U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
Despite the threat actors’ efforts, law enforcement agents traced $23,604,815.09 of the stolen digital assets between June 2024 and February 2025 to the following cryptocurrency exchanges: OKX, Payward Interactive, Inc. (dba Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (dba FixedFloat), SwapSpace LLC, and Rabbit Finance LLC (dba CoinRabbit).
A forfeiture complaint unsealed by the U.S. Justice Department yesterday and first spotted by crypto fraud investigator ZachXBT reveals that U.S. Secret Service agents who interviewed the victim believe the attackers could only have stolen the cryptocurrency using private keys extracted by cracking the victim’s password vault, which was stolen in a 2022 breach of an online password manager.
They found that the stolen data and passwords stored in several victims’ password manager accounts were used by attackers to access “their electronic accounts and steal information, cryptocurrency, and other data.”
They also discovered no evidence that the victim’s devices were hacked, which points to the decryption of the stolen online password manager data as the only way the attackers could have obtained the keys needed to compromise the victim’s crypto wallet.
“The scale of a theft and rapid dissipation of funds would have required the efforts of multiple malicious actors, and was consistent with the online password manager breaches and attack on other victims whose cryptocurrency was stolen,” the complaint reads.
“For these reasons, law enforcement agents believe the cryptocurrency stolen from Victim was committed by the same attackers who conducted the attack on the online password manager, and cryptocurrency thefts from other similarly situated victims.”
Crypto theft linked to LastPass hacks
While the investigators didn’t name the online password manager, the complaint says that the platform was hit by “two major data breaches” in August 2022 and November 2022.
This timeline aligns with security breaches disclosed by LastPass three years ago when the company said that attackers stole source code and proprietary technical information, as well as customer vault data, after breaching its cloud storage.
Since then, multiple security experts have shared that they believe the LastPass hackers have cracked some of the stolen vault data and used the extracted private keys and credentials in major cryptocurrency heists.
Even though the investigators didn’t identify the victim, the details match the hack and the theft of $150 million in cryptocurrency from Ripple co-founder and executive chairman Chris Larsen, which was disclosed on January 31, 2024.
ZachXBT first linked the $23 million in cryptocurrency seized this week to the hack of Larsen’s XRP wallet.
“A forfeiture complaint filed yesterday by US law enforcement revealed the cause for the ~$150M (283M XRP) hack of Ripple co-founder, Chris Larsen’s wallet in Jan 2024 was the result of storing private keys in LastPass (password manager which was hacked in 2022),” he said today in a Telegram message.
LastPass and Ripple spokespersons were not immediately available when BleepingComputer reached out for comment earlier today.