Feds Link $150M Cyberheist To 2022 LastPass Hacks (krebsonsecurity.com)

AmiMoJo writes: In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing last week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.

On March 6, federal prosecutors in northern California said they seized approximately $24 million worth of cryptocurrencies that were clawed back following a $150 million cyberheist on Jan. 30, 2024. The complaint refers to the person robbed only as 'Victim-1,' but according to blockchain security researcher ZachXBT the theft was perpetrated against Chris Larsen, the co-founder of the cryptocurrency platform Ripple.

ZachXBT was the first to report on the heist, of which approximately $24 million was frozen by the feds before it could be withdrawn. This week's action by the government merely allows investigators to officially seize the frozen funds. But there is an important conclusion in this seizure document: It basically says the U.S. Secret Service and the FBI agree with the findings of the LastPass breach story published here in September 2023.

  • So KrebsOnSecurity rocks. Brian knows his stuff 100%. He's not a Russian troll.

    I'm "curious" how "the feds" "froze" crypto. It's missing from this /. summary.

    Can anyone explain how "the feds" "froze" crypto? And of course how that proves crypto is decentralized.

    • by mysidia ( 191772 )

      I'm "curious" how "the feds" "froze" crypto. It's missing from this /. summary.

      If money was deposited to an account on a crypto exchange, and the Exchange finds it suspicious or the government orders them, then transfers out of that account will be frozen.

      Similarly, the feds can identify certain wallet addresses to all the crypto exchanges to have any funds deposited from those addresses immediately placed on hold - when they try to deposit crypto to an exchange account in order to sell it: The deposit wil

    • by gweihir ( 88907 )

      "Frozen" crapto typically means one of two things:
      1) The crapto was with an exchange and the exchange froze it on request because they are afraid of the feds. That works because the crapto is in a wallet controlled by the exchange at that time.
      2) (A "soft freeze") The feds let it be known that they know where the crapto is and that they would take it very much amiss if any exchange were to be willing to touch that crapto. That works because it becomes very difficult to move that crapto.

      In both cases, it is

    • Not your keys, not your coins.

      Exchanges are like having a demand-deposit account at a bank.

      • Worse... banks don't get bankrupted if someone swipes their master key, and if they did get bankrupted, stuff is insured.

        This is where people need to learn the difference between custodial and non-custodial wallets.

    • by AmiMoJo ( 196126 )

      Presumably they just contacted the exchanges that convert crypto to real money and told them not to cash out that particular wallet.

  • by gweihir ( 88907 ) on Monday March 10, 2025 @12:38PM (#65223409)

    When protecting a lot? I mean TOTP keychain or card is something like $25 and a hardware password manager with USB that pretends to be a keyboard is below $100. Both are not easy to attack.

    • Maybe take it a step further and have fairly rigorous protection? Trezor and Ledger are proven wallets, but make sure you have a process beforehand [1]. Don't forget to have some "steel wallets" for the BIP-39 recovery code first, and make sure to have some place for those that isn't slapped over social media [2].

      Trezor is nice because it works well enough for GPG and SSH, as well as a FIDO token.

      [1]: If I am creating a new wallet, what I do is reset a hardware wallet, generate a BIP-39 key. Then nuke a

    • IMO, passwords are more secure than 2FA and trusting some cloud server in almost every case, if you're willing to put up with a little bit of inconvenience. All my passwords are random, locally-generated, 16 to 32 characters, and unique for every site. They're stored in a locally encrypted file (a Keepass variant) which never leaves my laptop and never needs to access the internet at all. Eliminating or greatly reducing the dependence on external security tools is just good practice.
    • All the person had to do was change their passwords after they KNEW that LastPass had been hacked.

      To not change your passwords after losing access to your vault is negligent.

  • You mean uploading all your passwords to the cloud may not have been the best idea? SHOCKING

    • by bill_mcgonigle ( 4333 ) * on Monday March 10, 2025 @12:48PM (#65223441) Homepage Journal

      I left LP when someone here pointed out that the metadata (e.g. site names) was stored in cleartext.

      I disbelieved the comment and went to debunk it.

      I was instead horrified.

      If you know the site name you know where to spend your $$$ cracking.

      I wonder what the disclosure delay was vs. if he didn't change his important passwords.

      • by gweihir ( 88907 )

        I disbelieved the comment and went to debunk it.

        I was instead horrified.

        Well, you did the right thing here, namely not just believing something or not, but trying to verify and actually find out.

      • I left LP when LMI bought them out. I had had a bad experience cancelling with LMI, as at the time they only allowed cancelling over the phone, so when LP was bought out I pulled my stuff out and moved to BitWarden.

        Reading that LastPass didn't encrypt URLs at the time (they say they do now, so I'm going to take them at their word) was something that ensured I'd continue to stay away from them. URLs can be used for authentication, and they offer a ton of insight to attackers, and can reveal points to a

  • Near the end of the article:
    According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

    “Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. T
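The point raised by bill_mcgonigle above, that a vault which leaves site names in cleartext tells a thief which stolen vaults are worth spending cracking effort on, can be demonstrated with a small constructed vault format. This is an added example, not LastPass's or any other product's real format: it derives the vault key with PBKDF2-HMAC-SHA256 and uses an HMAC-SHA256 counter-mode keystream as a stand-in record cipher (no integrity tag, so it is for illustration only), then compares what a stolen file reveals when only the password field is encrypted versus when the whole record is.

```python
import base64, hashlib, hmac, json, os

# Constructed demo format, not LastPass's. Work factor paid per guess by an attacker.
ITERATIONS = 200_000

def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode cipher: HMAC(key, nonce||counter) blocks XORed into data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_vault(entries, master_password, encrypt_metadata, iterations=ITERATIONS) -> str:
    """Serialize entries ({url, username, password}) to the on-disk JSON blob.
    encrypt_metadata=False mimics the weak design: URL and username stay readable."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    records = []
    for n, e in enumerate(entries):
        nonce = n.to_bytes(8, "big")          # unique per record within this vault
        if encrypt_metadata:
            ct = _xor_keystream(key, nonce, json.dumps(e).encode())
            records.append({"ct": base64.b64encode(ct).decode()})
        else:
            ct = _xor_keystream(key, nonce, e["password"].encode())
            records.append({"url": e["url"], "username": e["username"],
                            "ct": base64.b64encode(ct).decode()})
    return json.dumps({"salt": salt.hex(), "iterations": iterations, "records": records})

def readable_without_key(blob: str) -> list:
    """Everything a thief learns from the stolen file alone (every non-ciphertext field)."""
    vault = json.loads(blob)
    return sorted({v for r in vault["records"] for k, v in r.items() if k != "ct"})

def open_vault(blob: str, master_password: str) -> list:
    """Decrypt with the master password; returns the original entry dicts."""
    vault = json.loads(blob)
    key = derive_key(master_password, bytes.fromhex(vault["salt"]), vault["iterations"])
    out = []
    for n, r in enumerate(vault["records"]):
        pt = _xor_keystream(key, n.to_bytes(8, "big"), base64.b64decode(r["ct"])).decode()
        out.append({"url": r["url"], "username": r["username"], "password": pt}
                   if "url" in r else json.loads(pt))
    return out

SAMPLE = [  # constructed sample entries
    {"url": "https://exchange.example", "username": "alice", "password": "correct horse"},
    {"url": "https://forum.example", "username": "alice", "password": "battery staple"},
]
```

With `encrypt_metadata=False`, `readable_without_key` returns the exchange URL without any cracking at all; with `True`, it returns nothing, and the attacker must first recover the master password to learn whether the vault is even interesting.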
