Summary

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft from the personal accounts of Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including the OFAC-sanctioned exchange Cryptex.

Timeline (15 events)

2022-08-08

Threat actor compromises LastPass developer laptop, exfiltrating 14 source code repositories, technical documentation, and an encrypted AWS S3 key.

2022-08-12

Second intrusion begins: threat actor exploits unpatched Plex CVE-2020-5741 on DevOps engineer's home computer, installing keylogger malware to capture master password and gain access to corporate vault.

2022-10-26

LastPass detects and terminates threat actor's persistent cloud storage access, which had lasted approximately 75 days.

2022-12-22

LastPass publicly discloses that encrypted customer password vaults and associated metadata were stolen in the August–November breach.

2023-03-01

Taylor Monahan (MetaMask) begins tracking unusual cryptocurrency theft pattern affecting crypto-native individuals, later linked to LastPass.

2023-08-28

Taylor Monahan concludes that nearly all theft victims had stored cryptocurrency seed phrases in LastPass, publicly linking the theft campaign to the 2022 breach.

2023-10-25

Approximately $4.4 million drained from 25+ victim addresses in a single day, reported by ZachXBT.

2024-01-30

$150 million in XRP stolen from personal cryptocurrency accounts of Ripple co-founder Chris Larsen, later attributed to LastPass breach.

2024-02-01

Over $6.2 million stolen from additional LastPass users in a new theft wave, tracked by ZachXBT.

2024-05-01

Estimated total crypto losses linked to LastPass breach exceed $250 million, per researcher Taylor Monahan.

2024-09-26

OFAC sanctions Cryptex, the Russia-based exchange used as an off-ramp for LastPass-linked stolen funds.

2024-12-18

ZachXBT reports $5.36 million drained from over 40 victim addresses, with funds swapped to ETH and converted to Bitcoin via instant exchange services.

2025-03-06

Federal prosecutors in Northern California seize $23,604,815 in cryptocurrency via civil forfeiture complaint, explicitly linking the Larsen theft to the 2022 LastPass breach.

2025-11-20

UK Information Commissioner's Office issues £1,228,283 penalty to LastPass UK Limited for GDPR violations stemming from the 2022 breach.

2025-12-01

TRM Labs publishes report tracing over $35 million through Wasabi Wallet laundering pipeline, with on-chain indicators suggesting Russian cybercriminal involvement. Theft activity traced as recently as October 2025.

model: claude-sonnet

generated: 5/4/2026, 4:04:57 PM

last updated: 5/16/2026, 3:51:56 AM

avoid.net — verified advice for a post-truth world