Blockchain investigation firm TRM Labs has linked the ongoing cryptocurrency thefts to the LastPass breach that occurred in 2022. According to reports, the attackers have been draining wallets years after encrypted vaults were stolen and laundering the digital assets through Russian exchanges. In 2022, LastPass confirmed that attackers had breached its systems by compromising a developer environment. The platform added that the criminals stole portions of the company’s source code and proprietary technical information. In another related incident, the hackers used the stolen credentials to breach the GoTo cloud storage firm, stealing LastPass database backups stored on the platform. For some users, the vault contained both stored credentials and cryptocurrency wallet private keys and seed phrases. Cryptocurrency theft attacks linked to LastPass breach During the breach, LastPass claimed that its vaults were encrypted. However, users with weak or reused master passwords were vulnerable to offline cracking, which TRM Labs believes has been ongoing since the breach occurred. “Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” warned LastPass when they disclosed the breach. The link between the LastPass breaches and the cryptocurrency thefts was also confirmed by the United States Secret Service last year after the agency seized more than $23 million in crypto and said the attackers had obtained the private keys of their victims by decrypting vault data stolen in a password manager breach. Court filings also mentioned that there was no evidence that the victims’ devices had been compromised through malware or phishing. In its report, TRM Labs connected the ongoing crypto theft to the abuse of the encrypted LastPass vaults stolen in 2022. Rather than the hackers moving swiftly to drain the entire wallets after the breach, the thefts have been carried out in waves, months or years after the incident occurred. It also shows that attackers have been gradually decrypting vaults and extracting stored credentials. In addition, the wallets were drained using similar transaction methods. TRM Labs also mentioned that the method used during the breach showed that the hackers possessed the private keys before the thefts. “The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach,” TRM said. The platform noted that it created a scenario in which the wallet occurs in the future, rather than immediately after the breach happened. TRM Labs highlights the use of Wasabi’s CoinJoin feature The platform also mentioned that its research was initially based on a small number of reports, including several submissions made to Chainabuse, where users identified the LastPass breach as the method the hackers used to steal their wallets. The researchers increased their investigation, identifying cryptocurrency transaction behavior across other cases, eventually linking it to the data theft campaign. TRM also added that it was able to trace funds even after the attackers mixed them using Wasabi wallet’s CoinJoin feature. CoinJoin is a Bitcoin privacy technique that includes all transactions from multiple users into a single transaction, making it harder to determine which input corresponds to which output. The feature obfuscates transactions without using a traditional mixing service. After draining wallets , the hackers usually convert stolen assets to Bitcoin, route them through Wasabi Wallet, and attempt to hide their tracks using the feature. However, TRM mentioned that it was able to demix the Bitcoin sent using the CoinJoin feature by analyzing behavioral characteristics, such as transaction structure, timing, and wallet configuration choices. It was also able to match deposits with withdrawal patterns that matched the crypto theft. Get $50 free to trade crypto when you sign up to Bybit now
