Your keys, their coins.
Since December of last year, a slow-burn wallet draining campaign has affected hundreds of individual addresses.
No phishing necessary, this time.
Although the attack has been ongoing for nearly a year, last week saw $4.4M stolen in a single day, bringing total losses to at least $37M.
The thefts appear to be linked to seed phrases stored in LastPass, which was hacked last year.
Who do you trust with your seed phrase, anon?
The loss of funds is believed to stem from the security breaches at LastPass last year: an initial, direct intrusion in August was followed by a breach of a third-party cloud storage provider in November.
While the original August statement reassured users:
we have seen no evidence that this incident involved any access to customer data or encrypted password vaults
The December update revealed that:
The threat actor was also able to copy a backup of customer vault data
And contained an ominous warning:
The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.
However, victims apparently had strong LastPass master passwords, which, according to Tayvano, means that either:
someone has compromised hundreds of users' vaults one-by-one via a still undetected method or…
LastPass has still not shared some critical details about their security posture and the stuff that was compromised by the attackers.
The attackers appear not to be interested in small fry, with the smallest loss being “well over $10k”, and the victims are described as:
employees of reputable crypto orgs, VCs, people who build defi protocols, deploy contracts, run full nodes, and have ENS names
Aside from targeting LastPass users, the attacks appear to share certain characteristics, which include:
Primary theft txns are almost always between 10am–4pm UTC.
Except when stealing v large amounts, the attacker will swap your tokens for ETH inside your wallet before sending the ETH out.
The attacker will often miss staked positions, NFTs, or lesser known tokens. Successful rescue missions are COMMON.
Funds are eventually sent to a CEX such as “FixedFloat, SimpleSwap, SideShift, ChangeNOW, LetsExchange”.
The hackers also seem to favour the weekends.
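The characteristics above are the kind of thing a wallet-monitoring service or an incident responder would turn into a scoring rule. The following is an added example written for this page, not code from REKT or from Tayvano's thread: it scores an address's outbound transactions against the five observable traits (10:00–16:00 UTC window, weekend, swap-to-ETH before sending, off-ramp to one of the named instant exchanges, size over $10k). All addresses, the off-ramp address table, the sample transactions and the "3 or more is suspicious" threshold are constructed assumptions for illustration.

```python
"""Heuristic scoring of an address's outbound activity against the drain pattern
described in the thread. Everything below (addresses, transactions, thresholds)
is constructed for illustration; nothing is taken from real chain data."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed placeholder addresses standing in for deposit addresses of the
# off-ramp services named in the thread (assumption: a real monitor would load
# a curated address list instead).
OFFRAMPS = {
    "0xOFFRAMP_FIXEDFLOAT": "FixedFloat",
    "0xOFFRAMP_SIMPLESWAP": "SimpleSwap",
    "0xOFFRAMP_SIDESHIFT": "SideShift",
    "0xOFFRAMP_CHANGENOW": "ChangeNOW",
    "0xOFFRAMP_LETSEXCHANGE": "LetsExchange",
}
MIN_THEFT_USD = 10_000  # smallest observed loss was "well over $10k"


@dataclass(frozen=True)
class Tx:
    ts: datetime        # block timestamp, UTC
    sender: str
    recipient: str
    kind: str           # "swap": token sold for ETH inside the wallet; "transfer": asset sent out
    asset: str          # token sold (for swaps) or asset sent (for transfers)
    value_usd: float


def utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def score_drain(txs, victim):
    """Return (score, indicators) for the outbound transactions of `victim`.

    Each matched characteristic adds one to the score. A score of 3 or more
    (an assumed threshold) is worth a closer look; none of this is proof alone."""
    out = sorted((t for t in txs if t.sender == victim), key=lambda t: t.ts)
    if not out:
        return 0, []
    ind = []
    # 1. Primary theft txns are almost always between 10:00 and 16:00 UTC.
    if all(10 <= t.ts.hour < 16 for t in out):
        ind.append("window_10_16_utc")
    # 2. Weekend activity (Python: Saturday == 5, Sunday == 6).
    if out[0].ts.weekday() >= 5:
        ind.append("weekend")
    # 3. Tokens swapped to ETH inside the wallet, then the ETH sent out.
    swaps = [t for t in out if t.kind == "swap"]
    sends = [t for t in out if t.kind == "transfer" and t.asset == "ETH"]
    if swaps and sends and min(s.ts for s in swaps) < max(x.ts for x in sends):
        ind.append("swap_before_send")
    # 4. Outbound ETH lands at one of the named instant-exchange services.
    for s in sends:
        label = OFFRAMPS.get(s.recipient)
        if label:
            ind.append(f"offramp:{label}")
            break
    # 5. Total moved out clears the smallest observed loss.
    if sum(s.value_usd for s in sends) > MIN_THEFT_USD:
        ind.append("over_10k_usd")
    return len(ind), ind


# Constructed sample: one address matching the pattern (Saturday, midday UTC,
# USDC swapped to ETH then sent to an off-ramp) and one ordinary user.
SAMPLE = [
    Tx(utc(2023, 10, 21, 12, 15), "0xVICTIM", "0xVICTIM", "swap", "USDC", 42_000),
    Tx(utc(2023, 10, 21, 12, 17), "0xVICTIM", "0xOFFRAMP_FIXEDFLOAT", "transfer", "ETH", 44_500),
    Tx(utc(2023, 10, 23, 20, 5), "0xUSER", "0xFRIEND", "transfer", "ETH", 300),
]

if __name__ == "__main__":
    for addr in ("0xVICTIM", "0xUSER"):
        print(addr, score_drain(SAMPLE, addr))
```

The score is deliberately additive rather than a hard rule: a legitimate user who sells tokens on a Saturday afternoon and withdraws to an instant exchange will also light up several indicators, so the output is a triage hint for checking whether the address owner still controls the keys, not an alert on its own.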
Over $37M stolen and still working a day job?
While initial comms from LastPass in August 2022 made it seem that there was no reason to worry, any user who then let their guard down may later have become a victim.
Though there may be good reason to be guarded with info sharing, the safest option for users is always to rotate assets to a fresh seed phrase if in any doubt.
Improved UX is not worth trusting sensitive info to 3rd parties.
When did you last change your seed?