In September 2023, KrebsOnSecurity published the findings of security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen in the 2022 breach of the password manager LastPass. In a legal filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
On March 6, federal prosecutors in Northern California said they had seized roughly $24 million in cryptocurrency that was recovered following a $150 million cyberheist on January 30, 2024. The complaint identifies the victim only as "Victim 1," but ZachXBT reported that the theft was perpetrated against Chris Larsen, co-founder of the cryptocurrency platform Ripple.
ZachXBT was the first to report on the heist, of which roughly $24 million was frozen by authorities before it could be withdrawn. This week's action by the government simply allows investigators to formally seize the frozen funds.
But there is an important conclusion in this seizure document: it essentially says the U.S. Secret Service and the FBI agree with the conclusions of the LastPass breach story published here in September 2023. That piece cited security researchers who said they had assisted many six-figure crypto theft victims, and who all believed those thefts were the result of crooks cracking master passwords for the password vaults stolen in 2022.
“The Federal Bureau of Investigation has been investigating these data breaches, and the law enforcement agents investigating the instant case spoke with the FBI agents about their investigation,” reads the seizure complaint, which was written by a U.S. Secret Service agent. “Based on those conversations, the law enforcement agents in this case learned that the stolen data and passwords that were stored in several victims' online password management accounts were used to illegally, and without authorization, access the victims' electronic accounts and steal information, cryptocurrency and other data.”
The document continues:
“Based on this investigation, law enforcement had probable cause to believe that the same attackers behind the online password manager attack described above used a stolen password from Victim 1's online password management account and, without authorization, accessed Victim 1's cryptocurrency wallet/account.”
Working with dozens of victims, security researchers Nick Bax and Taylor Monahan found that none of the six-figure cyberheist victims appeared to have suffered the types of attacks that typically precede a high-dollar crypto theft, such as the compromise of their email and/or mobile phone accounts, or SIM-swapping attacks.
They discovered the victims all had something else in common: each had at one point stored their cryptocurrency seed phrase, the secret code that allows anyone to access your cryptocurrency holdings, in the “Secure Notes” area of their LastPass account prior to the company's 2022 breaches.
Bax and Monahan found another common theme with these thefts: they all followed a similar pattern of laundering the stolen funds by rapidly moving them through a dizzying number of drop accounts scattered across various cryptocurrency exchanges.
According to the government, a similar level of complexity was present in the $150 million heist against the Ripple co-founder last year.
“The scale of the theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches and attacks against other victims whose cryptocurrency was stolen,” the government wrote. “For these reasons, law enforcement officers believe the cryptocurrency theft from Victim 1 was perpetrated by the same attackers who conducted the attack on the online password manager and the cryptocurrency thefts from other similarly situated victims.”
Asked to comment, LastPass said it has seen no definitive evidence, from federal investigators or anyone else, that the cyberheists in question were linked to the LastPass breaches.
“Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a statement. “To date, our law enforcement partners have not made us aware of any conclusive evidence that connects any crypto thefts to our incident. In the meantime, we have been investing heavily in enhancing our security measures and will continue to do so.”
On August 25, 2022, LastPass CEO Karim Toubba told users the company had detected unusual activity in its software development environment, and that intruders had stolen source code and proprietary technical information. On September 15, 2022, LastPass said an investigation into the August breach determined the attacker had not accessed any customer data or password vaults.
But on November 30, 2022, LastPass notified customers of a second, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.
Experts say the breach would have given thieves “offline” access to the encrypted password vaults, theoretically allowing them all the time in the world to try to crack some of the weaker master passwords using powerful systems that can attempt millions of password guesses per second.
The researchers noted that many cyberheist victims had chosen master passwords with relatively low complexity, and were among the earliest LastPass customers. Indeed, legacy LastPass users were more likely to have master passwords protected with far fewer “iterations,” which refers to the number of times your password is run through the company's encryption routines. In general, the more iterations, the longer it takes an offline attacker to crack your master password.
Over the years, LastPass has required new users to pick longer and more complex master passwords, and has raised the number of iterations multiple times by several orders of magnitude. But the researchers found strong indications that LastPass never succeeded in upgrading many of its older customers to the new requirements and password protections.
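To make the iteration point concrete, here is an added example in Python (not LastPass's own code): it derives a vault key with PBKDF2-HMAC-SHA256 at a low and a high iteration count, compares what a legitimate unlock costs against an attacker's expected offline cracking time, and flags accounts that sit below a baseline. The two iteration counts, the attacker's hash rate and the 40-bit password strength are constructed assumptions, not figures from the article.

```python
import hashlib
import time

# Constructed, illustrative iteration counts (assumption, not figures from the article):
# a low legacy-style setting versus a modern high setting.
LEGACY_ITERATIONS = 5_000
MODERN_ITERATIONS = 600_000

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256, salted with the account e-mail.
    Salting with the e-mail follows how LastPass has publicly described its scheme; the
    exact parameters are treated as assumptions here, not as the product's own code.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"), iterations, dklen=32,
    )

def attacker_guesses_per_second(raw_hmacs_per_second: float, iterations: int) -> float:
    """Each guess costs `iterations` HMAC-SHA256 calls, so the guess rate falls linearly."""
    return raw_hmacs_per_second / iterations

def expected_crack_seconds(entropy_bits: float, raw_hmacs_per_second: float, iterations: int) -> float:
    """Expected time to hit a password of the given entropy: on average half the keyspace."""
    keyspace = 2.0 ** entropy_bits
    return (keyspace / 2.0) / attacker_guesses_per_second(raw_hmacs_per_second, iterations)

def iteration_audit(iterations: int, minimum: int = MODERN_ITERATIONS) -> str:
    """Defender's check: flag a vault whose iteration count is below the current baseline."""
    return "OK" if iterations >= minimum else f"LOW: {iterations} < {minimum}, raise iterations and re-encrypt vault"

def login_derivation_seconds(iterations: int) -> float:
    """Wall-clock cost of one legitimate unlock at this iteration count (what the user pays)."""
    start = time.perf_counter()
    derive_vault_key("correct horse battery staple", "user@example.com", iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    rig = 1e10  # constructed attacker budget: 10^10 raw HMAC-SHA256/s (assumption)
    for label, iters in (("legacy", LEGACY_ITERATIONS), ("modern", MODERN_ITERATIONS)):
        days = expected_crack_seconds(40, rig, iters) / 86_400  # ~40-bit master password
        print(f"{label}: {iters:,} iterations, unlock {login_derivation_seconds(iters) * 1000:.0f} ms,"
              f" expected crack of a 40-bit password {days:.1f} days, audit={iteration_audit(iters)}")
```

The user's unlock cost grows with the iteration count just as the attacker's does, which is why the count is a tunable trade-off rather than something to raise without bound.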
Asked about LastPass's continued denials, Bax said that after the initial warning of our story in 2023, he naively hoped people would migrate their funds to new cryptocurrency wallets.
“While some did, continued thefts underscore how much more work needs to be done,” Bax told KrebsOnSecurity. “It's validating to see the Secret Service and FBI corroborate our findings, but I'd rather see fewer of these hacks in the first place. ZachXBT and SEAL 911 reported another wave of thefts as recently as December, showing the threat is still very real.”
Monahan said LastPass still has not alerted its customers that their secrets, especially those stored in “Secure Notes,” may be at risk.
“It's been two and a half years since LastPass was breached, (and) hundreds of millions of dollars have been stolen from individuals and companies around the globe,” Monahan said. “They could have encouraged users to rotate their credentials. They could have prevented millions and millions of dollars from being stolen by these threat actors. But instead, they chose to deny their customers were at risk and blame the victims instead.”