LastPass Users - REKT

Your keys, their coins.

Since December of last year, a slow-burn wallet draining campaign has affected hundreds of individual addresses.

No phishing necessary, this time.

Although the attack has been ongoing for nearly a year, last week saw $4.4M stolen in a single day, bringing total losses to at least $37M.

As with June’s Atomic Wallet hack, which saw over $100M stolen, these incidents have been meticulously traced by ZachXBT and Tayvano over recent months.

The thefts appear to be linked to seed phrases stored in LastPass, which was hacked last year.

Who do you trust with your seed phrase, anon?

Credit: ZachXBT, Tayvano

The loss of funds is believed to be down to security breaches at LastPass last year. An initial, direct hack in August led to a breach of a third-party cloud storage provider, in November.

While the original August statement reassured users:

we have seen no evidence that this incident involved any access to customer data or encrypted password vaults

The December update revealed that:

The threat actor was also able to copy a backup of customer vault data

And contained an ominous warning:

The threat actor may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.

However, victims apparently had very secure LastPass master passwords which, according to Tayvano, either means that:

someone has compromised hundreds of users' vaults one-by-one via a still undetected method or…

LastPass has still not shared some critical details about their security posture and the stuff that was compromised by the attackers.

Although the known thefts date back as far as mid-December 2022, with the tracing operation well underway by April, the LastPass connection was only made public in August.

The attackers appear not to be interested in small fry, with the smallest loss being “well over $10k”.

Victims, one of whom even lost funds which had been untouched for almost a decade, apparently include many experienced crypto users:

employees of reputable crypto orgs, VCs, people who build defi protocols, deploy contracts, run full nodes, and have ENS names

Aside from targeting LastPass users, the attacks appear to share certain characteristics, which include:

Primary theft txns are almost always between 10am–4pm UTC.

Except when stealing v large amounts, the attacker will swap your tokens for ETH inside your wallet before sending the ETH out.

The attacker will often miss staked positions, NFTs, or lesser known tokens. Successful rescue missions are COMMON.

Funds are eventually sent to a CEX such as “FixedFloat, SimpleSwap, SideShift, ChangeNOW, LetsExchange”.

The hackers also seem to favour the weekends.
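As an added illustration (not code from the article or from the researchers it cites), the reported characteristics above can be turned into a simple triage heuristic a defender might run over a wallet's outgoing activity. The time window, the in-wallet token-to-ETH swap before the ETH leaves, the weekend preference and the instant-exchange destinations come from the description above; the transaction records and exchange addresses below are constructed placeholders, not real on-chain data.

```python
from datetime import datetime, timezone

# Placeholder labels for instant-exchange deposit addresses. The real
# addresses are not on this page, so these are constructed stand-ins.
INSTANT_EXCHANGE_ADDRS = {
    "0xFIXEDFLOAT_PLACEHOLDER": "FixedFloat",
    "0xCHANGENOW_PLACEHOLDER": "ChangeNOW",
}

def in_theft_window(ts: datetime) -> bool:
    # Primary theft txns were reported between 10:00 and 16:00 UTC.
    ts = ts.astimezone(timezone.utc)
    return 10 <= ts.hour < 16

def score_outflow(txs: list) -> dict:
    """Check a wallet's chronologically ordered activity for the reported
    pattern. Each tx is a dict: ts (timezone-aware datetime), kind ("swap" =
    tokens swapped for ETH inside the wallet, "transfer" = asset sent out),
    asset (asset received for a swap, asset sent for a transfer), to."""
    swaps_to_eth = [t for t in txs if t["kind"] == "swap" and t["asset"] == "ETH"]
    eth_out = [t for t in txs if t["kind"] == "transfer" and t["asset"] == "ETH"]
    flags = {
        # token -> ETH swap in the wallet, then the ETH leaves afterwards
        "swap_then_send": any(s["ts"] < o["ts"] for s in swaps_to_eth for o in eth_out),
        "daytime_utc": any(in_theft_window(t["ts"]) for t in eth_out),
        "to_instant_exchange": any(t["to"] in INSTANT_EXCHANGE_ADDRS for t in eth_out),
        "weekend": any(t["ts"].astimezone(timezone.utc).weekday() >= 5 for t in eth_out),
    }
    flags["score"] = sum(1 for v in flags.values() if v)
    return flags

# Constructed sample: a drain matching the pattern (Saturday 28 Oct 2023, ~11:00 UTC).
DRAIN = [
    {"ts": datetime(2023, 10, 28, 11, 2, tzinfo=timezone.utc), "kind": "swap", "asset": "ETH", "to": None},
    {"ts": datetime(2023, 10, 28, 11, 6, tzinfo=timezone.utc), "kind": "transfer", "asset": "ETH", "to": "0xFIXEDFLOAT_PLACEHOLDER"},
]
# Constructed sample: an ordinary weekday-evening transfer to an unlabelled address.
BENIGN = [
    {"ts": datetime(2023, 10, 25, 20, 30, tzinfo=timezone.utc), "kind": "transfer", "asset": "ETH", "to": "0xFRIEND_PLACEHOLDER"},
]

if __name__ == "__main__":
    print(score_outflow(DRAIN))   # score 4
    print(score_outflow(BENIGN))  # score 0
```

A high score is a prompt to look closer, not proof of compromise; legitimate users also swap to ETH and use these services.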

Over $37M stolen and still working a day job?

While initial comms from LastPass in August 2022 made it seem that there was no reason to worry, any user who then let their guard down may later have become a victim.

Though there may be good reason to be guarded with info sharing, the safest option for users is always to rotate assets to a fresh seed phrase if in any doubt.

Improved UX is not worth trusting sensitive info to third parties.

When did you last change your seed?
