On-chain researcher ZachXBT observed another wallet draining attack, spanning dozens of addresses. All of the seemingly random transfers were linked to the LastPass data breach, potentially exposing multiple wallets.
ZachXBT reported a total of $5.36 million taken from personal wallets containing Bitcoin and Ethereum assets. All the seemingly random addresses had one thing in common: they used LastPass to store and protect passwords. After a data leak in 2022, the list of wallets was found to be vulnerable.
ZachXBT also described the attackers as a cohesive entity, a “LastPass threat actor.” The attackers had a similar approach of draining wallets, then immediately swapping across Ethereum and Bitcoin spot exchanges. The attack affected multiple tokens, but the hackers were trying to streamline their holdings.
LastPass Victims Face Another Round of Wallet Attacks
It is clear that some wallet owners also stored private keys on the service, which resulted in direct access to the wallets being leaked. The actual attack happened long after the data leak, and there may be more wallets that were potentially exposed, but not yet drained.
The latest batch of drained wallets includes crypto influencers with ENS names, as well as DEX and DeFi. Despite their expertise, the exposed addresses have resulted in total losses. Automated wallets that receive funds or rewards from smart contracts are particularly at risk.
In one case, the funds received came from an OpenSea user, likely from an NFT sale. In this case, the recipient wallet may have been automated and already connected to an NFT marketplace. The wallet was drained shortly after, with the funds sent directly to an anonymous exchange.
Over 40 addresses have been drained in total so far. In some cases, the addresses show evidence of being monitored, as the drain occurred immediately after the recent deposit of funds. Some wallets received funds from exchanges for storage or as intermediate holdings, and were drained within a short period of time after the incoming transaction.
ZachXBT has already traced a previous batch of 22 addresses, with losses exceeding $6.2 million even in the early stages of the bull market. Other on-chain researchers have also sounded the alarm about potentially exposed wallets.
It's been two years since Bath sounded the alarm.
Since then we have investigated thousands of these thefts.
Including 2 more in the last few hours.
Please migrate your funds to new wallets if you are using LastPass.
Please tell your friends.
Please. I beg of you. 🙏 https://t.co/5xd5oYxbwb
- Tay 💖 (@tayvano_) December 16, 2024
The only solution for users is to abandon all potentially exposed wallets. The risks remain for anyone who used LastPass before the 2022 vulnerability occurred. All funds must be moved to new addresses, as old addresses are already monitored for incoming transactions.
The latest wallet attack follows a previous batch of wallets linked to LastPass data. In October 2023, a total of 25 wallets were drained of $4.4 million worth of cryptocurrency and tokens. As previously mentioned, some of the wallets held significant funds and were owned by cryptocurrency insiders, and even venture capital and DeFi developers.
The previous breach did not alert all wallet owners exposed to LastPass. ZachXBT previously reported that wallets were potentially compromised, though hackers were still able to attack more accounts.
Unlike other hacking attempts, the wallets were drained directly into the exchange accounts. This suggests that the hacker had full control and decided to trade the funds as a way to hide them. In one case, the wallet was worth 15 ETH, which was sent directly to the exchange address.
Another wallet lost 32 ETH, which was sent to the FixedFloat hot wallet. The exchange was used for other wallets as well. The exchange itself is not affected and is completely neutral to the hack. However, the DEX is a regular target for hackers, as it is used to transfer funds and cover tracks. Previously, analysts traced funds from the Rocket Pool attack to the same DEX.
FixedFloat offers a streamlined exchange service with relatively high fees, without the need for an account or KYC. The exchange itself was the target of hackers, when it was exploited in March for $26 million in ETH and BTC.