Verify a decision

{"actor":"system:backfill","investigation_id":"219731db-fb28-45ef-abd7-04ff7031fe90","kind":"publish","page_slug":"lastpass","published_at":"2026-05-16T03:55:57.864Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"LastPass","sections":[{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]},{"content":"","heading":"","severity":"medium","sources":[]}],"sources_used":[],"summary":"LastPass is a widely used password manager that suffered a catastrophic two-stage data breach in 2022, resulting in the theft of encrypted customer password vaults containing cryptocurrency seed phrases and private keys. Threat actors subsequently cracked these vaults offline over the following years, draining crypto wallets in waves totaling more than $438 million across hundreds of victims by late 2025. The breach has led to a £1.2 million UK ICO regulatory fine, a $24.45 million US class action settlement, US federal seizures, and on-chain attribution by TRM Labs and blockchain researcher ZachXBT to Russian cybercriminal infrastructure.","timeline":[{"date":"2022-08-08","event":"First intrusion: attacker compromises LastPass developer's corporate laptop, exfiltrates source code and technical documentation over four days.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/"},{"date":"2022-08-25","event":"LastPass CEO Karim Toubba publicly discloses the August breach, claiming no customer data was accessed.","source":"","source_url":"https://blog.lastpass.com/posts/notice-of-recent-security-incident"},{"date":"2022-09-08","event":"Second intrusion begins: attackers use stolen credentials from a senior DevOps engineer to access AWS S3 cloud storage.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2022-09-22","event":"Second intrusion ends; attackers have exfiltrated a backup of customer vault data including encrypted seed phrases and private keys.","source":"","source_url":"https://en.wikipedia.org/wiki/2022_LastPass_data_breach"},{"date":"2022-11-30","event":"LastPass publicly discloses the full scope of the breach, acknowledging that encrypted customer password vaults were stolen.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/"},{"date":"2023-09-15","event":"KrebsOnSecurity publishes security researcher findings concluding that a series of six-figure crypto heists across dozens of victims resulted from cracked LastPass master passwords.","source":"","source_url":"https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/"},{"date":"2023-10-01","event":"ZachXBT documents approximately $4.4 million stolen from LastPass breach victims in October 2023.","source":"","source_url":"https://www.bankinfosecurity.com/crypto-roundup-lastpass-breach-linked-to-54m-crypto-theft-a-27109"},{"date":"2024-01-30","event":"Ripple co-founder Chris Larsen has approximately 283 million XRP (~$150 million) stolen from wallets whose private keys were stored in LastPass.","source":"","source_url":"https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/"},{"date":"2024-02-01","event":"ZachXBT is first to publicly attribute the Larsen XRP theft to the LastPass breach via Telegram. ZachXBT documents a separate $6.2 million theft wave in February 2024.","source":"","source_url":"https://www.theblock.co/post/345212/ripple-co-founder-chris-larsen-losing-over-100-million-of-xrp-tied-to-lastpass-hack-says-zachxbt"},{"date":"2024-06-01","event":"Law enforcement begins tracing $23.6 million of Larsen's stolen XRP across OKX, Kraken, WhiteBIT, AscendEX, FixedFloat, SwapSpace, and CoinRabbit.","source":"","source_url":"https://www.bleepingcomputer.com/news/security/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach/"},{"date":"2024-12-16","event":"ZachXBT reports $5.4 million stolen from over 40 victim addresses on December 16–17; funds swapped for ETH then converted to Bitcoin via instant exchanges.","source":"","source_url":"https://www.theblock.co/post/331118/lastpass-threat-actor-drains-5-4-million-in-crypto-from-over-40-victim-addresses-zachxbt"},{"date":"2024-12-17","event":"ZachXBT reports a separate theft of $12.38 million from more than 100 wallet addresses (Bitcoin, Ethereum, Avalanche) within hours.","source":"","source_url":"https://bitcoinethereumnews.com/crypto/zachxbt-ties-12-38-million-crypto-drain-to-lastpass-breach-100-victimized-wallets/"},{"date":"2025-03-06","event":"US federal prosecutors in the Northern District of California seize approximately $23–24 million in cryptocurrency linked to the Larsen XRP theft. DOJ forfeiture complaint unsealed confirms LastPass breach as root cause.","source":"","source_url":"https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastpass-hacks/"},{"date":"2025-09-01","event":"TRM Labs identifies a new September 2025 wave of approximately $7 million in additional thefts laundered through Wasabi Wallet to Russian exchange Audi6.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"},{"date":"2025-11-20","event":"UK ICO issues £1.23 million monetary penalty against LastPass UK Ltd for UK GDPR violations arising from the 2022 breach, citing inadequate technical security measures affecting 1.6 million UK users.","source":"","source_url":"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/"},{"date":"2025-12-01","event":"TRM Labs publishes comprehensive on-chain investigation concluding total cryptocurrency losses attributable to the LastPass breach exceed $438 million, with laundering traced to Russian exchanges Cryptex (OFAC-sanctioned) and Audi6 via Wasabi Wallet CoinJoin.","source":"","source_url":"https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement"},{"date":"2026-02-02","event":"US court grants preliminary approval to $24.45 million class action settlement covering LastPass breach victims, with a $16.25 million sub-fund for cryptocurrency loss claims.","source":"","source_url":"https://www.classaction.org/news/8.2m-lastpass-settlement-ends-class-action-lawsuit-over-2022-data-breach"}]},"v":1}