Cryptocurrency theft attacks traced to 2022 LastPass breach

Blockchain investigation firm TRM Labs says ongoing cryptocurrency thefts have been traced to the 2022 LastPass breach, with attackers draining wallets years after encrypted vaults were stolen and laundering the crypto through Russian exchanges.

In 2022, LastPass disclosed that attackers breached its systems by compromising a developer environment, stealing portions of the company’s source code and proprietary technical information.

In a later, but related security incident, the hackers breached the cloud storage firm GoTo using previously stolen credentials and stole LastPass database backups stored on the platform. For some customers, these encrypted password vaults contained not only credentials, but also cryptocurrency wallet private keys and seed phrases.

While the vaults were encrypted, users with weak or reused master passwords were vulnerable to offline cracking, which is believed to have been ongoing since the breach.

“Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” warned LastPass when they disclosed the breach.
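The interaction between master-password strength and iteration count can be put in numbers. The following is an added example, not code from LastPass or TRM: it assumes a PBKDF2-HMAC-SHA256 style key derivation, and the entropy figures, iteration counts and attacker throughput are constructed sample values.

```python
import hashlib
import time

SECONDS_PER_DAY = 86_400

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """One offline guess costs `iterations` HMAC-SHA256 rounds (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def measure_hmac_per_sec(iterations: int = 100_000) -> float:
    """Local throughput of this machine, to substitute for the assumed rate below."""
    start = time.perf_counter()
    derive_vault_key("benchmark-only", b"constructed-salt", iterations)
    return iterations / (time.perf_counter() - start)

def expected_days_to_guess(entropy_bits: float, iterations: int, hmac_per_sec: float) -> float:
    """Average search time: half the keyspace, each guess costing `iterations` rounds."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hmac_per_sec / SECONDS_PER_DAY

# Constructed sample vaults: (label, estimated master-password entropy in bits, iterations).
SAMPLE_VAULTS = [
    ("long-passphrase", 70, 600_000),
    ("weak-low-iter", 28, 5_000),
    ("medium", 40, 100_100),
    ("weak-high-iter", 28, 100_100),
]
ASSUMED_HMAC_PER_SEC = 1e10  # assumption for illustration, not a measured attacker rate

def fall_order(vaults=SAMPLE_VAULTS, rate=ASSUMED_HMAC_PER_SEC):
    """Vaults sorted by how soon a sustained offline search is expected to open them."""
    rows = [(label, expected_days_to_guess(bits, its, rate)) for label, bits, its in vaults]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for label, days in fall_order():
        print(f"{label:16s} ~{days:,.3f} days")
```

Under these assumptions the weak passwords fall almost immediately regardless of iteration count, the medium one takes weeks, and the long passphrase stays out of reach, which is why rotating every secret stored in an exposed vault matters more than the vault's settings at the time of theft.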

The link between the LastPass breaches and crypto thefts was further corroborated by the U.S. Secret Service, which in 2025 seized more than $23 million in cryptocurrency and said attackers had obtained victims’ private keys by decrypting vault data stolen in a password manager breach.

In court filings, agents said there was no evidence the victims’ devices had been compromised through phishing or malware, and that they believed the theft was linked to the stolen password vaults.

Crypto thefts linked to LastPass breach

In a report published last week, TRM said that ongoing cryptocurrency theft attacks have been traced to the abuse of the encrypted LastPass password vaults stolen in 2022.

Rather than the wallets being drained immediately after the breach, the thefts occurred in waves months or years later, illustrating how the attackers were gradually decrypting vaults and extracting stored credentials.

The affected wallets were drained using similar transaction methods, with no reports of a new attack, indicating the attacker possessed the private keys before the thefts.

“The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach,” TRM told BleepingComputer.

“That created a scenario in which wallet drains would occur well after the original breach, rather than immediately, and in distinct waves.”

TRM told BleepingComputer its investigation was initially based on a small number of reports, including submissions to Chainabuse, in which users identified the LastPass breach as the method by which their wallets were stolen.

Researchers expanded their investigation by identifying cryptocurrency transaction behavior across other cases, linking the thefts to the LastPass data theft campaign.

TRM told BleepingComputer that the most significant part of their research was the ability to trace stolen funds even after they were mixed using Wasabi Wallet’s CoinJoin feature.

CoinJoin is a Bitcoin privacy technique that combines transactions from multiple users into a single transaction, making it more difficult to determine which inputs correspond to which outputs.

Wasabi Wallet includes CoinJoin as a built-in feature, allowing users to automatically mix their Bitcoin with others to obfuscate transactions without relying on a mixing service.

After draining wallets, attackers converted the stolen crypto to Bitcoin, routed it through Wasabi Wallet, and attempted to hide their tracks using CoinJoin transactions.

However, TRM says it was able to “demix” the cryptocurrency sent via CoinJoin transactions by analyzing behavioral characteristics, such as transaction structure, timing, and wallet configuration choices.

“Rather than attempting to demix individual thefts in isolation, TRM analysts analyzed the activity as a coordinated campaign, identifying clusters of Wasabi deposits and withdrawals over time. Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental.

Blockchain fingerprints observed prior to mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. The continuity across pre-mix and post-mix stages strengthens confidence that the laundering activity was conducted by actors operating within, or closely tied to, the Russian cybercrime ecosystem.”

❖ TRM Labs
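The idea of matching deposits to a withdrawal cluster by aggregate value and timing can be shown on a toy data set. This is an added, simplified illustration and not TRM's proprietary method: the transactions are constructed, and the fee and time-window thresholds are assumptions.

```python
from itertools import combinations

# Constructed sample data, not real transactions: (hour observed, amount in mBTC).
DEPOSITS = [(0, 4200), (3, 7900), (5, 2400), (9, 5500)]          # suspect inflows
WITHDRAWALS = [(1, 500), (4, 1000), (11, 6600), (12, 1500),      # all mixer outflows
               (13, 6700), (15, 6600), (40, 2000), (90, 3000)]

MAX_FEE_RATIO = 0.01    # assumed: outputs may total up to 1% less than inputs (fees)
MAX_LAG_HOURS = 24      # assumed: withdrawals follow the last deposit within a day

def value_fits(deposits, cluster):
    """True if the cluster's total is just below the deposit total (fees only)."""
    total_in = sum(amount for _, amount in deposits)
    shortfall = total_in - sum(amount for _, amount in cluster)
    return 0 <= shortfall <= MAX_FEE_RATIO * total_in

def timing_fits(deposits, cluster):
    """True if every withdrawal falls in the window after the last deposit."""
    last_in = max(hour for hour, _ in deposits)
    return all(last_in <= hour <= last_in + MAX_LAG_HOURS for hour, _ in cluster)

def matching_clusters(deposits, withdrawals, size):
    """Withdrawal sets whose aggregate value AND timing align with the deposits."""
    return [c for c in combinations(withdrawals, size)
            if value_fits(deposits, c) and timing_fits(deposits, c)]

def coincidence_rate(deposits, withdrawals, size):
    """Share of all same-size withdrawal sets whose total would fit by value alone."""
    candidates = list(combinations(withdrawals, size))
    return sum(value_fits(deposits, c) for c in candidates) / len(candidates)

if __name__ == "__main__":
    print(matching_clusters(DEPOSITS, WITHDRAWALS, 3))
    print(f"value-only coincidence rate: {coincidence_rate(DEPOSITS, WITHDRAWALS, 3):.3f}")
```

In this sample only one of the 56 possible three-withdrawal sets fits the deposit total, and it also sits inside the timing window, which is the kind of low coincidence rate the quote describes.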

By treating the thefts as a coordinated campaign rather than individual compromises, TRM was able to match groups of Wasabi deposits with withdrawal patterns that matched the crypto theft attacks via the LastPass breach.

Early withdrawals after the wallet drains further indicate the same threat actors who stole the funds were behind the mixing activity.

Using this approach, TRM estimates that more than $28 million in cryptocurrency was stolen and laundered through Wasabi Wallet in late 2024 and early 2025. An additional $7 million was tied to a later wave of attacks in September 2025.

TRM says the funds were repeatedly cashed out via the same Russian-linked exchanges, including Cryptex and Audi6, further indicating that the same threat actors were behind these breaches.
