
U.S. law enforcement authorities have seized over $23 million in cryptocurrency stolen during the January 2024 attack on a Ripple wallet. The investigation revealed that the perpetrators behind the breach were the same hackers responsible for the 2022 LastPass compromise, which granted them access to users’ encrypted data.
Despite the attackers’ attempts to obscure their tracks, federal agents successfully traced $23,604,815 of the stolen digital assets. The funds moved through various cryptocurrency exchanges—including OKX, Kraken, WhiteBIT, AscendEX, FixedFloat, SwapSpace, and CoinRabbit—between June 2024 and February 2025.
According to the forfeiture lawsuit filed by the U.S. Department of Justice, stolen data from the LastPass breach played a pivotal role in the crime. The hackers managed to decrypt credentials stored within the password manager, enabling them to access victims’ crypto wallets and other sensitive information. Investigators determined that the victims’ devices had not been directly compromised, reinforcing the theory that the breach stemmed from decrypted LastPass data.
The document further notes that the scale of the attack and the rapid movement of funds suggest the involvement of multiple perpetrators. The operation closely mirrors other cryptocurrency thefts executed through password manager breaches. Based on these findings, authorities concluded that the stolen funds are linked to the same group responsible for attacking LastPass and other crypto asset holders.
While the documents did not explicitly name the password manager in question, they referenced two major data leaks in 2022—dates that align with LastPass’s public disclosures of security incidents in August and November of that year. During those breaches, hackers obtained source code, technical information, and encrypted user vaults.
Following the leaks, cybersecurity experts repeatedly warned that the stolen encrypted data could eventually be decrypted by hackers, with compromised keys used to target cryptocurrency owners.
The details of the case closely align with the $150 million cryptocurrency heist from the wallet of Ripple co-founder Chris Larsen, which came to light on January 31, 2024. Crypto fraud investigator ZachXBT confirmed that the seized $23 million is linked to this incident, asserting that the theft was made possible because the private keys had been stored in LastPass.
In response to the news, LastPass issued a statement emphasizing that it had cooperated with law enforcement since the breach was discovered in 2022. However, the company maintained that investigators lack definitive evidence directly linking the LastPass breach to the cryptocurrency thefts. LastPass said that it continues to strengthen its security measures.