
Encrypted vault backups stolen in the 2022 LastPass data breach have allowed attackers to crack weak master passwords offline, decrypt the vaults and drain the cryptocurrency wallets whose keys they held, according to new research from TRM Labs.
The blockchain intelligence firm said there is evidence that Russian cybercriminals are involved in this activity, and that one of the Russian exchanges received LastPass-related funds as recently as October.
It added that the assessment was “based on the totality of on-chain evidence, including repeated interactions with Russia-related infrastructure, continuity of control across pre- and post-mixing activities, and consistent use of high-risk Russian exchanges as off-ramps.”
LastPass suffered a major hack in 2022, allowing attackers to access personal information belonging to customers, including encrypted password vaults containing credentials such as cryptocurrency private keys and seed phrases.

Earlier this month, the password management service was fined $1.6 million by the UK Information Commissioner’s Office (ICO) for not having sufficiently robust technical and security measures in place to prevent the incident.
At the time of the breach, the company warned that a malicious party could use brute-force techniques to guess a master password and decrypt the stolen vault data. TRM Labs’ latest findings show that cybercriminals have been doing exactly that.
“Vaults protected with weak master passwords can eventually be decrypted offline, so a single breach in 2022 resulted in a multi-year window for attackers to covertly crack passwords and exfiltrate assets over time,” the company said.
“Because users were unable to rotate their passwords or improve the security of their vaults, attackers continued to crack weak master passwords years later, leading to wallet breaches in late 2025.”
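The mechanics behind that warning, as an added example that is not code from LastPass, TRM Labs or the article: a stolen backup hands the attacker the ciphertext, the per-user salt and the PBKDF2 iteration count, so every master-password guess can be verified locally with no rate limit and no alert to the victim, and nothing the victim does after the theft changes the copy the attacker holds. Assumptions made here: the vault is modelled with PBKDF2-HMAC-SHA256 plus a stand-in stream cipher (HMAC-SHA256 in counter mode) rather than the AES-256-CBC LastPass actually uses, the salt is the account e-mail, the sample vault, wordlist, passwords and iteration counts are constructed for illustration, and the helper names are my own.

```python
"""Offline cracking of a stolen encrypted vault (added illustration).

Assumptions, not taken from the article: key derivation is PBKDF2-HMAC-SHA256;
the "cipher" is a stand-in built from HMAC-SHA256 in counter mode and XORed with
the JSON vault (real LastPass vaults use AES-256-CBC). The attack logic is the
same either way: the thief holds ciphertext, salt and iteration count, so each
guess is checked locally and the victim never sees a failed login.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class StolenVault:
    """Everything the attacker got from the backup; no secret material in here."""
    salt: bytes          # per-user salt (assumed here to be the account e-mail)
    iterations: int      # PBKDF2 rounds, frozen at the moment the backup was taken
    ciphertext: bytes    # the encrypted vault blob


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Master password -> 32-byte vault key; cost per guess grows with iterations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in cipher: concatenated HMAC-SHA256(key, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_vault(vault: dict, master_password: str, salt: bytes,
                  iterations: int) -> StolenVault:
    """Simulates what the service stores; this artefact is what leaked."""
    plaintext = json.dumps(vault).encode("utf-8")
    key = derive_key(master_password, salt, iterations)
    return StolenVault(salt, iterations,
                       xor_bytes(plaintext, keystream(key, len(plaintext))))


def try_decrypt(stolen: StolenVault, candidate: str):
    """Return the vault dict if `candidate` is the master password, else None.
    No oracle is needed: a wrong key produces bytes that are not a JSON object."""
    key = derive_key(candidate, stolen.salt, stolen.iterations)
    plaintext = xor_bytes(stolen.ciphertext, keystream(key, len(stolen.ciphertext)))
    try:
        parsed = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return parsed if isinstance(parsed, dict) else None


def crack_offline(stolen: StolenVault, wordlist):
    """Dictionary attack: (password, vault, guesses) or (None, None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        vault = try_decrypt(stolen, candidate)
        if vault is not None:
            return candidate, vault, guesses
    return None, None, guesses


# Constructed sample data: not real users, passwords, wallets or seed phrases.
SALT = b"victim@example.com"
VAULT_CONTENTS = {"site": "wallet.example", "seed": "abandon abandon ... about"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Welcome1"]

# Iteration counts chosen for illustration: a low legacy-style setting with a
# weak password that is in the wordlist, versus a higher count with a passphrase
# that is not. Only the second survives a wordlist the thief can run for years.
WEAK_VAULT = encrypt_vault(VAULT_CONTENTS, "Summer2022!", SALT, 5_000)
STRONG_VAULT = encrypt_vault(VAULT_CONTENTS, "K7#vqL9$pzR2!wXb", SALT, 100_100)


if __name__ == "__main__":
    import time
    for name, stolen in (("weak", WEAK_VAULT), ("strong", STRONG_VAULT)):
        t0 = time.perf_counter()
        pw, vault, n = crack_offline(stolen, WORDLIST)
        dt = time.perf_counter() - t0
        print(f"{name}: password={pw!r} after {n} guesses, "
              f"{dt / n * 1000:.1f} ms per guess at {stolen.iterations} rounds")
        if vault:
            print("  recovered:", vault)
```

The per-guess timing printed by the demo is the only lever the victim ever had: a higher iteration count multiplies the attacker's cost per candidate, but it is baked into the stolen copy, so raising it after the breach protects only future backups, and a password that appears in a wordlist falls regardless of the count once the thief is willing to wait.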
TRM Labs ties the cryptocurrency stolen in the 2022 LastPass breach to Russia on two main grounds. One is the use of exchanges commonly associated with the Russian cybercrime ecosystem as the final stage of the laundering pipeline; the other is the operational links between the wallets that sent funds into mixers and the wallets that received them afterwards, which point to a single operator on both sides of the mixing step.
An additional $35 million in siphoned digital assets was tracked, of which $28 million was converted into Bitcoin and laundered through Wasabi Wallet between late 2024 and early 2025. A further $7 million is attributed to a subsequent wave of thefts detected in September 2025.
The stolen funds were routed through Cryptomixer.io and then through Cryptex and Audia6, two Russian exchanges linked to illicit activity. Cryptex was sanctioned by the US Treasury in September 2024 for receiving over $51.2 million in illicit funds, including proceeds of ransomware attacks.

TRM Labs said that although the use of CoinJoin was meant to make the flow of funds difficult for outside observers to trace, it was able to isolate the activity, revealing clustered withdrawals and de-chaining patterns that funneled the commingled Bitcoin to the two exchanges.
“This is a clear example of how a single breach can escalate into a multi-year theft campaign,” said Ari Redbord, head of global policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can reveal who is truly behind the activity.”
“Russian high-risk exchanges continue to serve as an important hedge against global cybercrime. This case illustrates why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”
