Hack of LastPass in 2022 led to massive theft of XRP, now worth nearly $700 million
Whistleblower says Meta was willing to allow China to oversee all Facebook content, White House eyes DeepSeek ban, Commands in Chinese-made ESP32 microchip could lead to attacks, Terrorgram network caused two murders in Slovakia, Cyber incident exposed 18K NTT corporate customers' data, much more


According to a forfeiture complaint filed by US law enforcement and surfaced by crypto investigator ZachXBT, the January 2024 theft of 283 million XRP, now worth $683 million, from Ripple co-founder Chris Larsen's personal accounts has been linked to the 2022 breach of the password manager LastPass.
The investigator shared a screenshot of the forfeiture complaint in his Telegram channel on March 7, claiming the theft “was the result of storing private keys in LastPass. Until now, Chris Larsen had not publicly disclosed the cause of the theft.”
According to the complaint, Larsen's private keys had been stored in the online password manager before he later deleted them. The password manager was enabled on four devices and protected by a long, unique master password.
LastPass suffered two linked breaches in 2022, one in August and one in November. In the second, the attackers used access gained in the first to obtain backup copies of customers' encrypted vault data; in those vaults the site URLs were stored in cleartext, while passwords and secure notes were encrypted with a key derived from the user's master password. That is the caveat for anyone keeping high-value secrets in a hosted vault: once a copy of the vault is in an attacker's hands, the master password and the key-derivation work factor are all that protect its contents, and the guessing can proceed offline for as long as the attacker cares to spend. According to the US Federal Bureau of Investigation, which investigated the case, the compromised data was used to steal cryptocurrency, among other things.
Storing private keys or seed phrases online anywhere is a risky practice. The usual advice is to write them down and keep them in a safe, or on an offline medium such as a USB drive that stays disconnected. Users can also split a seed phrase across several locations, with one caveat: cutting the words into plain fragments is weaker than it looks, because each fragment that is found removes most of the guessing work for the rest. A threshold scheme such as Shamir secret sharing, which SLIP-39 standardises for wallet seeds, splits the secret so that any set of shares below the threshold reveals nothing about it. (Christopher Tepedino / Cointelegraph)
Related: Krebs on Security, Forbes, CoinDesk, Crypto Briefing, CryptoSlate, Cryptopolitan, Protos, crypto.news, Hacker News (ycombinator)
According to a new whistleblower complaint from Sarah Wynn-Williams, a former global policy director at Meta, the company was willing to go to extreme lengths to censor content and shut down political dissent in a failed attempt to win the approval of the Chinese Communist Party and bring Facebook to millions of internet users in China.
Wynn-Williams, who worked on a team handling China policy, alleges that the social media giant so desperately wanted to enter the lucrative China market that it was willing to allow the ruling party to oversee all social media content appearing in the country and quash dissenting opinions.
Meta, then called Facebook, developed a censorship system for China in 2015 and planned to install a “chief editor” who would decide what content to remove and could shut down the entire site during times of “social unrest,” according to a copy of the 78-page complaint exclusively seen by The Washington Post.
Meta chief executive Mark Zuckerberg also agreed to crack down on the account of a high-profile Chinese dissident living in the United States following pressure from a high-ranking Chinese official the company hoped would help them enter China, according to the complaint, which was filed in April to the Securities and Exchange Commission.
According to the complaint, Meta executives repeatedly “stonewalled and provided nonresponsive or misleading information” to investors and American regulators when asked about its efforts to enter China.
Wynn-Williams bolstered her SEC complaint with internal Meta documents about the company’s plans. She was fired in 2017 and is scheduled to release a memoir this week documenting her time at the company, “Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism.”
Meta disputes the whistleblower's account. "This is all pushed by an employee terminated eight years ago for poor performance. We do not operate our services in China today. It is no secret we were once interested in doing so as part of Facebook's effort to connect the world. This was widely reported beginning a decade ago. We ultimately opted not to go through with the ideas we'd explored, which Mark Zuckerberg announced in 2019," a Meta spokesperson said. (Naomi Nix / The Washington Post and AJ Dellinger / Gizmodo)
Related: Slashdot, Times of India
Sources say the White House is considering measures to restrict Chinese artificial intelligence upstart DeepSeek, including banning its chatbot from government devices because of national security concerns.
According to the sources, US officials are worried about DeepSeek’s handling of user data, which the Chinese company says it stores on Chinese servers. Officials also believe DeepSeek hasn’t sufficiently explained how it uses the data it collects and who has access to it.
The sources said the Trump administration is likely to adopt a rule barring people from downloading DeepSeek’s chatbot app onto US government devices.
People close to the matter said officials are also considering two other possible moves: banning the DeepSeek app from US app stores and limiting how US-based cloud service providers could offer DeepSeek’s AI models to their customers. They cautioned that discussions about these two moves were still at an early stage. (Liza Lin, Amrith Ramkumar, and Raffaele Huang / Wall Street Journal)
Related: Reuters, Techzine, Israel Hayom, Silicon Angle, Android Headlines
Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security discovered that the ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and shipped in more than a billion devices as of 2023, contains undocumented commands that could be leveraged for attacks.
The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
Tarlogic said, "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls."
The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.
Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections.
This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.
In general, though, the more realistic attack path is an adversary with physical access to the device's USB or UART interface, through which HCI commands can be issued to the controller directly.
The researchers presented their findings at RootedCON in Madrid. (Bill Toulas / Bleeping Computer)
Related: Tarlogic Security, CHERIoT Platform
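Since the commands in question are HCI commands, the host side of the link is where a defender can see them. The following is an added example (not Tarlogic's or Espressif's code) that decodes an H4-framed HCI command stream and flags anything in the vendor-specific opcode group, OGF 0x3F, which the Bluetooth Core specification reserves for manufacturer commands. The opcodes in the sample capture are two standard commands plus one made-up vendor opcode; none of them is an ESP32 identifier, and the function names are this example's own.

```python
# Added example: parse H4-framed HCI commands and flag vendor-specific ones.
# Layout of one H4 command packet: 0x01 | opcode (16-bit LE) | param length | params
# where opcode = (OGF << 10) | OCF. Vendor commands use OGF 0x3F (opcodes 0xFC00-0xFFFF).

H4_COMMAND_INDICATOR = 0x01   # H4 packet type byte for HCI commands on UART/USB
OGF_VENDOR_SPECIFIC = 0x3F    # reserved by the Bluetooth Core spec for vendor commands

def parse_h4_commands(stream: bytes) -> list:
    """Return [(opcode, ogf, ocf, params)] for every command packet in `stream`."""
    cmds, i = [], 0
    while i < len(stream):
        if stream[i] != H4_COMMAND_INDICATOR:
            raise ValueError(f"unexpected H4 indicator 0x{stream[i]:02x} at offset {i}")
        if i + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode = int.from_bytes(stream[i + 1:i + 3], "little")
        plen = stream[i + 3]
        params = stream[i + 4:i + 4 + plen]
        if len(params) != plen:
            raise ValueError(f"truncated parameters for opcode 0x{opcode:04x}")
        cmds.append((opcode, opcode >> 10, opcode & 0x3FF, params))
        i += 4 + plen
    return cmds

def vendor_commands(stream: bytes, allowlist=frozenset()) -> list:
    """Commands in the vendor-specific OGF that are not explicitly allow-listed."""
    return [c for c in parse_h4_commands(stream)
            if c[1] == OGF_VENDOR_SPECIFIC and c[0] not in allowlist]

# Constructed capture: HCI_Reset (opcode 0x0C03), HCI_Read_BD_ADDR (0x1009),
# then a made-up vendor command with OCF 0x123 (opcode 0xFD23) and two param bytes.
SAMPLE_STREAM = bytes.fromhex("01030c00" "01091000" "0123fd02aabb")

if __name__ == "__main__":
    for opcode, ogf, ocf, params in parse_h4_commands(SAMPLE_STREAM):
        tag = "VENDOR" if ogf == OGF_VENDOR_SPECIFIC else "std"
        print(f"{tag:6} opcode=0x{opcode:04x} ogf=0x{ogf:02x} ocf=0x{ocf:03x} params={params.hex()}")
```

On Linux the same packets can be captured from a live adapter with btmon and fed to the parser. The check only helps against software on the host that talks to the controller; as the article notes, an attacker with the UART or USB lines in hand is past any host-side filter.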

A collaborative investigation from FRONTLINE and ProPublica reports that a group of Neo-Nazi influencers on the social media platform Telegram called Terrorgram created a network of chats and channels where they stoked racist, antisemitic, and homophobic hate.
The group targeted a teenager in Slovakia, Juraj Krajčík, and groomed him for three years before he killed two people at an LGBTQ+ bar.
The story of Krajčík’s march to violence shows the murderous reach of the online extremists, who operated outside the view of local law enforcement. To police at the time, the killings seemed like the act of a lone gunman rather than what they were: the culmination of a coordinated recruiting effort that spanned two continents. (A.C. Thompson, ProPublica and FRONTLINE, James Bandler, ProPublica, and Lukáš Diko, Investigative Center of Jan Kuciak / ProPublica)
Related: PBS
Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
The data breach was discovered on February 5, 2025, but the exact date when the hackers gained initial access to NTT's systems has yet to be determined.
However, its investigation revealed on February 15 that the attackers had pivoted to another NTT network device. This device was promptly disconnected to prevent further lateral movement, and the firm is now confident that the threat has been fully contained.
NTT has made it clear that it will not send personalized notifications to impacted customers, so the public announcement on its website will remain the sole notice.
NTT says hackers breached its 'Order Information Distribution System,' which held details on 17,891 corporate customers (companies), but no data on personal customers (consumers). (Bill Toulas / Bleeping Computer)
Related: NTT, The420, TechCrunch, Security Affairs, Security Week, Teiss
Chicago Public Schools and law enforcement are investigating a data breach at Cleo, a file transfer software vendor used by the school district, that exposed current and former students' personal information.
CPS said the data breach affected roughly 700,000 students dating back to the 2017-18 school year. Students’ names, dates of birth, genders, and CPS student ID numbers were accessed. Students enrolled in Medicaid also had their Medicaid ID numbers and dates of eligibility exposed.
CPS said that Social Security numbers and financial and health information were not exposed in the breach.
“At this time, there is no evidence to suggest that any student data has been misused. No staff information was involved in this incident,” CPS said. (Chicago Sun-Times Wire)
Related: ABC7 Chicago, Chicago Tribune, WGN, Chalkbeat, NBC5 Chicago, Teiss, Hoodline
Israeli newspaper Haaretz reported that the identities and addresses of thousands of Israeli gun owners have been leaked online following a hack carried out by Iranians in February.
The newspaper says the leak could threaten some 10,000 people who could be targeted by criminal elements seeking to obtain the weapons.
The report says over 100,000 files were stolen from various sources, including the police, the National Security Ministry, and private security firms. Police have said their systems were not breached, and Haaretz said it was unclear where the files were taken from. (Times of Israel)
Related: Haaretz, The Jewish Press, Sri Lanka Guardian, Quds News Network, Tasnim
The US Justice Department announced that software developer Davis Lu was found guilty of sabotaging his ex-employer's systems by running custom malware and installing a "kill switch" after the company demoted him.
Lu was a software developer for an Ohio company, reportedly Eaton Corp, from November 2007 to October 2019.
Eaton Corporation is a global power management company that provides electrical, hydraulic, and mechanical solutions for various industries.
Following a corporate restructuring in 2018 that stripped him of responsibilities and system access, Lu planted custom malware and kill switches on the company's computer systems and network, the jury found.
The malicious activities included code that ran in an "infinite loop," exhausting a production server's resources and eventually causing the system to crash and prevent user logins. These infinite loops were designed to exhaust Java threads by repeatedly generating new threads without proper termination.
According to Lu's indictment, Lu also deleted coworkers' user profiles and implemented a "kill switch" that would lock out all users if his account in the company's Windows Active Directory was disabled. The "kill switch" code, named "IsDLEnabledinAD," was an abbreviation of "Is Davis Lu enabled in Active Directory?"
This kill switch was automatically triggered when Lu was terminated on September 9, 2019, causing thousands of employees to lose access to systems.
A jury convicted Lu of causing intentional damage to protected computers, a charge that carries a maximum penalty of 10 years in prison. A sentencing date has not been set. (Lawrence Abrams / Bleeping Computer)
Related: Justice Department, The Register, Cleveland.com, GBHackers, Mahoning Matters, Gigazine, Tech Times
US cities are warning of an ongoing mobile phishing campaign in which texts impersonating the city's parking violation department claim that an unpaid parking invoice will incur an additional $35 fine per day.
While parking scams have existed for years, a massive wave of phishing text messages has caused numerous cities throughout the US to issue warnings, including Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, San Francisco, and many others.
The current wave of texts started last December and has continued since. The same phishing template is used in texts about unpaid parking invoices across the cities. (Lawrence Abrams / Bleeping Computer)
Related: amNew York, WMAR Baltimore, Eye on Annapolis, Greenwich Time, CBS8, Boston.com

Misinformation tracking firm NewsGuard reports that a Moscow-based propaganda network named “Pravda” has systematically infiltrated artificial intelligence (AI) systems worldwide, embedding Russian disinformation into leading generative AI tools.
An audit performed by NewsGuard found that AI chatbots repeated false claims from the pro-Kremlin Pravda network 33% of the time, demonstrating a significant vulnerability in AI models’ ability to filter out misleading content.
Unlike traditional disinformation campaigns that target human audiences, the Pravda network appears to be optimized to manipulate AI chatbots. By flooding search engines with fabricated narratives and false claims, the network ensures that AI models trained on publicly available data absorb and reproduce Kremlin-backed disinformation.
NewsGuard’s investigation examined ten leading AI chatbots, including OpenAI’s ChatGPT-4o, Google’s Gemini, Microsoft’s Copilot, Meta AI, and xAI’s Grok. When tested on 15 specific false narratives, these AI systems not only repeated the misinformation but, in some cases, directly cited Pravda network sources as legitimate news outlets.
The Pravda network produced 3.6 million articles in 2024 alone and operates across 150 domains in multiple languages, targeting 49 countries. While its websites receive minimal direct human traffic, its primary goal appears to be influencing AI models rather than building an organic readership. (Inna Chefranova / EU Today)
Related: NewsGuard, The New Voice of Ukraine

The NHS is looking into claims made by an IT whistleblower that a private healthcare provider's security failures left patient data vulnerable.
An application programming interface (API) security flaw exposed the personal details of NHS patients referred to virtual healthcare provider Medefer.
There is no evidence that data was compromised and the vulnerability has been fixed, but Medefer admitted the API security flaw left data vulnerable to a targeted attack.
Medefer offers patients online appointments through the NHS’s e-referral system (e-RS). When a patient is referred to Medefer, the firm receives patient data from e-RS or the NHS Spine to make it available to medics, who provide online consultations.
The healthcare provider said it had appointed an independent security firm to investigate the flaw and external counsel to advise on the situation, but it did not say when.
The security hole in the Medefer API, discovered in November 2024, meant that data on Medefer’s internal patient record system, which contains data from the NHS, could have been accessed without requiring authentication via the API.
Medefer CEO and NHS consultant doctor Bahman Nedjat-Shokouhi said the problem was fixed within 48 hours of being discovered, but he admitted to not knowing how long the vulnerability existed.
He said the exposed data was not full medical records but admitted it included names, addresses, NHS numbers, and some doctors' notes.
The whistleblower, a software testing contractor, reported the security hole in the private company’s systems to its management while working for the company. He said he believed the problem had existed for at least six years. (Karl Flinders / ComputerWeekly)
Related: BBC News, Teiss, SC Magazine UK
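The Medefer flaw as described is the simplest API failure there is: an endpoint that returns records to anyone who knows the URL. As an added example (not Medefer's code; the endpoint path, token and record are constructed for this page), the following stands up a tiny patient-lookup API in two variants, one with no authentication and one that refuses requests lacking a bearer token, and runs the no-credentials probe an external tester would use against each. It binds only to loopback and needs no network access.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Added example, not Medefer's code. Everything below (path, token, record) is
# constructed; the bearer-token scheme is an assumption about how such an API
# might authenticate, chosen for simplicity.

API_TOKEN = "example-token"   # assumption: static bearer token for the demo
PATIENT_PREFIX = "/api/patients/"
RECORDS = {                   # constructed sample record, not real NHS data
    "1234567890": {"name": "Test Patient", "nhs_number": "1234567890",
                   "notes": "constructed sample note"},
}

def make_handler(require_auth: bool):
    """Build a request handler; require_auth=False reproduces the flaw class."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):   # keep the demo quiet
            pass

        def do_GET(self):
            # Hardened variant: reject before looking at the path, so an
            # unauthenticated caller cannot even enumerate valid record IDs.
            if require_auth and self.headers.get("Authorization") != f"Bearer {API_TOKEN}":
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            key = self.path[len(PATIENT_PREFIX):] if self.path.startswith(PATIENT_PREFIX) else None
            if key in RECORDS:
                body = json.dumps(RECORDS[key]).encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(404)
                self.end_headers()
    return Handler

def probe_unauthenticated(base_url: str, paths: list) -> list:
    """Return the paths that hand data to a caller presenting no credentials."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    exposed = []
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=5) as resp:
                if resp.status == 200 and resp.read():
                    exposed.append(path)
        except urllib.error.HTTPError:
            pass   # 401/403/404 is the answer we want to see
    return exposed

def run_check(require_auth: bool) -> list:
    """Serve the API on a loopback port, probe it, shut it down, report exposures."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return probe_unauthenticated(base, [PATIENT_PREFIX + "1234567890",
                                            PATIENT_PREFIX + "0000000000"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("vulnerable API exposes:", run_check(require_auth=False))
    print("hardened API exposes:  ", run_check(require_auth=True))
```

The probe is the check to keep in a release pipeline: every data-bearing route is called with no credentials, and any 200 with a body fails the build. Note that the hardened handler answers 401 for unknown IDs as well as known ones, so an attacker cannot use the unauthenticated 404-versus-401 difference to confirm which NHS numbers exist.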
Decentralized exchange aggregator 1inch successfully recovered most of the $5 million stolen in a recent exploit after negotiating a bug bounty agreement with the attacker.
On March 5, 1inch identified a vulnerability affecting resolvers, independent entities that fill orders using the outdated Fusion v1 implementation. A day later, it made the vulnerability public.
On March 7, blockchain security firm SlowMist found, through an on-chain investigation, that the 1inch hacker stole 2.4 million USDC and 1,276 Wrapped Ether (WETH) tokens.
According to 1inch, the hack stole funds only from resolvers using Fusion v1 in their own contracts, and end-user funds were safe.
Following the exploit, 1inch and the affected resolver directly negotiated with the hacker to recover the stolen funds. Discussions centered on a bug bounty agreement, a practice where attackers return stolen assets in exchange for a portion of the funds as a reward for identifying vulnerabilities.
The attacker agreed to return the majority of the stolen funds, keeping only the agreed-upon bounty amount. (Arijit Sarkar / Cointelegraph)
Related: Bitcoinist, BeInCrypto, Tron Weekly, Coinpedia, FinanceFeeds
Enisa, the EU’s leading security agency, has warned that six critical infrastructure (CNI) sectors are struggling to comply with the NIS2 directive.
The directive was created in response to mounting threats to CNI across the region, mandating a strict new set of baseline cybersecurity requirements.
Enisa said IT service management, space, public administration, maritime, health and gas are all “within the NIS360 risk zone.”
Enisa also pointed out that the digital infrastructure sector, which includes critical services like internet exchanges, top-level domains, data centers, and cloud services, is “a step below in terms of maturity.” (Phil Muncaster / Infosecurity Magazine)
Related: Enisa, Industrial Cyber
Google said that in 2024, it had “awarded just shy of $12 million to over 600 researchers based in countries around the globe.”
Regarding mobile security issues, Google now offers up to $300,000 for “critical vulnerabilities in top-tier apps.” At the same time, the Cloud program has a maximum payout of $151,515, and Chrome bounties peak at $250,000.
The Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program awarded hackers more than $3.3 million in bounties in 2024. The number of vulnerabilities found decreased by 8%, but those considered critical and high severity increased by 2%. (Davey Winder / Forbes)
Related: Google Security Blog

The US Justice Department announced that Steven Hale, a Tennessee man, was arrested on charges of stealing Blu-rays and DVDs from a manufacturing and distribution company used by major movie studios and sharing them online before the movies' scheduled release dates.
Hale worked at the DVD company and allegedly stole "numerous 'pre-release' DVDs and Blu-rays" between February 2021 and March 2022. He then allegedly "ripped" the movies, "bypassing encryption that prevents unauthorized copying," and shared copies widely online. The DOJ alleged that he also sold the stolen discs on e-commerce sites.
Hale has been charged with "two counts of criminal copyright infringement and one count of interstate transportation of stolen goods." He faces a maximum sentence of five years for the former and 10 years for the latter.
Among the blockbuster movies Hale is accused of stealing are Dune, F9: The Fast Saga, Venom: Let There Be Carnage, Godzilla vs. Kong, and, perhaps most notably, Spider-Man: No Way Home.
The DOJ claimed that "copies of Spider-Man: No Way Home were downloaded tens of millions of times, with an estimated loss to the copyright owner of tens of millions of dollars." (Ashley Belanger / Ars Technica)
Related: Justice Department, USA Today, WREG, Fortune
Donald Trump said that his administration was in touch with four different groups about the sale of the Chinese-owned social media platform TikTok and that all options were good.
TikTok's fate has been up in the air since a law requiring its owner, ByteDance, to either sell it on national security grounds or face a ban took effect on January 19. After taking office on January 20, Trump signed an executive order seeking to delay by 75 days the enforcement of the law. (Gram Slattery / Reuters)
Related: Reuters, Fortune, The Information, The Week, Tech in Asia, Bloomberg Law, The North West Star, WCPO 9 Cincinnati, KCRG-TV
Best Thing of the Day: Giving More Power to the ONCD
Experts say the Office of the National Cyber Director (ONCD) is poised to become a stronger force in the second Trump administration and will finally operate as the executive branch cybersecurity policy lead that Congress envisioned when establishing it in 2021.
Worst Thing of the Day: We Don't Need No Stinking Secure Elections Anyway
Not only has the Cybersecurity and Infrastructure Security Agency (CISA) kept hidden a comprehensive review of its election security mission, but also the nonprofit Center for Internet Security, which manages the federally funded Election Infrastructure Information Sharing and Analysis Center, said that “due to the termination of funding by the Department of Homeland Security, the Center for Internet Security no longer supports the EI [Elections Infrastructure]-ISAC.”
Closing Thought
