{"id":2453,"date":"2025-03-08T03:05:41","date_gmt":"2025-03-08T03:05:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/03\/08\/feds-link-150m-cyberheist-to-2022-lastpass-hacks\/"},"modified":"2025-03-08T03:05:41","modified_gmt":"2025-03-08T03:05:41","slug":"feds-link-150m-cyberheist-to-2022-lastpass-hacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/03\/08\/feds-link-150m-cyberheist-to-2022-lastpass-hacks\/","title":{"rendered":"Feds Link $150M Cyberheist to 2022 LastPass Hacks"},"content":{"rendered":"<p>Feds Link $150M Cyberheist to 2022 LastPass Hacks<\/p>\n<div>\n<p>In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service <strong>LastPass<\/strong> in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.<\/p>\n<p><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-31264\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2015\/06\/lastpass-580x132.png?resize=580%2C132&#038;ssl=1\" alt=\"\" width=\"580\" height=\"132\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/06\/lastpass-580x132.png 580w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2015\/06\/lastpass.png 808w\" sizes=\"(max-width: 580px) 100vw, 580px\"><\/p>\n<p>On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. 
The complaint refers to the person robbed only as \u201cVictim-1,\u201d but according to blockchain security researcher <strong>ZachXBT<\/strong> the theft was perpetrated against <strong>Chris Larsen<\/strong>, the co-founder of the cryptocurrency platform <strong>Ripple<\/strong>.<\/p>\n<p>ZachXBT was the <a href=\"https:\/\/x.com\/zachxbt\/status\/1752694489905528943\" target=\"_blank\" rel=\"noopener\">first to report on the heist<\/a>, of which approximately $24 million was frozen by the feds before it could be withdrawn. This week\u2019s action by the government merely allows investigators to officially seize the frozen funds.<\/p>\n<p>But there is an important conclusion in this seizure document: It basically says the <strong>U.S. Secret Service<\/strong> and the <strong>FBI<\/strong> agree with the findings of <a href=\"https:\/\/krebsonsecurity.com\/2023\/09\/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach\/\" target=\"_blank\" rel=\"noopener\">the LastPass breach story published here in September 2023<\/a>. That piece quoted security researchers who said they were witnessing six-figure crypto heists several times each month that they believed all appeared to be the result of crooks cracking master passwords for the password vaults stolen from LastPass in 2022.<\/p>\n<p>\u201cThe Federal Bureau of Investigation has been investigating these data breaches, and law enforcement agents investigating the instant case have spoken with FBI agents about their investigation,\u201d reads the seizure complaint, which was written by a U.S. Secret Service agent. 
\u201cFrom those conversations, law enforcement agents in this case learned that the stolen data and passwords that were stored in several victims\u2019 online password manager accounts were used to illegally, and without authorization, access the victims\u2019 electronic accounts and steal information, cryptocurrency, and other data.\u201d<\/p>\n<p>The document continues:<\/p>\n<p>\u201cBased on this investigation, law enforcement had probable cause to believe the same attackers behind the above-described commercial online password manager attack used a stolen password held in Victim 1\u2019s online password manager account and, without authorization, accessed his cryptocurrency wallet\/account.\u201d<\/p>\n<p>Working with dozens of victims, security researchers <strong>Nick Bax<\/strong> and <strong>Taylor Monahan<\/strong> found that none of the six-figure cyberheist victims appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto theft, such as the compromise of one\u2019s email and\/or mobile phone accounts, or SIM-swapping attacks.<\/p>\n<p>They discovered the victims all had something else in common: Each had at one point stored their cryptocurrency seed phrase \u2014 the secret code that lets anyone gain access to your cryptocurrency holdings \u2014 in the \u201cSecure Notes\u201d area of their LastPass account prior to the 2022 breaches at the company.<\/p>\n<p>Bax and Monahan found another common theme with these robberies: They all followed a similar pattern of cashing out, rapidly moving stolen funds to a dizzying number of drop accounts scattered across various cryptocurrency exchanges.<\/p>\n<p>According to the government, a similar level of complexity was present in the $150 million heist against the Ripple co-founder last year.<\/p>\n<p>\u201cThe scale of a theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches 
and attack on other victims whose cryptocurrency was stolen,\u201d the government wrote. \u201cFor these reasons, law enforcement agents believe the cryptocurrency stolen from Victim 1 was committed by the same attackers who conducted the attack on the online password manager, and cryptocurrency thefts from other similarly situated victims.\u201d<\/p>\n<p>Reached for comment, LastPass said it has seen no definitive proof \u2014 from federal investigators or others \u2014 that the cyberheists in question were linked to the LastPass breaches.<\/p>\n<p>\u201cSince we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,\u201d LastPass said in a written statement. \u201cTo date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.\u201d<span id=\"more-70634\"><\/span><\/p>\n<p>On August 25, 2022,\u00a0<strong>LastPass CEO Karim Toubba<\/strong> told users the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.<\/p>\n<p>But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. 
LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.<\/p>\n<p>Experts say the breach would have given thieves \u201coffline\u201d access to encrypted password vaults, theoretically allowing them all the time in the world to try to crack some of the weaker master passwords using powerful systems that can attempt millions of password guesses per second.<\/p>\n<p>Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass\u2019s oldest customers. That\u2019s because legacy LastPass users were more likely to have master passwords that were protected with far fewer \u201citerations,\u201d which refers to the number of times your password is run through the company\u2019s encryption routines. In general, the more iterations, the longer it takes an offline attacker to crack your master password.<\/p>\n<p>Over the years, LastPass forced new users to pick longer and more complex master passwords, and they increased the number of iterations on multiple occasions by several orders of magnitude. But researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the newer password requirements and protections.<\/p>\n<p>Asked about LastPass\u2019s continuing denials, Bax said that after the initial warning in our 2023 story, he naively hoped people would migrate their funds to new cryptocurrency wallets.<\/p>\n<p>\u201cWhile some did, the continued thefts underscore how much more needs to be done,\u201d Bax told KrebsOnSecurity. \u201cIt\u2019s validating to see the Secret Service and FBI corroborate our findings, but I\u2019d much rather see fewer of these hacks in the first place. 
ZachXBT and <a href=\"https:\/\/x.com\/_SEAL_Org\/status\/1868805837311074576\" target=\"_blank\" rel=\"noopener\">SEAL 911\u00a0reported yet another wave of thefts<\/a> as recently as December, showing the threat is still very real.\u201d<\/p>\n<p>Monahan said\u00a0LastPass still hasn\u2019t alerted their customers that their secrets\u2014especially those stored in \u201cSecure Notes\u201d\u2014may be at risk.<\/p>\n<p>\u201cIt\u2019s been two and a half years since LastPass was first breached [and] hundreds of millions of dollars has been stolen from individuals and companies around the globe,\u201d Monahan said. \u201cThey could have encouraged users to rotate their credentials. They could\u2019ve prevented millions and millions of dollars from being stolen by these threat actors. But instead they chose to deny that their customers were at risk and blame the victims instead.\u201d<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/03\/feds-link-150m-cyberheist-to-2022-lastpass-hacks\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Feds Link $150M Cyberheist to 2022 LastPass Hacks In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. 
federal agents investigating a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,900,189,573,901,55,902,903,904,905,906,907],"tags":[72],"class_list":["post-2453","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-chris-larsen","category-data-breaches","category-fbi","category-karim-toubba","category-krebsonsecurity","category-lastpass-breach","category-nick-bax","category-ripple","category-taylor-monahan","category-u-s-secret-service","category-zachxbt","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2453"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2453"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2453\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}