A multi-year cryptocurrency theft operation has been linked to Russian hackers who exploited vulnerabilities in LastPass. With access to stolen sensitive information, these cybercriminals managed to infiltrate around 30 million users’ secure vaults and pilfer over $35 million worth of crypto.
The scheme started in 2022 when the perpetrators breached LastPass, a platform widely used for storing passwords securely. Leveraging this data, they gained entry into the very cryptographic storage that LastPass is meant to safeguard. Even though these vaults were password-protected, reports indicate the criminals took systems offline to unlock them.
According to Blockmanity, many users depended on LastPass as their main security tool, resulting in some using weak master passwords like “password123.” The breach persisted through 2025, with periodic drainings of wallets suggesting the hackers successfully accessed numerous user accounts and stole thousands of dollars' worth of cryptocurrency each time.
An Increasing Vulnerability
For a long time, password managers were effective in thwarting hacking attempts. However, recent crypto heists illustrate that users must protect themselves at every stage. Had stronger master passwords been used, the hackers would have faced more difficulty.
“Users access password manager vaults using basic usernames and passwords,” stated Tracy Goldberg, Director of Cybersecurity at Javelin Strategy & Research. “Any account secured by traditional methods like username and password is becoming increasingly vulnerable, particularly when such credentials are stored in browsers’ history and autofills.”
“Compromised credentials can grant hackers access to all saved credentials within the password manager vault,” Goldberg explained. “This includes bypassing encryption if the same credentials are used in browser history and autofill data, making these areas attractive targets for malware, especially those categorized as infostealers.”
Slow-Motion Hacking
The breaches also underscore the extended timeline of such incidents. LastPass only discovered that parts of its source code and technical details had been stolen shortly after the 2022 breach. In response, it advised users to change their master passwords.
Despite these precautions, the thefts continued for three years. The stolen data provided the criminals with ample time to infiltrate crypto vaults.