seed-phrase

An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.

Fake Ledger Live apps are malicious wallet impersonation applications distributed through official app stores — including the Microsoft Store and Apple App Store — that harvest cryptocurrency seed phrases to drain victims' wallets. Two major documented incidents have resulted in confirmed losses of at least $10.3 million: approximately $768,000 via the Microsoft Store in November 2023, and approximately $9.5 million via the Apple App Store in April 2026. Parallel macOS malware campaigns distributing trojanized DMG installers have been active since at least August 2024, with four concurrent active campaigns identified by security researchers.