A chilling pattern of cryptocurrency thefts that has been unfolding since December 2022 came into sharp focus in early September 2023 when security researchers confirmed that a breach of the popular password manager LastPass was directly linked to the theft of more than $35 million in cryptocurrency from over 150 victims. The findings, first reported by KrebsOnSecurity and corroborated by MetaMask lead product manager Taylor Monahan, reveal a fundamental vulnerability in how security-conscious cryptocurrency users protect their digital assets.
The Threat Landscape
The LastPass breach, which was initially disclosed in November 2022, involved the theft of encrypted password vaults containing both encrypted and plaintext data for more than 25 million users. While LastPass assured users that vault data was encrypted and therefore safe, the reality proved far more troubling for cryptocurrency holders who had stored their seed phrases within the password manager.
A seed phrase, typically consisting of 12 or 24 words, is the master key to a cryptocurrency wallet. Anyone who possesses this phrase has complete and irreversible access to all funds associated with that wallet. Taylor Monahan, who has been investigating the thefts since late 2022, discovered a highly reliable set of clues connecting the robberies of more than 150 individuals. The victims collectively lost over $35 million worth of cryptocurrency, with roughly two to five high-dollar heists occurring each month since December 2022.
What makes this threat particularly insidious is the profile of the victims. According to Monahan, virtually all of the affected individuals were longtime cryptocurrency investors and security-minded people. Many were employees of reputable crypto organizations, venture capitalists, DeFi protocol developers, smart contract deployers, and full node operators. None appeared to have suffered the typical precursor attacks, such as email or phone compromises, that usually precede high-value crypto thefts.
Core Principles
The core principle violated in this case is straightforward: your seed phrase should never exist in a digital format that is connected to the internet, even within an encrypted container. While storing seed phrases in a password manager has long been considered a reasonable security practice by many cybersecurity enthusiasts, the LastPass breach demonstrates that this approach carries catastrophic risk.
Nick Bax, director of analytics at cryptocurrency wallet recovery company Unciphered, conducted an independent analysis of the theft data and reached the same conclusion as Monahan. He described the investigation as one of the broadest and most complex cryptocurrency investigations he had ever encountered. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, creating a clear link between victims that would not exist if these were independent attacks.
The researchers identified a unique signature connecting all the thefts, including dramatic similarities in how victim funds were stolen and laundered through specific cryptocurrency exchanges. The attackers frequently grouped victims by sending their stolen cryptocurrencies to the same destination wallet, suggesting a single organized operation rather than multiple independent actors.
Tooling and Setup
For cryptocurrency users looking to properly secure their seed phrases, the gold standard remains offline storage. Hardware wallets such as those from Ledger or Trezor generate and store seed phrases entirely within the device’s secure element, never exposing them to the computer or internet. These devices typically cost between $60 and $200 and provide the highest level of security for everyday cryptocurrency users.
For those who must store seed phrases in physical form, the best practice is to write them on durable material, such as metal backup plates, and store them in a secure physical location like a safe or safety deposit box. Paper backups, while common, are vulnerable to fire, water damage, and physical deterioration over time. Several companies now offer specialized metal backup solutions that can withstand extreme conditions.
For users who have previously stored their seed phrases in LastPass or any other cloud-connected service, the immediate recommendation is to transfer all funds from wallets whose seed phrases were ever stored digitally to new wallets with freshly generated seed phrases that have never been exposed to any digital system. With Bitcoin trading around $25,753 and Ethereum at $1,632 in September 2023, even modest holdings could represent significant losses if compromised.
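Before migrating away from a cloud-connected vault, it helps to know which entries actually hold a seed phrase. As an added example (not code from the original article), this Python audit script runs over a CSV vault export and flags any cell containing 12 or more consecutive words from the BIP39 English wordlist, the list from which 12- and 24-word seed phrases are drawn. It assumes LastPass-style column names (`name`, `extra`) and uses a constructed stand-in for the 2048-word list.

```python
import csv
import io
import re

# Constructed stand-in for the 2048-word BIP39 English wordlist (assumption:
# load the real list from a file in practice; only membership tests are needed).
SAMPLE_WORDLIST = frozenset(
    "abandon ability able about above absent absorb abstract absurd abuse access "
    "accident account accuse achieve acid acoustic acquire across act action "
    "actor actress actual".split())

MIN_RUN = 12  # shortest valid mnemonic; 15..24-word phrases match as well
WORD_RE = re.compile(r"[A-Za-z]+")

def find_mnemonic_runs(text, wordlist=SAMPLE_WORDLIST):
    """Return maximal runs of >= MIN_RUN consecutive wordlist words in text."""
    runs, current = [], []
    for token in WORD_RE.findall(text):
        if token.lower() in wordlist:
            current.append(token.lower())
            continue
        if len(current) >= MIN_RUN:
            runs.append(current)
        current = []
    if len(current) >= MIN_RUN:
        runs.append(current)
    return runs

def scan_vault_export(csv_text, wordlist=SAMPLE_WORDLIST):
    """Scan every cell of a CSV vault export; report where phrases were found."""
    findings = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, cell in row.items():
            for run in find_mnemonic_runs(cell or "", wordlist):
                findings.append({"line": line_no, "entry": row.get("name", ""),
                                 "column": column, "words": len(run)})
    return findings

# Constructed sample export with LastPass-style column names (assumption).
SAMPLE_EXPORT = """url,username,password,extra,name
https://example.com,alice,Tr0ub4dor&3,,Example login
http://sn,,,"my wallet backup: abandon ability able about above absent absorb abstract absurd abuse access accident",Secure Note: wallet
http://sn,,,"abandon ability able about above absent absorb abstract absurd abuse access accident account accuse achieve acid acoustic acquire across act action actor actress actual",Secure Note: cold wallet
"""

if __name__ == "__main__":
    for f in scan_vault_export(SAMPLE_EXPORT):
        print(f"line {f['line']} {f['entry']!r} [{f['column']}]: {f['words']}-word phrase")
```

Every flagged entry marks a wallet whose funds should be moved to a freshly generated, offline-only seed, since the phrase has already existed in a synced vault.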
Ongoing Vigilance
The LastPass breach illustrates a broader principle: security is only as strong as its weakest link. As the cryptocurrency ecosystem matures and the value of digital assets continues to grow, attackers are increasingly targeting the infrastructure and services that surround blockchain networks rather than the networks themselves. Password managers, cloud storage services, email providers, and even browser extensions all represent potential vectors for seed phrase theft.
The researchers involved in this investigation have chosen not to publish the specific blockchain signature linking the thefts, as doing so could cause the attackers to alter their methods and become harder to track. However, they have published findings about the laundering techniques used, which frequently involve routing stolen funds through specific cryptocurrency exchanges.
Final Takeaway
The $35 million and counting stolen from LastPass users who stored their seed phrases in the password manager serves as a harsh but necessary lesson for the entire cryptocurrency community. No cloud-connected service, regardless of its encryption standards or security reputation, should be considered safe for storing the keys to your digital wealth. The gap between a password breach and total cryptocurrency loss can be measured in hours, not days. If your seed phrase has ever existed in a digital format connected to the internet, consider your funds at risk and take immediate action to secure them with a fresh, purely offline wallet setup.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.
Krebs and Taylor Monahan both confirming 150+ victims and $35M stolen. When two independent researchers reach the same conclusion, you know the real number is probably way higher.
A 12 or 24 word seed phrase gives complete irreversible access. There is no customer support to call, no chargeback to file. Once someone has those words your funds are gone forever.
No chargeback to file is the part most newcomers don't grasp. You lose your keys, the funds are gone forever. No help desk, no ticket, nothing.
Exactly this. 150+ victims and $35M gone because people trusted a password manager with their seed phrase. Metal plates exist for a reason.
Metal plates are great until your house floods or catches fire. Seed phrase storage needs a whole backup strategy, not just one method.
LastPass told 25 million users their data was encrypted and safe. Months later people are still losing everything. Class action when?
A class action won't recover stolen BTC. The damage is permanent and irreversible. This is why seed phrases should never touch cloud storage.