ripple

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.

Chris Larsen is the co-founder and Executive Chairman of Ripple, one of the most prominent figures in the XRP ecosystem. On January 30, 2024, attackers drained an estimated 213–283 million XRP (valued at $112.5–$150 million) from his personal cryptocurrency accounts — not Ripple corporate wallets — in what became the largest individual crypto theft of 2024. A U.S. government forfeiture complaint filed in March 2025 linked the breach to the 2022 LastPass password manager hack, alleging that private keys had been stored in an online vault subsequently compromised by attackers.

LastPass is a widely used password manager that suffered a catastrophic two-stage data breach in 2022, resulting in the theft of encrypted customer password vaults containing cryptocurrency seed phrases and private keys. Threat actors subsequently cracked these vaults offline over the following years, draining crypto wallets in waves totaling more than $438 million across hundreds of victims by late 2025. The breach has led to a £1.2 million UK ICO regulatory fine, a $24.45 million US class action settlement, US federal seizures, and on-chain attribution by TRM Labs and blockchain researcher ZachXBT to Russian cybercriminal infrastructure.