On-chain researcher ZachXBT has noticed another wallet-draining attack, spanning dozens of addresses. The seemingly random hauls have all been connected to the Last Pass data breach, potentially exposing multiple wallets.
ZachXBT reported a total of $5.36M taken from personal wallets containing Bitcoin and assets from the Ethereum ecosystem. All the seemingly random addresses had one thing in common – using Last Pass as their password storage and protection. After a data leak in 2022, the list of wallets turned out to be compromised.
ZachXBT also identified the attackers as a cohesive entity, the ‘Last Pass threat actor’. The attackers had a similar approach of draining the wallets, then immediately swapped through instant exchanges for Ethereum and Bitcoin. The attack affected multiple tokens, but the hackers were trying to simplify their holdings.
Apparently, some of the wallet owners also stored private keys on the service, leaking direct access to the wallets. The actual attack happened long after the data leak, and there may be more wallets that are potentially exposed, but not drained yet.
The recent batch of drained wallets includes crypto influencers with ENS names, as well as active DEX and DeFi users. Despite being experienced, the exposed addresses led to total losses. Wallets automated to receive funds or rewards from smart contracts may be especially at risk.
In one of the cases, the funds received came from an OpenSea user, potentially from the sale of an NFT. In this case, the receiving wallet may be automated and already linked to the NFT marketplace. The wallet was drained soon after that, with the funds sent directly for an anonymous swap.
More than 40 addresses in total were drained to date. In some cases, the addresses show evidence of being watched, as the draining happened right after a recent deposit of funds. Some of the wallets received funds from exchanges for storage or as intermediate holding, and were drained within a short time after the incoming transaction.
ZachXBT had already tracked an earlier batch of 22 addresses, with losses exceeding $6.2M even at the earlier stage of the bull market. Other on-chain researchers have also sounded the alarm on potentially exposed wallets.
It’s been 2 years since Path sounded the alarm.
Since then we’ve investigated thousands of these thefts.
Including 2 more in the last few hours.
Please migrate your funds to fresh wallets if you’ve used LastPass.
Please tell your friends.
Please. Begging you. 🙏 https://t.co/5xd5oYxbwb
— Tay 💖 (@tayvano_) December 16, 2024
The only solution for users is to abandon all potentially exposed wallets. The risk remains for anyone using Last Pass before the exploit in 2022. All funds must be moved to new addresses, as the old ones are already monitored for incoming transactions.
The latest wallet attack follows a previous batch of wallets linked to Last Pass data. In October 2023, a total of 25 wallets were drained of $4.4M worth of digital coins and tokens. As previously reported, some of the wallets had substantial funds and belonged to crypto insiders, even VCs and DeFi developers.
The previous hack did not alert all wallet owners exposed to Last Pass. ZachXBT has previously warned about potentially exposed wallets, though the hackers still managed to attack more accounts.
Unlike other hacking attempts, the wallets were drained directly onto exchange accounts. This suggests the hacker had full control and decided to trade the funds as a way of concealing them. In one case, a wallet was drained of 15 ETH, which were sent directly to a swapping address.
Another wallet lost 32 ETH, which was sent to the FixedFloat hot wallet. The exchange was used for other wallets as well. The exchange itself is not affected and is completely neutral to the hack. However, the DEX is a regular target for hackers, used to transform funds and cover their tracks. Previously, analysts have tracked funds from an attack against Rocket Pool to the same DEX.
FixedFloat offers a simplified swap service with relatively high fees, without requiring an account or KYC. The exchange itself has been a target of hackers, when it was exploited in March for $26M in ETH and BTC.
Land a High-Paying Web3 Job in 90 Days: The Ultimate Roadmap