Feds Seize $23 Million in Crypto Stolen Using Keys from LastPass Breaches

U.S. authorities have made a significant move to recover stolen cryptocurrency, seizing $23 million in crypto linked to a $150 million Ripple wallet theft. Experts believe that this incident is connected to the 2022 LastPass breach.

The seizure aligns with prior findings that cybercriminals used master passwords from LastPass to carry out major heists. The government's latest action officially secures the recovered funds, bringing closure to the victims of this devastating attack.

The Ripple Connection

Authorities believe that Ripple was hacked for approximately $213 million worth of XRP ($112.5 million). The stolen funds were laundered through multiple cryptocurrency exchanges, including MEXC, Gate, Binance, Kraken, OKX, HTX, HitBTC, and others.

Security researcher ZachXBT identified Chris Larsen, co-founder of Ripple, as the victim in this case. The rJNLz3A account was tagged as belonging to the entity Ripple in both XRPScan and Bithomp.

The Investigation

Law enforcement traced $23,604,815.09 of stolen crypto between June 2024 and February 2025 to multiple exchanges. According to the complaint for forfeiture unsealed by the U.S. DoJ, threat actors may have used private keys extracted by cracking the victim's password vault, which was stolen in the 2022 security breach of an online password manager.

The FBI has been investigating these data breaches, and law enforcement agents investigating this case have spoken with FBI agents about their investigation. Investigators found no evidence of device hacking, supporting the hypothesis that attackers decrypted stolen password manager data to access the victim's crypto wallet.

Expert Analysis

Security researchers Nick Bax and Taylor Monahan found that none of the six-figure cyberheist victims appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto theft, such as the compromise of one's email and/or mobile phone accounts, or SIM-swapping attacks.

They discovered that all the victims had stored their cryptocurrency seed phrase — the secret code that lets anyone gain access to their cryptocurrency holdings — in the "Secure Notes" area of their LastPass account prior to the 2022 breaches at the company.

LastPass's Response

LastPass's statement highlights that they are not aware of any conclusive evidence that connects any crypto thefts to their incident. They acknowledge, however, that they have been working with law enforcement and investing heavily in enhancing their security measures.

"In the meantime, we will continue to do so," reads the statement. "We have been transparent about the incident since our initial disclosure back in 2022 and will cooperate fully with any future investigations."

Criticism of LastPass

Security researcher Taylor Monahan criticized LastPass for not warning users that stored secrets, especially in "Secure Notes," may be at risk. She blamed their inaction for massive financial losses.

Conclusion

The seizure of $23 million in crypto by U.S. authorities marks a significant step forward in recovering stolen funds linked to the 2022 LastPass breach. While LastPass has taken steps to enhance their security measures, critics argue that more needs to be done to prevent similar attacks in the future.