The encrypted vault backups stolen in the 2022 LastPass data breach have been exploited by cybercriminals to drain cryptocurrency assets, with activity continuing as recently as late 2025. New findings from TRM Labs indicate that the attackers cracked these vaults by targeting weak master passwords, leading to significant financial losses for users.
Blockchain intelligence firm TRM Labs has identified evidence pointing to the involvement of Russian cybercriminal actors in this sustained exploitation. Their analysis reveals that funds linked to the LastPass breach were processed through Russian cryptocurrency exchanges as late as October 2025. This assessment is based on significant on-chain evidence, including the consistent interaction with Russia-associated infrastructure, the continuity of control over funds both before and after mixing services, and the recurring use of high-risk Russian exchanges for cashing out stolen assets.
LastPass Breach Echoes in Late 2025 Cryptocurrency Thefts
The 2022 LastPass hack was a significant security incident that exposed personal information of its customers, crucially including their encrypted password vaults. These vaults contained sensitive credentials, such as private keys and seed phrases for cryptocurrency holdings, making them prime targets for malicious actors.
The ramifications of this breach continue to unfold, with recent regulatory action highlighting the severity of the incident. Earlier this month, the U.K.’s Information Commissioner’s Office (ICO) fined LastPass $1.6 million for failing to implement adequate technical and security measures to prevent the breach. This penalty underscores the ongoing concern surrounding the security lapses that facilitated the theft.
At the time of the breach, LastPass itself issued a warning that attackers might employ brute-force techniques to guess master passwords and decrypt the stolen vault data. The latest findings from TRM Labs confirm that these predictions have materialized, demonstrating the prolonged impact of the initial intrusion. Hackers have indeed been successful in cracking weak master passwords over an extended period, leading to ongoing cryptocurrency theft.
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” TRM Labs stated in its report. The firm further noted that the continued success of these attacks is attributed to users failing to rotate passwords or enhance their vault security, allowing attackers to persist in cracking weak master passwords and consequently drain wallets years after the initial breach.
Tracing the Funds: Russian Nexus and Laundering Operations
The connection to Russia in these cryptocurrency thefts rests on two factors. First, the investigation identified the use of cryptocurrency exchanges commonly associated with the Russian cybercriminal ecosystem for laundering the stolen digital assets. Second, operational links were found between the wallets that interacted with mixers on the way in and those that received funds on the way out, revealing a consistent pattern of control across the laundering process.
TRM Labs has traced over $35 million in siphoned digital assets. A significant portion, approximately $28 million, was converted into Bitcoin and laundered through Wasabi Wallet between late 2024 and early 2025. An additional $7 million has been linked to a subsequent wave of activity detected in September 2025.
The stolen funds were reportedly routed through Cryptomixer.io and then off-ramped via Cryptex and Audia6. These two Russian exchanges have been previously associated with illicit financial activities. It is noteworthy that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 due to its involvement in receiving over $51.2 million in illicit funds, primarily derived from ransomware attacks.
TRM Labs utilized advanced analytics to demix the transaction activity, even in instances where CoinJoin techniques were employed to obscure the flow of funds. By uncovering clustered withdrawals and peeling chains, they were able to trace the mixed Bitcoin into these Russian exchanges. Ari Redbord, global head of policy at TRM Labs, commented on the findings, stating, “This is a clear example of how a single breach can evolve into a multi-year theft campaign. Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.”
Redbord further emphasized, “Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”
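As an added illustration of the tracing technique named above (this is not TRM Labs' tooling and not code from the report), the following Python sketch follows a peeling chain through a constructed, simplified transaction graph and clusters the peeled outputs by the entity that receives them. The graph, transaction ids, addresses, amounts and entity labels are all made up for the example.

```python
# Added example: a minimal peel-chain follower over a constructed, simplified
# Bitcoin-style transaction graph. In a peeling chain, each hop spends the previous
# hop's change, sends a smaller "peel" to a destination (often an exchange deposit
# address) and carries the large remainder forward. Following the remainder hop by
# hop and attributing the peels shows where the mixed funds are being cashed out.
from dataclasses import dataclass


@dataclass
class Tx:
    txid: str
    spends: list     # addresses whose outputs this tx consumes (single-use here)
    outputs: list    # (address, amount_btc)


# Hypothetical address-to-entity attribution an analyst would hold beforehand.
LABELS = {"ex-dep-1": "Exchange A", "ex-dep-2": "Exchange A", "ex-dep-3": "Exchange B"}

# Constructed sample graph: a mixer withdrawal followed by four peeling hops.
GRAPH = {
    "mix-out": Tx("mix-out", [], [("chain-0", 10.0)]),
    "t1": Tx("t1", ["chain-0"], [("ex-dep-1", 0.9), ("chain-1", 9.1)]),
    "t2": Tx("t2", ["chain-1"], [("ex-dep-2", 1.1), ("unknown-1", 0.2), ("chain-2", 7.8)]),
    "t3": Tx("t3", ["chain-2"], [("ex-dep-3", 0.7), ("chain-3", 7.1)]),
    "t4": Tx("t4", ["chain-3"], [("ex-dep-1", 7.1)]),   # final cash-out, chain ends
}


def follow_peel_chain(graph, start_txid):
    """Walk from start_txid along the largest forwarded output of each hop.
    Outputs that are never spent inside the graph are treated as peels.
    Returns (hop_txids, peels) where each peel is (txid, address, amount)."""
    spender = {addr: tx.txid for tx in graph.values() for addr in tx.spends}
    hops, peels, txid = [], [], start_txid
    while txid is not None:
        tx = graph[txid]
        hops.append(txid)
        forwarded = [o for o in tx.outputs if o[0] in spender]
        peels.extend((txid, a, amt) for a, amt in tx.outputs if a not in spender)
        # continue along the largest forwarded output (the change remainder)
        txid = spender[max(forwarded, key=lambda o: o[1])[0]] if forwarded else None
    return hops, peels


def cluster_by_entity(peels, labels):
    """Sum peeled amounts per receiving entity; unlabelled addresses stay unattributed."""
    totals = {}
    for _, addr, amt in peels:
        entity = labels.get(addr, "unattributed")
        totals[entity] = round(totals.get(entity, 0.0) + amt, 8)
    return totals
```

On real chain data the change-output heuristic needs corroboration (address reuse, timing, fee patterns), which is why the report pairs it with clustered-withdrawal and infrastructure analysis.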
The ongoing exploitation of the LastPass breach highlights the persistent threat posed by sophisticated cybercriminal networks and the challenges in tracing and attributing illicit financial flows, especially when mixer services and complicit exchanges are involved. The continued monitoring of these high-risk exchanges and the application of advanced forensic techniques will be crucial for future investigations and enforcement actions against those perpetrating such crimes.