. Read more about Cryptonews

Ad Disclosure

We believe in full transparency with our readers. Some of our content includes affiliate links, and we may earn a commission through these partnerships.

LastPass threat actors have allegedly stolen $5.36 million from more than 40 victim addresses, blockchain sleuth ZachXBT reported.

The stolen funds were swapped for Ethereum (ETH) and transferred to various instant exchanges from Ethereum to Bitcoin (BTC), ZachXBT wrote on Telegram.

The LastPass security breach originated in December 2022, when attackers stole vast data, including customer keys and API tokens.

Last year, ZachXBT and MetaMask developer Taylor Monahan reported tracking the movement of funds from 80 compromised wallets. The wallets were targeted on October 25, 2023, where around 25 individuals have reportedly lost $4.4 million in crypto.

Another batch of crypto hacks tied to LastPass was reported in February 2024, resulting in losses of over $6.2 million.

“Cannot stress this enough, if you believe you may have ever stored your seed phrase or keys in LastPass migrate your crypto assets immediately,” wrote ZachXBT in a post last year.

US Court Filed Lawsuit Against LastPass

Early in 2023, several users reported losing significant amounts of crypto from wallets. LastPass stored the keys of these user wallets.

Following the incident, the US District Court of Massachusetts filed a lawsuit against the company in January 2023. The court alleged that the company failed to protect user data adequately.

The attack apparently allowed hackers to gain access to the corporate laptop of an engineer working for the platform. The employee laptop provided them with the source code, confidential technical documentation, and internal system secrets.

The hackers also stole the backup of encrypted customer vault data. This could be decrypted if the attacker successfully guessed the account’s master password through brute force.

The first breach enabled the attacker to extract 14 of LastPass’s 200 source code repositories, Cryptonews reported last year. This was followed by a more extensive attack, leading to the acquisition of a copy of the LastPass customer database.