A $150 million theft targeting Ripple co-founder Chris Larsen has been traced back to a security lapse involving the password manager LastPass, according to a forfeiture complaint filed by U.S. law enforcement on March 6 flagged by blockchain sleuth ZachXBT.
ZachXBT shared that the complaint detailed how Larsen’s private keys — or code to access one’s token holdings — were stored in LastPass, the widely used password manager that suffered a major breach in 2022.
At the time, hackers stole source code and technical data by compromising a developer’s account. By November of that year, they used this access to infiltrate a cloud storage system, stealing encrypted customer password vaults and unencrypted metadata for an estimated 25 million users.
Although ‘vaults’ were encrypted, weak or reused master passwords could be brute-forced, exposing stored data.
Hackers exploited this vulnerability, accessing Larsen’s keys and siphoning off the XRP, valued at $150 million at the time of the theft and over $600 million as of Saturday’s prices.
“A forfeiture complaint filed yesterday by US law enforcement revealed the cause for the ~$150M (283M XRP) hack of Ripple co-founder, Chris Larsen’s wallet in Jan 2024 was the result of storing private keys in LastPass (password manager which was hacked in 2022),” ZachXBT wrote on his Telegram channel.
“Up to this point Chris Larsen had not publicly disclosed the cause of the theft,” he added.
Larsen confirmed the incident in January, where he clarified the hack affected only his personal accounts, not Ripple’s corporate wallets. He is yet to publicly comment on the forfeiture notice.
The fallout from the 2022 LastPass hack has been extensive and remain ongoing. In December, The Security Alliance (SEAL), a team of cybersecurity experts focused on the crypto market, estimated that crypto losses connected to the breach had touched at least $250 million as of May 2024.