The encrypted vault backups stolen from the 2022 LastPass knowledge breach have enabled unhealthy actors to benefit from weak grasp passwords to crack them open and drain cryptocurrency belongings as just lately as late 2025, in keeping with new findings from TRM Labs.
The blockchain intelligence agency stated proof factors to the involvement of Russian cybercriminal actors within the exercise, with one of many Russian exchanges receiving LastPass-linked funds as just lately as October.
This evaluation is “primarily based on the totality of on-chain proof – together with repeated interplay with Russia-associated infrastructure, continuity of management throughout pre-and post-mix exercise, and the constant use of high-risk Russian exchanges as off-ramps,” it added.
LastPass suffered a serious hack in 2022 that enabled attackers to entry private info belonging to its prospects, together with their encrypted password vaults containing credentials, similar to cryptocurrency non-public keys and seed phrases.
Earlier this month, the password administration service was fined $1.6 million by the U.Okay. Info Commissioner’s Workplace (ICO) for failing to implement sufficiently strong technical and safety measures to forestall the incident.
The breach additionally prompted the corporate to situation a warning on the time, stating unhealthy actors could use brute-force strategies to guess the grasp passwords and decrypt the stolen vault knowledge. The most recent findings from TRM Labs present that the cybercriminals have accomplished simply that.
“Any vault protected by a weak grasp password may finally be decrypted offline, turning a single 2022 intrusion right into a multi-year window for attackers to quietly crack passwords and drain belongings over time,” the corporate stated.
“As customers didn’t rotate passwords or enhance vault safety, attackers continued to crack weak grasp passwords years later – resulting in pockets drains as just lately as late 2025.”
The Russian hyperlinks to the stolen cryptocurrency from the 2022 LastPass breach stem from two main elements: The usage of exchanges generally related to the Russian cybercriminal ecosystem within the laundering pipeline and operational connections gleaned from wallets interacting with mixers each earlier than and after the blending and laundering course of.
Extra $35 million in siphoned digital belongings have been traced, out of which $28 million was transformed to Bitcoin and laundered through Wasabi Pockets between late 2024 and early 2025. One other $7 million has been linked to a subsequent wave detected in September 2025.
The stolen funds have been discovered to be routed by means of Cryptomixer.io and off-ramped through Cryptex and Audia6, two Russian exchanges related to illicit exercise. It is price mentioning right here that Cryptex was sanctioned by the U.S. Treasury Division in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware assaults.
TRM Labs stated it was in a position to demix the exercise regardless of the usage of CoinJoin strategies to make it tougher to hint the circulate of funds to exterior observers, uncovering clustered withdrawals and peeling chains that funneled combined Bitcoin into the 2 exchanges.
“It is a clear instance of how a single breach can evolve right into a multi-year theft marketing campaign,” stated Ari Redbord, international head of coverage at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp habits can nonetheless reveal who’s actually behind the exercise.”
“Russian high-risk exchanges proceed to function essential off-ramps for international cybercrime. This case reveals why demixing and ecosystem-level evaluation are actually important instruments for attribution and enforcement.”
