LastPass Hackers Steal $5.36M From Users Days Before Holidays

1 week ago 1875
ARTICLE AD BOX

The festive season is back and it’s back with scammers. Users of LastPass, a widely used tool for managing digital credentials, suffered a major blow with hackers stealing $5.36 million worth of cryptocurrencies just days before Christmas.

The latest exploit is a continuation of the 2022 LastPass breach.

The incident was first reported by blockchain sleuth ZachXBT on his Telegram channel. The threat actor reportedly drained $5.36 million from approximately 40 LastPass users. These stolen funds were then swapped to Ethere and transferred across many exchanges to obscure the trail.

Hacking The Holidays

According to ZachXBT, the latest theft is a continuation of the 2022 breach, where a threat actor compromised a LastPass software engineer’s laptop and gained access to source code and proprietary technical documentation.

LastPass confirmed in late 2022 that the attacker successfully copied customer vault data during the breach, including encrypted passwords and other critical information. While the data was encrypted, the hackers have been working to decrypt it over time.

Since the 2022 breach, there have been over 150 reported cryptocurrency thefts, totaling more than $35 million in losses. Victims were mainly those who had stored their cryptocurrency seed phrases with LastPass. The new exploit brings the total estimated crypto losses to around $45 million.

Security Alliance (SEAL) also issued a warning to anyone who used LastPast before 2023, especially if they stored information related to cryptocurrency. The white hat hacker team said that they had identified over 15 cases of potential LastPast-linked hacks on Monday.

With hackers actively exploiting the LastPass breach, users who stored private keys or seed phrases must immediately move their assets to a new, secure wallet. Those using smart contracts or multi-signature wallets should also reconfigure them with new addresses that are not associated with LastPass.

The holiday season has become a chance for scammers to actively target cryptocurrency users due to increased online activity, as warned by blockchain security firm Cyvers Alerts.

As people are preoccupied with holiday preparations, they may become less vigilant and more susceptible to hack attempts, leading to potential financial losses.

Cyvers advises users to verify communications, enable two-factor authentication, and avoid public Wi-Fi for sensitive transactions. Awareness of holiday-themed phishing tactics is a must for safeguarding assets.

ADA Exploit

Social media account takeovers targeting prominent brands and figures are also on the rise.

On December 8, the Cardano Foundation’s official X account was compromised. The hackers used the account to promote a fake token called ADAsol and spread false claims about an alleged lawsuit from the U.S.Securities and Exchange Commission (SEC).

The attackers falsely asserted that the foundation would cease support for its native ADA token due to the claimed lawsuit.

The fraudulent posts led to a trading volume of approximately $500,000 for the scam token before its value plummeted by 99% once the scam was exposed. The Cardano community quickly alerted others about the breach, stressing that there was no SEC lawsuit.

Charles Hoskinson, the founder of Cardano, publicly acknowledged the hack and reassured users about the integrity of their systems. The Cardano Foundation has since regained control of its account and is conducting a thorough investigation to prevent future incidents.

Just days later, on December 14, Canadian rapper Drake’s official X account was hacked, with attackers promoting a fraudulent Solana-based meme coin named Anita. This coin was falsely claimed to be launched in partnership with Stake, a gambling platform with which Drake has a longstanding relationship.

The hackers used Drake’s upcoming Anita Max Wynn Tour to lend credibility to their scheme, falsely claiming that the token was associated with it.

The posts included a contract address for the token and featured promotional graphics before being swiftly removed. The fraudulent promotion generated about $5 million in trading volume before traders recognized it as a scam and halted purchases.

Read Entire Article