Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security

In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.

On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as “Victim-1,” but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple.

ZachXBT was the first to report on the heist, of which approximately $24 million was frozen by the feds before it could be withdrawn. This week’s action by the government merely allows investigators to formally seize the frozen funds.

But there is an important conclusion in this seizure document: It basically says the U.S. Secret Service and the FBI agree with the findings of the LastPass breach story published here in September 2023. That piece quoted security researchers who said they were witnessing six-figure crypto heists several times each month, all of which they believed to be the result of crooks cracking master passwords for the password vaults stolen from LastPass in 2022.

“The Federal Bureau of Investigation has been investigating these data breaches, and law enforcement agents investigating the instant case have spoken with FBI agents about their investigation,” reads the seizure complaint, which was written by a U.S. Secret Service agent. “From those conversations, law enforcement agents in this case learned that the stolen data and passwords that were stored in several victims’ online password manager accounts were used to illegally, and without authorization, access the victims’ electronic accounts and steal information, cryptocurrency, and other data.”

The document continues:

“Based on this investigation, law enforcement had probable cause to believe the same attackers behind the above-described commercial online password manager attack used a stolen password held in Victim 1’s online password manager account and, without authorization, accessed his cryptocurrency wallet/account.”

Working with dozens of victims, security researchers Nick Bax and Taylor Monahan found that none of the six-figure cyberheist victims appeared to have suffered the kinds of attacks that typically precede a high-dollar crypto theft, such as the compromise of one’s email and/or mobile phone accounts, or SIM-swapping attacks.

They discovered the victims all had something else in common: Each had at one point stored their cryptocurrency seed phrase — the secret code that lets anyone gain access to your cryptocurrency holdings — in the “Secure Notes” area of their LastPass account prior to the 2022 breaches at the company.

Bax and Monahan found another common theme in these robberies: They all followed a similar pattern of cashing out, rapidly moving stolen funds to a dizzying number of drop accounts scattered across various cryptocurrency exchanges.

According to the government, a similar level of complexity was present in the $150 million heist against the Ripple co-founder last year.

“The scale of a theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches and attack on other victims whose cryptocurrency was stolen,” the government wrote. “For these reasons, law enforcement agents believe the cryptocurrency stolen from Victim 1 was committed by the same attackers who conducted the attack on the online password manager, and cryptocurrency thefts from other similarly situated victims.”

Reached for comment, LastPass said it has seen no definitive evidence — from federal investigators or others — that the cyberheists in question were linked to the LastPass breaches.

“Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a written statement. “To date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.”

On August 25, 2022, LastPass CEO Karim Toubba told users the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

Experts say the breach would have given thieves “offline” access to encrypted password vaults, theoretically allowing them all the time in the world to try to crack some of the weaker master passwords using powerful systems that can attempt millions of password guesses per second.

Researchers found that many of the cyberheist victims had chosen master passwords with relatively low complexity, and were among LastPass’s oldest customers. That’s because legacy LastPass users were more likely to have master passwords that were protected with far fewer “iterations,” which refers to the number of times your password is run through the company’s key-derivation routines before it can unlock the vault. In general, the more iterations, the longer it takes an offline attacker to crack your master password.

Over the years, LastPass forced new users to pick longer and more complex master passwords, and it increased the number of iterations on several occasions by several orders of magnitude. But researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the newer password requirements and protections.

Asked about LastPass’s continuing denials, Bax said that after the initial warning in our 2023 story, he naively hoped people would migrate their funds to new cryptocurrency wallets.
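To make the iteration trade-off concrete, here is an added example (not code from the article, and not LastPass’s implementation) that derives a vault key with PBKDF2-HMAC-SHA256 and estimates how the expected time of an offline attack on a master password scales with the iteration count. The iteration tiers, the attacker throughput figure and the e-mail-as-salt convention are assumptions for illustration; the article only says the count was raised by several orders of magnitude.

```python
import hashlib
import math
import time

# Assumed iteration tiers, for illustration only. The article says LastPass raised
# the count by several orders of magnitude; these are commonly cited defaults,
# not figures taken from the article.
ITERATION_TIERS = {"legacy": 5_000, "upgraded": 100_100, "current": 600_000}

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Key stretching of the kind the article describes: PBKDF2-HMAC-SHA256 with
    the account e-mail as salt, run `iterations` times (illustrative, not LastPass's code)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock cost of one derivation at this iteration count on this machine."""
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("benchmark-only-password", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best

def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidate passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length

def expected_crack_seconds(iterations: int, candidates: int, hmac_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password (half the space) for an
    attacker whose per-guess cost grows linearly with the iteration count;
    `hmac_per_second` is the attacker's assumed raw HMAC-SHA256 throughput."""
    guesses_per_second = hmac_per_second / iterations
    return (candidates / 2) / guesses_per_second

def slowdown_factor(low_iterations: int, high_iterations: int) -> float:
    """How much longer the same offline attack takes after raising the count."""
    return high_iterations / low_iterations

if __name__ == "__main__":
    space = keyspace(8, 36)      # an 8-character master password over [a-z0-9]
    assumed_rig = 1e10           # constructed throughput for an assumed GPU rig
    for name, iters in ITERATION_TIERS.items():
        days = expected_crack_seconds(iters, space, assumed_rig) / 86_400
        print(f"{name:>8} {iters:>7} iters: {seconds_per_guess(iters) * 1e3:6.1f} ms/guess here,"
              f" ~{days:,.0f} days expected on the assumed rig")
```

Running it shows the same weak master password going from hours to months of expected attacker effort purely from the iteration count, which is why the legacy accounts the article describes were the ones worth cracking.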

“While some did, the continued thefts underscore how much more needs to be done,” Bax told KrebsOnSecurity. “It’s validating to see the Secret Service and FBI corroborate our findings, but I’d much rather see fewer of these hacks in the first place. ZachXBT and SEAL 911 reported yet another wave of thefts as recently as December, showing the threat is still very real.”

Monahan said LastPass still hasn’t alerted its customers that their secrets—particularly those stored in “Secure Notes”—may be at risk.

“It’s been two and a half years since LastPass was first breached [and] hundreds of millions of dollars has been stolen from individuals and companies around the globe,” Monahan said. “They could have encouraged users to rotate their credentials. They could’ve prevented millions and millions of dollars from being stolen by these threat actors. But instead they chose to deny that their customers were at risk and blame the victims instead.”
