Over the last 10 months, more than 100 seemingly secure crypto wallets, many held by high-profile, tech-savvy members of the crypto community, have been drained of tens of millions of dollars' worth of cryptocurrency, with no clear indication of how. Now the answer is becoming clearer: the thefts appear to trace back to the hack of LastPass, the password management company.
For months, the smooth and consistently repeated attacks baffled security experts, who could not figure out how to stop the theft. Victims did not appear to be falling for scams, or doing anything online, for that matter, that risked exposing their private information. If anything, it turned out, they had prioritized wallet security.
On-chain researchers have since concluded, as the attacks persist month after month, that the hacker in question is likely accessing victims' funds using wallet passwords and seed phrases exposed in last winter's hack of the password manager LastPass.
Since that hack, passwords obtained from the computer security service have reportedly led to the theft of at least $39 million worth of crypto, and counting. Just last week, the hacker made off with another $4.4 million in crypto, in what experts have identified as another attack that traces back to LastPass.
Taylor Monahan, a lead product manager at MetaMask, first floated theories about the mystery hacks' potential origins in April, back when the attacks had netted only about $10 million in stolen crypto. Since then, Monahan and other blockchain analysts have identified LastPass as the apparent common thread connecting victims of the hacks.
In the interim, however, the hacker has continued to drain supposedly secure wallets of millions upon millions of dollars’ worth of crypto.
Monahan, along with other on-chain sleuths such as the pseudonymous blockchain analyst ZachXBT, has implored crypto users to immediately migrate their assets if they ever, even for a brief period, used LastPass to store their wallet seed phrases or private keys.
As the attacks continue with no end in sight, Monahan has publicly recounted the stories of numerous friends and associates who—upon news of the hacks—considered changing wallets but didn’t move fast enough, only to be targeted by the hacker themselves.
Of particular note in the unfolding controversy are statements made by LastPass regarding the severity of the hack that infiltrated the company’s stores of private user data late last year.
At first, LastPass insisted that the hack did not expose users' stored passwords, but advised changing those passwords anyway out of an abundance of caution. The company eventually conceded that the hacker was able to access the LastPass corporate vault, which contains ample private user information, but maintained that these breaches still did not necessarily compromise users' master passwords or other keys. The caveat practitioners should keep in mind is that an attacker holding a copy of encrypted vault data can attempt to crack master passwords offline, with no rate limiting and no time pressure: vaults protected by a weak master password, or derived with a low key-stretching iteration count, are the ones most likely to fall, and any seed phrase or private key stored in such a vault should be treated as compromised and rotated rather than merely re-secured.
Analysts who researched the spate of recent crypto heists reportedly tied to the LastPass hack have taken particular issue with the company’s handling of the situation, arguing that it has not been forthright with its users about the extent of damage incurred by the hack, and the degree to which LastPass users should have responded to it.
"Seeing as LastPass knows how long users have used their service, LastPass knows which vaults were weakest [and] LastPass knows when a note or password was last updated," Monahan told Decrypt. "They could encourage people to update these specific credentials or consider rotating any keys they have in a specific 'secure note.'"
"If you want people to take action and protect themselves you have to give them crystal clear information that encourages them to do so," Monahan added. "The attacks will continue until there is nothing of value left."
LastPass did not reply to Decrypt's request for comment.
Edited by Andrew Hayward
Editor's note: This article was updated after publication to add comments from Monahan.