Blockchain intelligence firm TRM Labs has traced over $35 million in stolen cryptocurrency to the 2022 LastPass breach, revealing a sophisticated Russian cybercriminal laundering operation that remains active into 2025.
In 2022, hackers breached LastPass and stole encrypted password vaults containing the credentials of roughly 30 million customers worldwide.
Although the vaults were encrypted, the attackers downloaded them in bulk and began cracking weak master passwords offline. Offline cracking is bounded only by the strength of the master password and the cost of the key-derivation function, so vaults protected by short or reused master passwords fall first.
This gave the criminals access to the private keys and seed phrases stored inside, leading to continued wallet drains throughout 2024 and 2025, more than three years after the initial breach.
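The offline attack described above, as an added example that is not part of the original article and does not reproduce LastPass's real vault format: the key derivation (PBKDF2-HMAC-SHA256 salted with the account email), the stored key-check value, the victim details and the word list are all assumptions chosen to mirror the general design of password-manager vaults. It shows why a downloaded blob can be attacked without limit, and that raising the KDF cost only slows each guess while a master password that sits in a dictionary still falls.

```python
"""
Constructed demonstration of offline master-password cracking against a stolen
vault blob. Added example, not LastPass's real format: the KDF parameters, the
key-check field, the victim and the word list are assumptions.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class StolenBlob:
    """What the attacker walks away with: the salt (email), the KDF cost and a
    key-check value, but not the master password. Constructed stand-in."""
    email: str
    iterations: int
    key_check: bytes


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (assumed KDF)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def key_check(vault_key: bytes) -> bytes:
    """Value stored next to the ciphertext so a client can confirm it derived
    the right key before decrypting. Anyone holding the blob can use the same
    field as a cracking oracle, which is what makes offline guessing possible."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def build_stolen_blob(email: str, master_password: str, iterations: int) -> StolenBlob:
    """Produce the blob an attacker would hold after exfiltrating a vault."""
    key = derive_vault_key(master_password, email, iterations)
    return StolenBlob(email=email, iterations=iterations, key_check=key_check(key))


def crack_offline(blob: StolenBlob, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: no rate limit, no lockout, no server involved."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, blob.email, blob.iterations)
        if hmac.compare_digest(key_check(key), blob.key_check):
            return candidate
    return None


def seconds_per_guess(blob: StolenBlob, samples: int = 3) -> float:
    """Cost of one guess at this blob's iteration count, the only lever the
    vault owner had besides choosing a strong master password."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", blob.email, blob.iterations)
    return (time.perf_counter() - start) / samples


# Constructed word list standing in for a real leaked-password dictionary.
WORDLIST = ["password", "letmein", "Summer2022!", "hunter2", "qwerty123"]


if __name__ == "__main__":
    weak = build_stolen_blob("victim@example.com", "Summer2022!", iterations=5_000)
    strong = build_stolen_blob("victim@example.com", "orbit-velvet-kettle-lantern", iterations=600_000)
    print("weak vault cracked with:", crack_offline(weak, WORDLIST))
    print("strong vault cracked with:", crack_offline(strong, WORDLIST))
    print(f"cost per guess: weak {seconds_per_guess(weak):.5f}s, strong {seconds_per_guess(strong):.3f}s")
```

The iteration counts in the script are illustrative, not LastPass's settings. The design point is that the key-check value (or, equivalently, a known-plaintext field inside the encrypted vault) is an oracle the attacker carries away with the data, so the only defences that survive exfiltration are an unguessable master password and an expensive KDF.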
TRM Labs estimates that over $28 million was stolen, converted to Bitcoin, and laundered through Wasabi Wallet, a privacy-focused CoinJoin wallet.
The most recent LastPass-linked transactions occurred as late as October 2025, with a further $7 million traced in September.
Demixing Exposes Russian Infrastructure
Using advanced demixing techniques, TRM analysts defeated the privacy protections of CoinJoin mixers such as Wasabi Wallet by identifying behavioral patterns and transaction fingerprints.
The analysis showed that the stolen funds consistently flowed to the Russian exchanges Cryptex and Audi6, both of which are associated with cybercriminal money laundering.
Intelligence tied to wallets both before and after mixing pointed to Russia-based operational control, indicating continuity across multiple laundering stages rather than isolated activity.
Cryptex was sanctioned by OFAC in 2024 for facilitating ransomware payments. This case demonstrates that cryptocurrency mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure: a CoinJoin hides which input paid which output, but it does nothing about the reuse of the same deposit addresses, cash-out venues and spending habits on either side of the mix.
TRM's demixing methodology revealed clustered withdrawal patterns and peeling chains that funneled mixed Bitcoin to known Russian exchanges, exposing the operational architecture of the laundering pipeline.
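One of the post-mix heuristics the paragraph above refers to, peeling-chain detection, as an added example. This is not TRM Labs' methodology or data: the transaction graph, the address labels and the peel-ratio threshold are assumptions constructed for the illustration. It walks forward from a CoinJoin output, follows the change output hop by hop while each transaction peels off a small payment, and sums the peeled value that lands at labelled exchange deposit addresses.

```python
"""
Added example of one demixing heuristic, peeling-chain detection, run over a
constructed transaction graph. Not TRM Labs' methodology or data: the graph,
the address labels and the peel-ratio threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Outpoint = Tuple[str, int]          # (txid, output index)
Hop = Tuple[str, str, int]          # (txid, peel address, peel value in satoshis)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: List[Outpoint]
    outputs: List[Tuple[str, int]]  # (address, value in satoshis)


def build_spend_index(txs: List[Tx]) -> Dict[Outpoint, str]:
    """Map every spent outpoint to the txid that spends it, so the chain can be
    walked forward from an output instead of backward from an input."""
    return {outpoint: tx.txid for tx in txs for outpoint in tx.inputs}


def follow_peeling_chain(start_txid: str, txs_by_id: Dict[str, Tx],
                         spend_index: Dict[Outpoint, str],
                         peel_ratio: float = 0.25) -> List[Hop]:
    """Walk forward while each transaction has exactly two outputs, one small
    'peel' and one large change output, and the change is spent by the next
    hop. A roughly even split or a multi-output transaction ends the chain.
    The 0.25 ratio is an assumed threshold, not a published one."""
    chain: List[Hop] = []
    txid: Optional[str] = start_txid
    seen = set()
    while txid is not None and txid not in seen:
        seen.add(txid)
        tx = txs_by_id[txid]
        if len(tx.outputs) != 2:
            break
        small_idx = 0 if tx.outputs[0][1] < tx.outputs[1][1] else 1
        change_idx = 1 - small_idx
        peel_addr, peel_val = tx.outputs[small_idx]
        change_val = tx.outputs[change_idx][1]
        if peel_val > peel_ratio * change_val:
            break                                   # even split: not a peel
        chain.append((txid, peel_addr, peel_val))
        txid = spend_index.get((txid, change_idx))  # next hop spends the change
    return chain


def attribute_peels(chain: List[Hop], known_services: Dict[str, str]) -> Dict[str, int]:
    """Sum peeled value per labelled service; unlabelled destinations are ignored."""
    totals: Dict[str, int] = {}
    for _, addr, val in chain:
        label = known_services.get(addr)
        if label is not None:
            totals[label] = totals.get(label, 0) + val
    return totals


def analyze(txs: List[Tx], known_services: Dict[str, str],
            start_txid: str) -> Tuple[List[Hop], Dict[str, int]]:
    txs_by_id = {tx.txid: tx for tx in txs}
    chain = follow_peeling_chain(start_txid, txs_by_id, build_spend_index(txs))
    return chain, attribute_peels(chain, known_services)


# Constructed graph: one CoinJoin with equal-value outputs, then a chain that
# peels small amounts off one of those outputs into exchange deposit addresses.
SAMPLE_TXS = [
    Tx("cj", [], [("cj_out_0", 1_000_000_000), ("cj_out_1", 1_000_000_000), ("cj_out_2", 1_000_000_000)]),
    Tx("p1", [("cj", 0)], [("dep_ex_a_1", 50_000_000), ("chg_1", 949_000_000)]),
    Tx("p2", [("p1", 1)], [("chg_2", 899_000_000), ("dep_ex_b_1", 49_000_000)]),
    Tx("p3", [("p2", 0)], [("dep_ex_a_2", 60_000_000), ("chg_3", 838_000_000)]),
    Tx("p4", [("p3", 1)], [("unknown_1", 400_000_000), ("chg_4", 437_000_000)]),  # even split ends the chain
]
# Constructed address labels standing in for exchange attribution data.
KNOWN_SERVICES = {
    "dep_ex_a_1": "constructed-exchange-A",
    "dep_ex_a_2": "constructed-exchange-A",
    "dep_ex_b_1": "constructed-exchange-B",
}

if __name__ == "__main__":
    chain, totals = analyze(SAMPLE_TXS, KNOWN_SERVICES, "p1")
    for txid, addr, val in chain:
        print(f"{txid}: peeled {val / 1e8:.2f} BTC to {addr}")
    print("per service:", totals)
```

Real chain analysis layers this with change-output detection, timing and amount fingerprints and the clustering of deposit addresses per service; the peeling-chain walk alone only recovers the destinations, which is exactly the step where reuse of the same exchanges undoes the mixing.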
For the 25 million affected LastPass users who never rotated the secrets in their vaults, the threat remains active, a stark reminder that credential breaches can create multi-year windows of exploitation. Changing the master password after the fact does not protect a vault copy that has already been downloaded; what has to change is the contents, which for seed phrases and private keys means moving the funds to wallets generated from fresh seeds.
