LastPass Vault Crypto Drain
A breach of LastPass encrypted vault backups led to a multi-year drain of victims storing seed phrases there; losses grew from $35M to over $400M.
- Date
- Victim: LastPass users
- Status
- Funds Stolen
On December 22, 2022, password manager LastPass disclosed that attackers had downloaded encrypted backups of roughly 30 million customer vaults in a breach earlier that year. The disclosure didn't make headlines as a crypto incident, but in the months and years that followed, wallets whose seed phrases had been stored in LastPass began being drained. The campaign has grown from over $35 million in initial public estimates to over $438 million by TRM Labs' 2025 analysis.
What happened
LastPass's August 2022 corporate breach gave attackers access to source code and internal documentation. A second breach in late 2022 — using credentials and information from the first — let attackers download backups of customer vaults, including the encrypted blobs containing every user's saved passwords, notes, and any seed phrases or private keys they had stored.
The vaults were encrypted with the user's master password. The attackers proceeded to brute-force the master passwords offline — a tractable attack for users with weak or moderate-strength passwords, given the computational resources available to organised cybercriminal groups.
For users who had stored crypto seed phrases or private keys in LastPass and whose master password fell to brute-force, the result was total loss of every crypto asset secured by those seeds. Notable attributed incidents include:
- January 30, 2024: ~$150 million in XRP stolen from wallets whose seeds were stored in LastPass.
- Multiple individual attacks ranging from tens of thousands to multi-million-dollar drains, spread across 2023-2025.
- At least $4.4M drained by a single attacker tracked by Unchained.
TRM Labs' December 2025 analysis estimated cumulative crypto losses attributable to the LastPass breach at over $438 million, with on-chain indicators suggesting the operation was conducted by Russian-aligned cybercriminal groups rather than state actors.
Aftermath
- LastPass agreed to a class-action settlement of up to $24.45M, including an $8.2M cash fund for general losses and a separate $16.25M crypto-loss pool for users whose crypto was stolen via stored seeds.
- Many affected users — particularly those with larger losses — have pursued separate civil litigation against LastPass.
- The incident drove industry-wide warnings against storing seed phrases in cloud-synchronised password managers.
Why it matters
The LastPass episode is the canonical case for why "encrypted backup" is not equivalent to "safe". The encryption is only as strong as the user's master password. For any meaningful percentage of users, that password is brute-forceable — and once the encrypted blob has been exfiltrated, the attacker has unlimited time to crack it offline.
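An added example, not part of the original write-up: a defender-side model of why "unlimited time offline" matters when sizing a master password. It assumes an iterated key-derivation function in which each guess costs `kdf_iterations` hashes; the attacker hash rate, iteration counts, time horizon and safety margin are assumed values, not figures from this page.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
DICEWARE_BITS_PER_WORD = math.log2(7776)  # standard Diceware list size

def bits_searchable(raw_hashes_per_second, kdf_iterations, years):
    """log2 of the guesses an offline attacker can try within `years`.

    Each password guess costs `kdf_iterations` hash invocations, so key
    stretching divides the attacker's raw hash rate by that factor.
    """
    guesses_per_second = raw_hashes_per_second / kdf_iterations
    return math.log2(guesses_per_second * years * SECONDS_PER_YEAR)

def random_secret_bits(symbols, alphabet_size):
    """Entropy of a secret drawn uniformly at random.

    Human-chosen passwords carry far less entropy than this upper bound.
    """
    return symbols * math.log2(alphabet_size)

def survives(entropy_bits, raw_hashes_per_second, kdf_iterations, years,
             margin_bits=10):
    """True if the secret stays out of reach with a safety margin (assumed)."""
    reach = bits_searchable(raw_hashes_per_second, kdf_iterations, years)
    return entropy_bits >= reach + margin_bits

def min_diceware_words(raw_hashes_per_second, kdf_iterations, years,
                       margin_bits=10):
    """Smallest random-word passphrase that survives the whole horizon."""
    need = bits_searchable(raw_hashes_per_second, kdf_iterations, years)
    return math.ceil((need + margin_bits) / DICEWARE_BITS_PER_WORD)

if __name__ == "__main__":
    RATE = 1e12   # assumed aggregate attacker rate, hashes per second
    YEARS = 3     # assumed horizon: the blob is stolen, so time is free
    for iters in (1, 100_000):  # assumed: no stretching vs. 100k iterations
        print(f"iterations={iters}: attacker reach "
              f"{bits_searchable(RATE, iters, YEARS):.1f} bits, "
              f"need {min_diceware_words(RATE, iters, YEARS)} Diceware words")
    for label, bits in (("8 random lowercase", random_secret_bits(8, 26)),
                        ("12 random printable", random_secret_bits(12, 94))):
        verdict = "survives" if survives(bits, RATE, 100_000, YEARS) else "falls"
        print(f"{label}: {bits:.1f} bits -> {verdict}")
```

Lengthening the horizon raises the attacker's reach by only one bit per doubling of time, so the margin has to come from the secret's own entropy rather than from hoping the attacker gives up.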
The structural lessons:
- Seed phrases belong in a system that does not have a copy stored offsite, ever: hardware wallets, paper backups in physically secure storage, or dedicated cold-storage devices.
- Cloud-synchronised password managers are convenient for passwords, not for seeds. The threat model of a stolen-encrypted-vault attack is different.
- The damage from a security-vendor breach can take years to fully manifest. LastPass's August 2022 disclosure became a December 2022 disclosure, which became a March 2024 $150M XRP heist, which became a 2025 $438M cumulative attribution. The breach is still draining victims as of this writing.
The cost of underestimating these risks is, by now, well-quantified in the on-chain record.
Sources & on-chain evidence
- [01] en.wikipedia.org: https://en.wikipedia.org/wiki/2022_LastPass_data_breach
- [02] bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/
- [03] trmlabs.com: https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement