How I had 15k of Crypto Stolen due to the LastPass Data Breach

In 2021 I decided to leave my current job and started looking for something new to work on. The web3 hype train was in full effect and with my new free time I jumped aboard. I submersed myself to try and learn as much as I could about many of the technologies. I learned about the Ethereum Name Service (ENS) a domain name service built on the blockchain. I also was intrigued by the Interplanetary File System (IPFS) and decided to dive deeper and learn how to create a web3 website. After much time learning about these technologies and completing my project, I wrote an article on how I did it. I continued to devote quite a bit of time in the ENS community and learning about all the potential ways it could play a role in web3. ENS formalized the organization and hired several people. Shortly after they launched their own ENS coin. They rewarded many early supporters by gifting them coins. I was one of those people and received 614 ENS coins upon their launch.
One of the investments I made while researching web3 and crypto was in a company called BlockFi. They were offering a 9% interest rate on several crypto coins that included GUSD and USDC that were pegged to the dollar if you staked the coins with them. This meant that I would transfer the coins for them to hold much like a bank. This seemed like a good way to earn money in a less risky way than other crypto investments but you already know where this is heading. Then one day in November 2022 I saw a message on Twitter stating that BlockFi was freezing their customers funds. I panicked and tried to pull my funds out but it was too late. They would declare bankruptcy shortly after that.
Shortly after I became disillusioned with crypto and in turn web3 and planned to liquidate all assets and stop any involvement in the space. Around this same time I learned about a data breach with LastPass which was the service I used for managing my passwords. This was very concerning and I immediately changed all my critical account passwords. This included my Coinbase account for crypto but I didn’t make any changes to secure my Metamask crypto wallet which was here I was storing my ENS coins.
I had been monitoring the ENS coins value still sitting in my Metamask wallet. The coins had recently increased in value worth about $14k and I was considering selling them. I’ve been following the BlockFi bankruptcy proceedings through the former investors through a Reddit group. We learned that BlockFi was finally planning an initial disbursement of funds to bankruptcy creditors this year. It was nice to learn that we would be receiving some of our funds back. In March of 2024 (2 years since the bankruptcy) I received a little under 30% of the original coins I had given them. This included GUSD, Bitcoin and Ethereum. I transferred the GUSD and Bitcoin to my Coinbase account but sent ~$1k worth of Ethereum to my Metamask wallet which also contained my ENS coins. That evening I verified that the Ethereum was received in the wallet and went to sleep.
The next morning I went to check my Coinbase account to verify the funds transferred there. I then pulled up my Metamask wallet to check it again. When viewing the wallet I always saw the value based on the current prices of the coins it contained with the value displayed as $9.74. I checked again and my heart sunk. I thought there was a mistake. I checked again. It seemed to be correct. I started to panic. I went to check for transaction activity on the blockchain from my wallet which crypto makes publicly viewable and saw that there was strange activity. My ENS coins had been converted to Ethereum and then all of the Ethereum was transferred from my wallet to another one. I felt my heart starting to race, more panic set in, then shock set in. I knew my wallet had been compromised and all my funds were stolen and most likely were gone forever.
I reached out to Metamask support through chat and my issue was escalated to a support ticket. They reached out the next day and asked me to provide them with a log file which I generated from the wallet on my computer. I continued to feel numb about what happened to me but punched through the anguish by trying to understand what happened. How did my wallet get compromised? Why hadn’t the thieves stolen the valuable funds that were sitting there for over 2 years before the smaller Ethereum funds I transferred the night before. The likely answer to that question came from a friend who I reached out to. He told me that it’s common for compromised wallets to be monitored for activity of incoming funds before the thieves decide to drain them. I thought this might be the case but again the ENS coins were ~15x the value of the funds I added the night before. He said they often ignore less popular coins when they monitor wallets. Another thing he said is which was also confirmed by Metamask support is that by having the ability to swap my ENS coins from within my wallet to Ethereum meant that they had direct access. Again my mind began to try and think about how my wallet was compromised.
Not long after I learned about LastPass being compromised I made the decision to switch to another password manager. I tested out Bitwarden for a while which is free and open source and while it worked well I decided to switch to 1Password which offered more functionality that I wanted. After the theft I went into 1Password to check what data I had stored for MetaMask. When viewing the record I saw the familiar dialog that had been added to all records imported from LastPass with a warning stating the LastPass breach and the need to change the password to keep the data safe. I also realized I had stored my seed phrase for the MetaMask wallet in the notes section. It was at this point I realized that after learning about the breach and changing the passwords to all my critical accounts I neglected to make any changes to my MetaMask wallet. My heart sunk again. I know that storing my seed phrase as a note wasn’t the smartest thing to do, but this was in my password manager which I had a reasonable expectation of being pretty secure. I immediately knew this was how my wallet was compromised. I thought of another scenario explained to me about how I may have connected my wallet to a bad web3 app but in those cases they wouldn’t have had the ability to swap the ENS coins from within my wallet so having the seed phrase to my wallet is the only way this could have happened.

I began to dig deeper into the LastPass data breach to see if I could find any information related to Crypto. I quickly landed on this article that linked the LastPass security breach to a string of crypto heists. It was at this point I realized I had most likely just become another victim of the LastPass data breach. I continued to do more research and found several threads on Reddit about the theft from other victims. I came across this post which linked to an article with a detailed analysis of more than 150 victims. One commenter from the Reddit post summarized the analysis this way:
Wow. That’s a fucking smoking gun: 150 victims, well secured online profiles, and the only connection was everyone had once kept their seed phrase in LastPass + the thief sent all the crypto to the same account # (linking all victims together, each new found victim also used LastPass).
The article mentioned Taylor Monahan from Metamask who had been documenting the story as it continued to unfold and trying to heed warnings to others. I reached out to Taylor to see if I could get more information regarding the theft and anything else I should do. She provided additional tracing to identify where the funds were transferred and withdrawn from. She also shared a document created for LastPass users that became victims of crypto theft. The document also led me to report the theft by filing an IC3 (Internet Crime) report and also reported it to Chain Abuse.
As I come to terms with the theft, I find comfort in knowing that most of the stolen funds were a gift, which eases the pain somewhat. One silver lining on the BlockFi front is that they won a judgement against FTX and they have since re-imbursed me for the full amount of my claim at the time of bankruptcy. While a small amount of the crypto amount returned was based on it’s low value at the time of the bankruptcy, at least I’ve been made whole from that investment.
I read many posts from folks shaming victims like myself for being stupid for storing their seed phrases in LastPass. Hopefully folks are getting more diligent about understanding the security risks involved and learing how to secure assets better. I’m not sure how much this has improved since my involvement, but hopefully its gotten easier and more consumer friendly as the crypto world has been on a tear as of late and surely gaining another surge of potential victims.