On October 25th, 2023, LastPass, a widely used password manager, fell victim to a security breach. The breach had significant ramifications, affecting approximately 25 users whose assets were distributed across 80 wallets. This breach resulted in a staggering loss of approximately $4.4 million in various cryptocurrencies. Among the affected blockchain networks were Bitcoin, Ethereum, Binance Smart Chain, Polygon, Solana, Cardano, Litecoin, Arbitrum, and Avalanche.
The cyber attackers capitalized on vulnerabilities within the LastPass password management system, highlighting a distressing pattern of security breaches that have afflicted LastPass users since 2022. This latest incident adds to the tally of an estimated $35 million already stolen from users.
The LastPass breach granted unauthorized access to user accounts, leading to substantial financial repercussions for individuals who entrusted wallet keys to the application. Notably, the attackers homed in on seed phrases and wallet keys.
This saga began on August 8, 2022, when a hacker successfully infiltrated the corporate laptop of a LastPass software engineer. This breach provided the malicious actor with an entry point into the company's system, allowing them to exfiltrate portions of the source code, confidential technical documentation, and internal system secrets.
With this stolen information, the hacker managed to abscond with 14 of LastPass's 200 source code repositories. In the days that followed, the perpetrator escalated their activities, culminating in the pilfering of the entire LastPass customer database. This database contained sensitive data, including unencrypted account information, along with associated metadata and settings such as multi-factor authentication options.
At the time, LastPass reassured users that there was no evidence of the attackers gaining access to customer data or sensitive encrypted vaults. However, in December 2022, LastPass disclosed that the hackers had leveraged information from the initial breach in August to infiltrate their systems. This time, the attacker managed to make off with a copy of a partially encrypted customer vault data backup, which contained crucial information like website URLs, usernames, and passwords.
Merkle Science's Blockchain Forensics Tool 'Tracker' depicts the flow of funds
Merkle Science has taken immediate action to ensure that wallets associated with the LastPass hack have been tagged across all our tools. These tags show direct or indirect exposure to wallets involved in the theft.
Furthermore, our advanced blockchain forensics tool, 'Tracker,' is optimized for analyzing DeFi and smart contract transactions. It has a watchlist feature that promptly alerts users to any inbound or outbound fund transfers from the attacker's address. Additionally, our system covers over 22 distinct blockchains and additional L2 chains, facilitating comprehensive fund flow analysis for investigators.