CyberSecurity SEE

Federal Authorities Connect $150 Million Cyberheist to Recent LastPass Hacks – Krebs on Security

Federal prosecutors in northern California recently announced the seizure of approximately $24 million worth of cryptocurrencies after a $150 million cyberheist that occurred on January 30, 2024. The complaint filed by the prosecutors refers to the victim as “Victim-1,” but cybersecurity expert ZachXBT revealed that the target of the theft was Chris Larsen, the co-founder of Ripple.

ZachXBT was the first to report on the heist and discovered that around $24 million of the stolen funds were frozen by the authorities before they could be withdrawn. This recent action by the government allows investigators to officially seize the frozen assets. The investigation into this cyberheist aligns with a previous report by KrebsOnSecurity, which highlighted a trend of six-figure crypto thefts resulting from thieves cracking master passwords stolen from LastPass in 2022.

According to a U.S. Secret Service agent involved in the case, law enforcement agents confirmed that the stolen data and passwords from LastPass accounts were used to access victims’ cryptocurrency wallets without authorization. This information echoes the findings of security researchers Nick Bax and Taylor Monahan, who collaborated with multiple victims to uncover the common thread in these cyberheists.

Bax and Monahan discovered that the victims had stored their cryptocurrency seed phrases in the “Secure Notes” section of their LastPass accounts before the 2022 breaches. This allowed the attackers to gain access to the victims’ cryptocurrency holdings and quickly transfer the stolen funds to numerous drop accounts on various cryptocurrency exchanges. The level of complexity in these thefts indicates the involvement of multiple malicious actors working in coordination.

The government’s seizure document highlights the sophistication of the $150 million heist against Chris Larsen, linking it to the pattern observed in the LastPass breaches. This reinforces the notion that the cyberheists were carried out by the same group of attackers who exploited vulnerabilities in LastPass’ security measures.

Despite these findings, LastPass has maintained that there is no definitive proof linking the cyberheists to their breaches. The company has emphasized its collaboration with law enforcement to enhance security measures and address any potential vulnerabilities.

In the wake of the breaches at LastPass, CEO Karim Toubba confirmed unauthorized access to source code and technical information in the company’s software development environment. Subsequent investigations revealed that customer data and password vaults remained secure, but a more severe security incident later exposed encrypted copies of password vaults and personal information.

Security experts have pointed out that the legacy users of LastPass, who had weaker master passwords and fewer encryption iterations, were especially vulnerable to attacks. Despite LastPass’ efforts to improve password requirements over the years, many older customers had not updated their security settings.

As researchers continue to uncover the intricacies of these cyberheists, they stress the importance of proactive security measures and regular password updates. The ongoing threat of crypto thefts underscores the need for heightened vigilance and swift action to protect digital assets from malicious actors.
