Verify a decision

{"actor":"system:backfill","investigation_id":"19984e08-4ddb-4ba5-9fc2-fd9b52490dbe","kind":"publish","page_slug":"lastpass-threat-actor","published_at":"2026-05-16T03:51:56.399Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"LastPass threat actor","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"An unidentified threat actor or group breached LastPass in August–November 2022, exfiltrating encrypted customer password vaults containing cryptocurrency seed phrases and private keys stored by an estimated 25–30 million users. Beginning in late 2022 and continuing at least through late 2025, the actors allegedly cracked weak master passwords offline and drained cryptocurrency wallets in coordinated waves, with documented losses exceeding $250 million across hundreds of victims and a single high-profile $150 million XRP theft attributed to Ripple co-founder Chris Larsen. TRM Labs on-chain analysis and law enforcement investigations link the laundering activity to Russian cybercriminal infrastructure, including OFAC-sanctioned exchange Cryptex.","timeline":[{"date":"2022-08-08","event":"Threat actor compromises LastPass developer laptop, exfiltrating 14 source code repositories, technical documentation, and an encrypted AWS S3 key.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2022-08-12","event":"Second intrusion begins: threat actor exploits unpatched Plex CVE-2020-5741 on DevOps engineer's home computer, installing keylogger malware to capture master password and gain access to corporate vault.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/"},{"date":"2022-10-26","event":"LastPass detects and terminates threat actor's persistent cloud storage access, which had lasted approximately 75 days.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/"},{"date":"2022-12-22","event":"LastPass publicly discloses that encrypted customer password vaults and associated metadata were stolen in the August–November breach.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2023-03-01","event":"Taylor Monahan (MetaMask) begins tracking unusual cryptocurrency theft pattern affecting crypto-native individuals, later linked to LastPass.","source":"","source_url":"https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/"},{"date":"2023-08-28","event":"Taylor Monahan concludes that nearly all theft victims had stored cryptocurrency seed phrases in LastPass, publicly linking the theft campaign to the 2022 breach.","source":"","source_url":"https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/"},{"date":"2023-10-25","event":"Approximately $4.4 million drained from 25+ victim addresses in a single day, reported by ZachXBT.","source":"","source_url":"https://cointelegraph.com/news/lastpass-breach-hacker-steals-millions-crypto-wallets-zachxbt"},{"date":"2024-01-30","event":"$150 million in XRP stolen from personal cryptocurrency accounts of Ripple co-founder Chris Larsen, later attributed to LastPass breach.","source":"","source_url":"https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/"},{"date":"2024-02-01","event":"Over $6.2 million stolen from additional LastPass users in a new theft wave, tracked by ZachXBT.","source":"","source_url":"https://cryptoslate.com/hackers-steal-6-2-million-in-digital-assets-from-lastpass-users-investigators-track-stolen-funds/"},{"date":"2024-05-01","event":"Estimated total crypto losses linked to LastPass breach exceed $250 million, per researcher Taylor Monahan.","source":"","source_url":"https://cryptoslate.com/lastpass-linked-crypto-theft-climbs-to-over-250-million-after-latest-5-4-million-hit/"},{"date":"2024-09-26","event":"OFAC sanctions Cryptex, the Russia-based exchange used as an off-ramp for LastPass-linked stolen funds.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"},{"date":"2024-12-18","event":"ZachXBT reports $5.36 million drained from over 40 victim addresses, with funds swapped to ETH and converted to Bitcoin via instant exchange services.","source":"","source_url":"https://www.theblock.co/post/331118/lastpass-threat-actor-drains-5-4-million-in-crypto-from-over-40-victim-addresses-zachxbt"},{"date":"2025-03-06","event":"Federal prosecutors in Northern California seize $23,604,815 in cryptocurrency via civil forfeiture complaint, explicitly linking the Larsen theft to the 2022 LastPass breach.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach/"},{"date":"2025-11-20","event":"UK Information Commissioner's Office issues £1,228,283 penalty to LastPass UK Limited for GDPR violations stemming from the 2022 breach.","source":"","source_url":"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/"},{"date":"2025-12-01","event":"TRM Labs publishes report tracing over $35 million through Wasabi Wallet laundering pipeline, with on-chain indicators suggesting Russian cybercriminal involvement. Theft activity traced as recently as October 2025.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"}]},"v":1}