Krypto-Diebstahl-Angriffe mit LastPass-Datenleck von 2022 verknüpft – Die versteckten Kosten eines Passwort-Managers

Die Rechnung für ein altes Datenleck ist fällig – und Krypto-Besitzer zahlen sie.

Ein Jahrzehnt der digitalen Verwahrlosung

Die 2022 gehackten LastPass-Vaults verwandelten sich in eine Langzeit-Waffe. Angreifer nutzten die gestohlenen Passwörter und Seed-Phrasen nicht sofort. Sie warteten. Sie beobachteten. Dann schlugen sie zu – ein Master-Passwort öffnete nicht nur einen Tresor, sondern Dutzende von Krypto-Wallets.

Die Anatomie eines verzögerten Angriffs

Traditionelle Finanzdaten verlieren mit der Zeit an Wert. Krypto-Keys nicht. Die Diebe verstanden das fundamentale Prinzip der digitalen Vermögenswerte: Ein einmal kompromittierter Private Key bleibt für immer kompromittiert. Sie durchsuchten die geleakten Daten systematisch nach Wallet-Backups, verschlüsselten Notizen und Screenshots – die Art von nachlässiger Sicherheit, für die traditionelle Banken Compliance-Abteilungen unterhalten, die Krypto-Pioniere aber gerne umgehen.

Die Illusion der Sicherheit

LastPass verkaufte Verschlüsselung. Die Nutzer kauften Bequemlichkeit. Das Ergebnis? Ein Single Point of Failure, der sich über Jahre erstreckte. Während die FSA bei traditionellen Finanzinstituten Penetrationstests vorschreibt, vertrauten Krypto-Besitzer auf eine einzige Master-Passphrase – die digitale Entsprechung, alle Schlüssel an einem rostigen Haken aufzubewahren.

Ein Lehrstück in kryptografischer Hybris

Die Branche feiert Dezentralisierung, verlagert aber die gesamte Sicherheitslast auf den Endnutzer. Hardware-Wallets bleiben ungenutzt. Multi-Sig ist ‚zu kompliziert‘. Und so wird der nächste ATH nicht nur von Marktzyklen, sondern auch von den Nachwirkungen vergangener Leaks angetrieben – eine stille Steuer auf Nachlässigkeit, die direkt von den Wallet-Salden abgebucht wird. Die Ironie? Die gleichen Leute, die Zentralbanken misstrauen, vertrauten blind einem zentralisierten Passwort-Dienst. Das nennt man wohl selektive Dezentralisierung.

Cryptocurrency theft attacks linked to LastPass breach

During the breach, LastPass claimed that its vaults were encrypted. However, users with weak or reused master passwords were vulnerable to offline cracking, which TRM Labs believes has been ongoing since the breach occurred. “Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” warned LastPass when they disclosed the breach.

The LINK between the LastPass breaches and the cryptocurrency thefts was also confirmed by the United States Secret Service last year after the agency seized more than $23 million in crypto and said the attackers had obtained the private keys of their victims by decrypting vault data stolen in a password manager breach. Court filings also mentioned that there was no evidence that the victims’ devices had been compromised through malware or phishing.

In its report, TRM Labs connected the ongoing crypto theft to the abuse of the encrypted LastPass vaults stolen in 2022. Rather than the hackers moving swiftly to drain the entire wallets after the breach, the thefts have been carried out in waves, months or years after the incident occurred. It also shows that attackers have been gradually decrypting vaults and extracting stored credentials. In addition, the wallets were drained using similar transaction methods.

TRM Labs also mentioned that the method used during the breach showed that the hackers possessed the private keys before the thefts. “The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach,” TRM said. The platform noted that it created a scenario in which the wallet occurs in the future, rather than immediately after the breach happened.

TRM Labs highlights the use of Wasabi’s CoinJoin feature

The platform also mentioned that its research was initially based on a small number of reports, including several submissions made to Chainabuse, where users identified the LastPass breach as the method the hackers used to steal their wallets. The researchers increased their investigation, identifying cryptocurrency transaction behavior across other cases, eventually linking it to the data theft campaign.

TRM also added that it was able to trace funds even after the attackers mixed them using Wasabi wallet’s CoinJoin feature. CoinJoin is a Bitcoin privacy technique that includes all transactions from multiple users into a single transaction, making it harder to determine which input corresponds to which output. The feature obfuscates transactions without using a traditional mixing service.

After draining wallets, the hackers usually convert stolen assets to Bitcoin, route them through Wasabi Wallet, and attempt to hide their tracks using the feature. However, TRM mentioned that it was able to demix the Bitcoin sent using the CoinJoin feature by analyzing behavioral characteristics, such as transaction structure, timing, and wallet configuration choices. It was also able to match deposits with withdrawal patterns that matched the crypto theft.

Join a premium crypto trading community free for 30 days - normally $100/mo.