A $150 million theft targeting Ripple co-founder Chris Larsen has been traced back to a security lapse involving the password manager LastPass, according to a forfeiture complaint filed by U.S. law enforcement on March 6 and flagged by blockchain sleuth ZachXBT.
The complaint revealed that Larsen’s private keys—essentially the code necessary to access one’s cryptocurrency holdings—were stored in LastPass, a widely used password manager that experienced a significant breach in 2022.
In that incident, hackers compromised a developer’s account, allowing them to steal source code and technical data. By November 2022, they leveraged their access to infiltrate a cloud storage system, which resulted in the theft of encrypted customer password vaults and unencrypted metadata affecting an estimated 25 million users.
While the ‘vaults’ were encrypted, the presence of weak or reused master passwords presented an opportunity for attackers to brute-force their way in, eventually exposing sensitive stored data.
By exploiting this weakness, hackers managed to access Larsen’s keys and siphon off XRP valued at $150 million at the time of the theft. At recent market prices, that amount had surged to over $600 million.
“A forfeiture complaint filed yesterday by U.S. law enforcement revealed the cause for the ~$150M (283M XRP) hack of Ripple co-founder, Chris Larsen’s wallet in January 2024 was the result of storing private keys in LastPass (password manager which was hacked in 2022),” ZachXBT noted on his Telegram channel.
Until now, Chris Larsen had not publicly disclosed the particulars surrounding the theft. He confirmed the incident in January, clarifying that the hack was confined to his personal accounts and did not extend to Ripple’s corporate wallets. He has yet to publicly comment on the forfeiture notice.
The fallout from the 2022 LastPass breach continues to be felt throughout the crypto ecosystem. In December, The Security Alliance (SEAL), a consortium of cybersecurity experts focusing on the cryptocurrency market, estimated that losses linked to the breach had escalated to at least $250 million as of May 2024.