LastPass 2022 Breach Continues to Fuel Cryptocurrency Thefts
This summary covers a report from January 2, 2026, detailing how the 2022 LastPass data breach is still enabling high-value cryptocurrency thefts through cracked encrypted vault backups, with stolen funds laundered via Russian exchanges.
Technical Details of the Ongoing Exploitation
Threat actors have persisted in cracking encrypted vault backups stolen during the 2022 LastPass incident. These backups contain the private keys and seed phrases that victims stored in their password manager. Using offline password cracking techniques, such as GPU-accelerated dictionary attacks combined with known weaknesses in the vault encryption, attackers are decrypting the data years after the initial theft. Once a vault is opened, they transfer cryptocurrency from the victim's wallets to attacker-controlled addresses.
Laundering and Evasion Tactics
Stolen funds are funneled through Russia-based exchanges that operate with lax anti-money-laundering controls, which allows evasion of international sanctions. These exchanges facilitate rapid conversion into privacy-focused coins such as Monero before the funds are distributed further. The long tail of this breach underscores that stolen ciphertext stays exposed indefinitely: unless the secrets it protects are rotated, a persistent adversary with enough computing power will eventually read it.
Recommendations for Mitigation
Organizations must mandate rotation of all credentials in pre-2022 LastPass vaults. Implement hardware security modules for key storage and enforce multi-party computation schemes for wallet approvals to prevent single-point compromises.
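To put numbers on the offline cracking described above and on the rotation mandate, here is an added Python triage sketch (not part of the report, and not LastPass's code); it assumes the vault key is derived with PBKDF2-HMAC-SHA256, as LastPass has publicly documented, and the iteration counts, password entropies, GPU guess rate and one-year horizon are constructed values.

```python
# Assumption (publicly documented, but not stated in the report above): LastPass
# vault keys come from PBKDF2-HMAC-SHA256, so the iteration count sets the cost
# of each offline guess. The guess rate, vault records and one-year horizon
# below are constructed for illustration, not measurements.

SECONDS_PER_DAY = 86_400


def expected_guesses(entropy_bits: float) -> float:
    """Guesses needed on average to hit a password of this entropy (half the space)."""
    return 2.0 ** (entropy_bits - 1)


def days_to_crack(iterations: int, entropy_bits: float, kdf_iters_per_second: float) -> float:
    """Expected days for an attacker computing `kdf_iters_per_second` PBKDF2
    iterations in total; every candidate password costs `iterations` of them."""
    guesses_per_second = kdf_iters_per_second / iterations
    return expected_guesses(entropy_bits) / guesses_per_second / SECONDS_PER_DAY


def triage(vaults, kdf_iters_per_second=1e10, horizon_days=365.0):
    """Rank stolen-vault records by exposure. Anything crackable inside the
    horizon is 'rotate_now'; the rest is still 'rotate', because the ciphertext
    is gone for good and attacker hardware only gets faster."""
    rows = []
    for v in vaults:
        days = days_to_crack(v["iterations"], v["entropy_bits"], kdf_iters_per_second)
        action = "rotate_now" if days <= horizon_days else "rotate"
        rows.append({"user": v["user"], "days": round(days, 2), "action": action})
    return sorted(rows, key=lambda r: r["days"])


# Constructed records: a low-iteration legacy vault, a mid-range one, and a
# re-keyed vault protected by a long passphrase.
SAMPLE_VAULTS = [
    {"user": "alice", "iterations": 5_000, "entropy_bits": 40},
    {"user": "bob", "iterations": 100_100, "entropy_bits": 40},
    {"user": "carol", "iterations": 600_000, "entropy_bits": 80},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_VAULTS):
        print(f"{row['user']:6s} {row['days']:>18,.2f} days  {row['action']}")
```

Raising the iteration count only buys time; the record that was actually stolen keeps whatever count it had, which is why the triage marks every vault for rotation.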
Unleash Protocol Suffers $3.9 Million Multisig Hijack
On December 31, 2025, the decentralized intellectual property platform Unleash Protocol lost $3.9 million due to an unauthorized contract upgrade exploiting compromised private keys in its multi-signature wallet, bypassing governance controls.
Attack Vector and Execution
Attackers compromised private keys linked to the platform’s multisig wallet, likely via phishing or supply chain compromise targeting key holders. With control over the threshold signatures, they proposed and executed a malicious smart contract upgrade on the Ethereum blockchain. This upgrade included a hidden drain function that transferred assets to attacker addresses without triggering governance alerts.
DeFi Governance Vulnerabilities Exposed
The incident reveals the risks of multisig setups that rely on centralized key management. Admin keys, even when distributed among several holders, remain a single point of failure unless they are secured with hardware wallets or a threshold signature scheme (TSS). Delays in the governance process allowed the upgrade to finalize before the community detected it.
Defensive Strategies for DeFi Protocols
Adopt decentralized key generation and hardware security modules for multisig signers. Implement time-locks on upgrades and multi-stage voting with pause functions. Continuous monitoring of on-chain anomalies, using blockchain explorers with built-in anomaly detection, can provide early warning.
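As an added illustration of the time-lock and pause controls recommended above (example code, not Unleash Protocol's contracts), the following Python model shows why a stolen signing threshold alone cannot push an upgrade through immediately; the signer names, the two-of-three threshold and the 48-hour delay are constructed.

```python
# Added example, not Unleash Protocol's contracts: a plain-Python model of the
# upgrade controls recommended above. An upgrade needs `threshold` signer
# approvals, then waits `delay` seconds before it can execute, and any guardian
# can pause execution in that window. Names and the 48-hour delay are constructed.


class TimelockedUpgrader:
    def __init__(self, signers, threshold, delay, guardians):
        self.signers, self.guardians = set(signers), set(guardians)
        self.threshold, self.delay = threshold, delay
        self.implementation, self.paused = "v1", False
        self.queue = {}  # new_impl -> {"approvals": set(), "queued_at": None}

    def approve(self, new_impl, signer, now):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        p = self.queue.setdefault(new_impl, {"approvals": set(), "queued_at": None})
        p["approvals"].add(signer)
        # The timelock clock starts once, when the threshold is first reached.
        if len(p["approvals"]) >= self.threshold and p["queued_at"] is None:
            p["queued_at"] = now

    def pause(self, guardian):  # any single guardian can freeze upgrades
        if guardian not in self.guardians:
            raise PermissionError(f"{guardian} is not a guardian")
        self.paused = True

    def execute(self, new_impl, now):
        p = self.queue.get(new_impl)
        if self.paused:
            return False, "paused"
        if p is None or p["queued_at"] is None:
            return False, "threshold not reached"
        ready_at = p["queued_at"] + self.delay
        if now < ready_at:
            return False, f"timelock: {ready_at - now}s remaining"
        self.implementation = new_impl
        return True, "executed"


def run(pause_during_delay):
    """Two of three signers approve a drain upgrade: the delay stops the
    immediate switch, and a guardian pause stops it for good."""
    u = TimelockedUpgrader(["s1", "s2", "s3"], 2, 48 * 3600, ["g1"])
    u.approve("v2-with-drain", "s1", now=0)
    u.approve("v2-with-drain", "s2", now=10)
    immediate = u.execute("v2-with-drain", now=11)
    if pause_during_delay:
        u.pause("g1")
    later = u.execute("v2-with-drain", now=10 + 48 * 3600)
    return immediate, later, u.implementation
```

The delay is what gives monitoring a chance to matter: the queued proposal is visible on-chain for the whole window, and the pause turns that visibility into a stop.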
GlassWorm Malware Targets macOS Developers
Detected on January 1, 2026, the GlassWorm campaign delivers trojanized VSCode and OpenVSX extensions to macOS developers, exfiltrating cryptocurrency wallet seed phrases and session tokens via supply chain compromise.
Malware Delivery Mechanism
Malicious extensions masquerade as legitimate VSCode plugins on OpenVSX, targeting developers working with crypto libraries. Upon installation, they inject code into the IDE’s extension host process, monitoring for wallet extensions like MetaMask or Phantom. Seed phrases are captured during clipboard operations or memory scraping.
Exfiltration and Persistence
Stolen data is exfiltrated over DNS tunneling to evade macOS Gatekeeper and XProtect. Persistence is achieved by respawning as a LaunchAgent in ~/Library/LaunchAgents, blending with legitimate developer workflows. Child processes from IDEs are monitored for suspicious network activity.
Protection Measures
Enforce extension whitelisting in VSCode and deploy EDR solutions monitoring IDE-spawned processes. Use sandboxed development environments and verify extension signatures against trusted repositories.
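The LaunchAgent persistence described above can be audited with the following added Python script (not GlassWorm's code and not a vendor detection rule); the trusted-location list, the interpreter list and the two sample plists are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Added detection example, not GlassWorm's code or a vendor rule. It reads LaunchAgent
# plists the way an audit script or EDR content would and flags the traits described
# above. Trusted-location list, interpreter list and sample plists are constructed.

TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/",
                    "/bin/", "/usr/bin/", "/usr/libexec/", "/usr/sbin/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "node"}


def launchagent_findings(plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing flagged."""
    job = plistlib.loads(plist_bytes)
    args = list(job.get("ProgramArguments") or [job.get("Program", "")])
    program = args[0] if args else ""
    findings = []
    if not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program outside trusted locations: {program}")
    if program.rsplit("/", 1)[-1] in INTERPRETERS:  # shell/script wrapper, common for droppers
        findings.append(f"interpreter wrapper: {' '.join(args)}")
    if any("/." in a for a in args):  # hidden directory in program or arguments
        findings.append("hidden path component in arguments")
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        findings.append("starts at login and respawns (RunAtLoad + KeepAlive)")
    return findings


def scan_launchagents(directory: Path) -> dict[str, list[str]]:
    """Map each flagged plist under `directory` (e.g. ~/Library/LaunchAgents) to its findings."""
    report = {}
    for plist in sorted(directory.glob("*.plist")):
        findings = launchagent_findings(plist.read_bytes())
        if findings:
            report[plist.name] = findings
    return report


# Constructed samples: one shaped like the persistence described above, one benign.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.vscode.extension-host</string>
<key>ProgramArguments</key><array><string>/bin/bash</string>
<string>/Users/dev/.cache/.vsx/run.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Run `scan_launchagents(Path.home() / "Library" / "LaunchAgents")` on a developer workstation to get the per-file findings; a single finding is a lead, not a verdict, so pair it with the process and network monitoring the section recommends.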
Inotiv Pharma Ransomware Breach Exposes 10,000 Records
In late December 2025, pharmaceutical firm Inotiv suffered a ransomware attack stealing data on nearly 10,000 individuals, exploiting a Baidu Antivirus driver vulnerability for kernel access and EDR evasion.
Initial Access and Privilege Escalation
Attackers exploited a signed Baidu Antivirus driver vulnerability, loading it to achieve kernel-level privileges. This disabled endpoint detection tools by hooking system calls and terminating security processes. With EDR blinded, ransomware was deployed across internal systems.
Data Exfiltration and Impact
Exfiltrated data included names, addresses, and Social Security numbers from R&D databases. The pharmaceutical sector’s sensitive IP amplifies extortion risks, potentially leading to long-term leaks.
Hardening Endpoint Security
Block vulnerable drivers via allowlisting, regardless of signatures. Monitor for unauthorized kernel modules using integrity checks and deploy tamper-resistant EDR with kernel callback monitoring.
Petco Data Exposure from Misconfiguration
Petco reported a misconfiguration in a software application that exposed customer PII, including Social Security numbers and financial data, across multiple states.
Misconfiguration Details
An internet-facing application lacked proper access controls, allowing unrestricted queries to backend databases. Exposed fields included full names, SSNs, driver’s licenses, and account numbers for California and Massachusetts customers.
Risks of Shadow Deployments
Improperly tested deployments created “shadow IT” exposures. Lack of data classification left PII unprotected in production environments.
Preventive Controls
Deploy automated configuration scanners and data discovery tools. Enforce least-privilege access with zero-trust network policies for all cloud resources.
Fortinet Firewalls Vulnerable to Legacy 2FA Bypass
A January 2, 2026 report indicates over 10,000 exposed Fortinet firewalls remain unpatched against a five-year-old 2FA bypass, enabling network access.
Vulnerability Mechanics
The flaw allows bypassing 2FA via crafted authentication requests exploiting session handling in FortiGate firmware. Attackers scan Shodan for exposed devices and chain with RCE for pivoting.
Patching and Exposure
Patches have been available since 2021, yet misconfigurations persist, and internet-wide scans confirm that the vulnerable population is widespread.
Remediation Steps
Apply firmware updates immediately. Restrict management interfaces to VPN-only and monitor for exploit attempts via logs.
Silk Typhoon Targets U.S. Congressional Budget Office
Late December 2025 intelligence reports detail Chinese APT Silk Typhoon’s campaign against the U.S. Congressional Budget Office, exfiltrating emails and policy data.
Attack Techniques
Sophisticated phishing delivered credential stealers, followed by lateral movement. The actors exfiltrated internal emails, policy analyses, and economic forecasts.
Nation-State Motivations
The campaign focused on intellectual property and policy data for strategic advantage. The group employs custom malware that evades antivirus.
Defense Posture
Implement phishing-resistant MFA and email DLP. Segment networks and hunt for APT indicators like anomalous exfiltration.
ALPHV/BlackCat Ransomware Operators Admit Involvement
Two cybersecurity professionals confessed to participation in the ALPHV/BlackCat ransomware operation, a key law enforcement win reported around January 2, 2026.
Operation Overview
The insiders facilitated initial access and supplied decryption tools. Their confessions detail profit sharing under the ransomware-as-a-service (RaaS) model.
Implications for Ransomware Ecosystem
The confessions undermine trust among affiliates and may fragment the groups.
Lessons for Defenders
Vet insider threats and monitor for anomalous admin activity.