
Hackers Still Exploit Weak LastPass Master Passwords After the 2022 Breach


The encrypted vault backups stolen during the 2022 LastPass data breach continue to fuel cryptocurrency thefts, as attackers exploit weak master passwords to crack vaults and drain digital assets as recently as late 2025, according to new findings from TRM Labs.

The blockchain intelligence firm said the evidence points to Russian cybercriminal actors, noting that one Russia-based exchange received LastPass-linked funds as recently as October.

This assessment is “based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps,” the firm added.

Background: The 2022 LastPass Breach

LastPass suffered a major hack in 2022 that allowed attackers to access customers’ personal information, including encrypted password vaults containing sensitive credentials such as cryptocurrency private keys and seed phrases.

Earlier this month, the U.K. Information Commissioner’s Office (ICO) fined the password management service $1.6 million for failing to implement sufficiently robust technical and security measures to prevent the incident.

At the time of the breach, the company also warned that bad actors could use brute-force techniques to guess master passwords and decrypt the stolen vault data. The latest findings from TRM Labs show that cybercriminals followed through on that warning.

“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the company said.

“As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.”
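The arithmetic behind that warning, as an added illustration that is not from the article or from TRM Labs: the stolen vaults are encrypted with a key derived from the master password, so an attacker with a copy can test candidates offline at a rate limited only by their hardware and the KDF's cost. The SHA-256 rate, the PBKDF2 iteration counts and the password profiles below are assumed, illustrative values, not figures reported on the page.

```python
# Assumed, illustrative parameters (not figures from the article): an offline
# cracking rig sustaining 1e10 SHA-256 operations per second, and a
# PBKDF2-SHA256 vault KDF at the two iteration counts below.
SHA256_OPS_PER_SEC = 1e10
KDF_ITERATIONS_LEGACY = 100_000
KDF_ITERATIONS_HARDENED = 600_000
SECONDS_PER_YEAR = 365.25 * 86400

# Constructed master-password profiles: (label, number of candidates to try).
PROFILES = [
    ("common word or pattern (wordlist-sized)", 10 ** 8),
    ("8 lowercase letters", 26 ** 8),
    ("12 mixed-case letters and digits", 62 ** 12),
    ("16 characters, full printable set", 94 ** 16),
]


def expected_crack_seconds(search_space, sha_ops_per_sec, kdf_iterations):
    """Expected offline time to recover the master password.

    Every candidate must be run through the full KDF before the derived key
    can be tried against the stolen vault, so the guess rate is the raw hash
    rate divided by the iteration count; on average the right password turns
    up halfway through the space.
    """
    candidates_per_sec = sha_ops_per_sec / kdf_iterations
    return (search_space / 2) / candidates_per_sec


def crack_window_years(search_space, kdf_iterations,
                       sha_ops_per_sec=SHA256_OPS_PER_SEC):
    seconds = expected_crack_seconds(search_space, sha_ops_per_sec, kdf_iterations)
    return seconds / SECONDS_PER_YEAR


def exposure_table(kdf_iterations):
    """Map each password profile to its expected cracking window in years."""
    return {label: crack_window_years(space, kdf_iterations)
            for label, space in PROFILES}


def still_exposed(search_space, kdf_iterations, horizon_years=3.0):
    """True if a vault stolen with this password is expected to fall inside the
    multi-year window the article describes (default: three years after theft)."""
    return crack_window_years(search_space, kdf_iterations) <= horizon_years


if __name__ == "__main__":
    for iters in (KDF_ITERATIONS_LEGACY, KDF_ITERATIONS_HARDENED):
        print(f"KDF iterations: {iters}")
        for label, yrs in exposure_table(iters).items():
            print(f"  {label:40s} ~{yrs:.3g} years")
```

Raising the iteration count only scales the window linearly (an eight-letter lowercase password moves from days to weeks), while each extra character of a random password scales it exponentially, which is why rotating a weak master password matters more than any server-side change once the vault copy is already out.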

How Attackers Laundered the Stolen Cryptocurrency

The Russian links to cryptocurrency stolen in the 2022 LastPass breach rest on two primary factors. First, attackers relied on exchanges commonly associated with the Russian cybercriminal ecosystem as part of the laundering pipeline. Second, investigators identified operational connections between the wallets that interacted with mixers before the mixing step and those that received funds after it.

Investigators have traced more than $35 million in siphoned digital assets so far. Of that total, attackers converted approximately $28 million into Bitcoin and laundered it through Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.

Attackers routed the stolen funds through Cryptomixer.io and off-ramped them via Cryptex and Audia6, two Russian exchanges tied to illicit activity. Notably, the U.S. Treasury Department sanctioned Cryptex in September 2024 for receiving more than $51.2 million in illicit funds derived from ransomware attacks.

Demixing Reveals the Actors Behind the Activity

TRM Labs said it successfully demixed the activity despite the attackers’ use of CoinJoin techniques designed to obscure fund flows. Through this analysis, the firm identified clustered withdrawals and peeling chains that funneled mixed Bitcoin into the two exchanges.

“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, global head of policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.”

“Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”

Source: TheHackerNews

Read more at Impreza News
