LastPass threat actor: 1 decision on this page
Audit log
Every state-changing event for LastPass threat actor: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-05-16 03:51:56Z. Score: ? → ? (no score change). Anchor: anchored
- chain: mainnet-beta, slot 420,041,811
- sig: 3NaYSHXE8qgG…YRMHhCrd
- hash: EvjMTe79Bm7c…1AHwy6Ax (sha256 → base58)
- canonical bytes (6163 B):
{"actor":"system:backfill","investigation_id":"19984e08-4ddb-4ba5-9fc2-fd9b52490dbe","kind":"publish","page_slug":"lastpass-threat-actor","published_at":"2026-05-16T03:51:56.399Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"LastPass threat actor","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. 
TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.","timeline":[{"date":"2022-08-08","event":"Threat actor compromises LastPass developer laptop, exfiltrating 14 source code repositories, technical documentation, and an encrypted AWS S3 key.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2022-08-12","event":"Second intrusion begins: threat actor exploits unpatched Plex CVE-2020-5741 on DevOps engineer's home computer, installing keylogger malware to capture master password and gain access to corporate vault.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/"},{"date":"2022-10-26","event":"LastPass detects and terminates threat actor's persistent cloud storage access, which had lasted approximately 75 days.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/"},{"date":"2022-12-22","event":"LastPass publicly discloses that encrypted customer password vaults and associated metadata were stolen in the August–November breach.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2023-03-01","event":"Taylor Monahan (MetaMask) begins tracking unusual cryptocurrency theft pattern affecting crypto-native individuals, later linked to LastPass.","source":"","source_url":"https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/"},{"date":"2023-08-28","event":"Taylor Monahan concludes that nearly all theft victims had stored cryptocurrency seed phrases in LastPass, publicly linking the theft campaign to the 2022 
breach.","source":"","source_url":"https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/"},{"date":"2023-10-25","event":"Approximately $4.4 million drained from 25+ victim addresses in a single day, reported by ZachXBT.","source":"","source_url":"https://cointelegraph.com/news/lastpass-breach-hacker-steals-millions-crypto-wallets-zachxbt"},{"date":"2024-01-30","event":"$150 million in XRP stolen from personal cryptocurrency accounts of Ripple co-founder Chris Larsen, later attributed to LastPass breach.","source":"","source_url":"https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/"},{"date":"2024-02-01","event":"Over $6.2 million stolen from additional LastPass users in a new theft wave, tracked by ZachXBT.","source":"","source_url":"https://cryptoslate.com/hackers-steal-6-2-million-in-digital-assets-from-lastpass-users-investigators-track-stolen-funds/"},{"date":"2024-05-01","event":"Estimated total crypto losses linked to LastPass breach exceed $250 million, per researcher Taylor Monahan.","source":"","source_url":"https://cryptoslate.com/lastpass-linked-crypto-theft-climbs-to-over-250-million-after-latest-5-4-million-hit/"},{"date":"2024-09-26","event":"OFAC sanctions Cryptex, the Russia-based exchange used as an off-ramp for LastPass-linked stolen funds.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"},{"date":"2024-12-18","event":"ZachXBT reports $5.36 million drained from over 40 victim addresses, with funds swapped to ETH and converted to Bitcoin via instant exchange services.","source":"","source_url":"https://www.theblock.co/post/331118/lastpass-threat-actor-drains-5-4-million-in-crypto-from-over-40-victim-addresses-zachxbt"},{"date":"2025-03-06","event":"Federal prosecutors in Northern California seize $23,604,815 in cryptocurrency via civil 
forfeiture complaint, explicitly linking the Larsen theft to the 2022 LastPass breach.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach/"},{"date":"2025-11-20","event":"UK Information Commissioner's Office issues £1,228,283 penalty to LastPass UK Limited for GDPR violations stemming from the 2022 breach.","source":"","source_url":"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/"},{"date":"2025-12-01","event":"TRM Labs publishes report tracing over $35 million through Wasabi Wallet laundering pipeline, with on-chain indicators suggesting Russian cybercriminal involvement. Theft activity traced as recently as October 2025.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision 324b5462-3c02-4a62-ba31-507288a23143
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.
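The row-integrity check described above, reproduced as an added example (this is not avoid.net's verify_decision code). It assumes the canonical form is key-sorted, whitespace-free UTF-8 JSON, which matches the shape of the record shown on this page but is not stated by it, and that the stored hash is the base58 encoding of the raw 32-byte SHA-256 digest; the sample record is constructed.

```python
import hashlib
import json

# Base58 alphabet used by Bitcoin and Solana (omits 0, O, I and l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def canonical_bytes(record: dict) -> bytes:
    """ASSUMED canonical form: sorted keys, no whitespace, unescaped UTF-8."""
    text = json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def row_hash(canon: bytes) -> str:
    """SHA-256 over the exact canonical bytes, rendered as base58."""
    return b58encode(hashlib.sha256(canon).digest())


def verify_row(canon: bytes, stored_hash: str) -> bool:
    """True only if the bytes on hand hash to the value stored with the row."""
    return row_hash(canon) == stored_hash


# Constructed sample record (not the row from this page); key order is
# deliberately scrambled to show that canonicalisation normalises it.
RECORD = {"v": 1, "kind": "publish", "actor": "system:backfill",
          "sequence_num": 1, "snapshot": {"summary": "penalty of £1 (sample)"}}
CANON = canonical_bytes(RECORD)
STORED = row_hash(CANON)  # stands in for the hash stored with the row / memo

if __name__ == "__main__":
    print("canonical:", CANON.decode("utf-8"))
    print("untouched row verifies:", verify_row(CANON, STORED))
    tampered = CANON.replace(b'"publish"', b'"retract"')
    print("tampered row verifies:", verify_row(tampered, STORED))
```

The hash must be taken over the canonical bytes exactly as published; re-serialising a parsed copy with different key order, spacing or escaping yields a different digest even when the content is unchanged.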