Blockchain intelligence firm TRM Labs has traced over $35 million in stolen cryptocurrency to the 2022 LastPass breach, revealing a sophisticated Russian cybercriminal laundering operation that remains active into 2025.
In 2022, hackers breached LastPass and stole encrypted password vaults containing the credentials of roughly 30 million users worldwide.
Although the vaults were encrypted, anyone holding a copy can guess master passwords offline, with no rate limiting or lockout to slow them down. Each vault's encryption key is derived from the master password with PBKDF2, so short, common or reused master passwords, especially on older accounts with low iteration counts, fall to bulk dictionary attacks.
Cracked vaults exposed the private keys and seed phrases users had stored inside, leading to a steady stream of wallet drains throughout 2024 and 2025, more than three years after the initial breach.
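To make the offline attack concrete, here is an added Python example; it is illustrative code written for this page, not LastPass's implementation or anything from the TRM report. It models only the part that matters: the vault key comes from PBKDF2-HMAC-SHA256 over the master password, and whoever holds the vault can test guesses as fast as their hardware allows. The salt value, the wordlist, the iteration counts and the "verifier" field (SHA-256 of the derived key, used so a guess can be checked without a full ciphertext) are all constructed assumptions.

```python
"""Offline dictionary attack against a PBKDF2-protected vault (added example)."""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed sample inputs. The salt stands in for the per-user value that a
# real vault carries alongside its ciphertext; the wordlist is a toy.
SALT = b"user@example.com"
WORDLIST = ["123456", "password", "qwerty", "Password1", "letmein", "lastpass2022"]


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Vault encryption key: PBKDF2-HMAC-SHA256 of the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_vault(master_password: str, salt: bytes, iterations: int) -> dict:
    """Build a toy stolen vault: everything the attacker has except the password."""
    key = derive_key(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        # Hypothetical key-confirmation value; a real format would instead let
        # the attacker try to decrypt a known block of ciphertext.
        "verifier": hashlib.sha256(key).digest(),
    }


def crack(vault: dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try every candidate; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        key = derive_key(candidate, vault["salt"], vault["iterations"])
        if hmac.compare_digest(hashlib.sha256(key).digest(), vault["verifier"]):
            return candidate, guesses
    return None, guesses


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough single-core cost of one guess at a given PBKDF2 iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", SALT, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Weak master password on a low, legacy-style iteration count.
    weak = make_vault("Password1", SALT, iterations=5_000)
    print("weak vault:", crack(weak, WORDLIST))      # ('Password1', 4)

    # A long passphrase absent from the wordlist: the same attack comes up empty.
    strong = make_vault("correct horse battery staple 1917", SALT, iterations=100_100)
    print("strong vault:", crack(strong, WORDLIST))  # (None, 6)

    # Iteration count scales the attacker's cost linearly; it does not rescue a
    # password that is in the wordlist, it only makes each guess slower.
    for iters in (5_000, 100_100, 600_000):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1e3:.1f} ms/guess")
```

The timing loop is the practitioner's takeaway: a higher iteration count multiplies the attacker's cost per guess, which protects a strong passphrase, but a master password that appears in a wordlist is found after a handful of guesses regardless of the setting.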
TRM Labs estimates that over $28 million was stolen, converted to Bitcoin, and run through Wasabi Wallet, a privacy-focused wallet whose built-in CoinJoin coordinator pools many users' coins into a single transaction to obscure which input paid which output.
The most recent LastPass-linked transactions occurred as late as October 2025, with an additional $7 million traced in September.
Demixing Exposes Russian Infrastructure
Using advanced demixing techniques, TRM analysts defeated the privacy protections of CoinJoin mixers like Wasabi Wallet by identifying behavioral patterns and transaction fingerprints.
The analysis revealed that stolen funds consistently flowed to the Russian exchanges Cryptex and Audi6, both of which are associated with cybercriminal money laundering.
Intelligence tied to the wallets both before and after mixing pointed to Russia-based operational control, indicating one continuous operation across multiple laundering phases rather than isolated activity.
Cryptex was sanctioned by OFAC in 2024 for laundering proceeds for ransomware actors. The case shows that cryptocurrency mixers do not eliminate attribution risk when threat actors reuse the same cash-out infrastructure on the far side of the mix.
TRM’s demixing methodology revealed clustered withdrawal patterns and peeling chains that funneled mixed Bitcoin to known Russian exchanges, showing the operational architecture of the laundering pipeline.
For the roughly 25 million affected LastPass users, the threat remains live for anyone who has not since rotated every credential stored in the vault and moved any crypto keys or seed phrases to freshly generated wallets. Changing the master password after the fact does not help, because the stolen copy is still protected only by the old one. It is a stark reminder that a credential breach can open a window of exploitation that stays open for years.
