Over the last 10 months, more than 100 seemingly secure crypto wallets—many held by high profile, tech-savvy members of the crypto community—have been drained of tens of millions of dollars’ worth of cryptocurrency, without any clear indication how. Now, the answer is becoming clearer: The thefts appear to be due to a hack of LastPass, the password management company. For months, the seamless and consistently repeated attacks baffled security experts, who couldn’t figure out how to stop the theft. Victims did not appear to be falling for scams, or doing anything online for that matter, that risked exposing their private information. Besides, it turned out, prioritizing wallet security. On-chain researchers have since concluded—as the attacks continue to persist monthly—that the hacker in question is likely accessing victims’ funds by using wallet passwords and seed phrases exposed during a hack, last winter, into password manager LastPass. Since that hack, passwords obtained from the computer security service have reportedly led to the theft of at least $39 million worth of crypto, and counting. Just last week, the hacker made off with another $4.4 million in crypto, in what experts have identified as another attack that traces back to LastPass. Taylor Monahan, a lead product manager at MetaMask, first promulgated theories about the mystery hacks’ potential origins in April, back when the attacks had only netted about $10 million in stolen crypto. Since then, Monahan and other blockchain analysts have identified LastPass as the apparent common thread connecting victims of the hacks. In the interim, however, the hacker has continued to drain supposedly secure wallets of millions upon millions of dollars’ worth of crypto. Monahan, along with other on-chain sleuths like the pseudonymous blockchain analyst ZachXBT, have implored crypto users to immediately migrate their assets if they ever, even for a brief period, used LastPass to store their wallet seed phrases or keys. As the attacks continue with no end in sight, Monahan has publicly recounted the stories of numerous friends and associates who—upon news of the hacks—considered changing wallets but didn’t move fast enough, only to be targeted by the hacker themselves. Of particular note in the unfolding controversy are statements made by LastPass regarding the severity of the hack that infiltrated the company’s stores of private user data late last year. At first, LastPass insisted that the hack did not expose users’ stored passwords, but advised changing those passwords anyway out of an abundance of caution. The company eventually conceded that the hacker was able to access the LastPass corporate vault, which contains ample private user information—but maintained that these breaches still did not necessarily compromise users’ master passwords or other keys. Analysts who researched the spate of recent crypto heists reportedly tied to the LastPass hack have taken particular issue with the company’s handling of the situation, arguing that it has not been forthright with its users about the extent of damage incurred by the hack, and the degree to which LastPass users should have responded to it. “LastPass has still not shared some critical details about their security posture and the stuff that was compromised by the attackers,” Monahan wrote. “I want to emphasize strongly that LastPass can and should be doing more here.” “They are a disgusting failure of a company,” she added. Decrypt reached out to both LastPass and Monahan for this story, but did not immediately receive a response from either party. The mystery hacker’s persistent crypto heists, meanwhile, appear to have no end in sight. Edited by Andrew Hayward