The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs.
The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October.
This assessment is “based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps,” it added.
LastPass suffered a major hack in 2022 that enabled attackers to access personal information belonging to its customers, including their encrypted password vaults containing credentials, such as cryptocurrency private keys and seed phrases.
Earlier this month, the password management service was fined $1.6 million by the U.K. Information Commissioner’s Office (ICO) for failing to implement sufficiently robust technical and security measures to prevent the incident.
The breach also prompted the company to issue a warning at the time, stating bad actors may use brute-force techniques to guess the master passwords and decrypt the stolen vault data. The latest findings from TRM Labs show that the cybercriminals have done just that.
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the company said.
“As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.”
The Russian links to the stolen cryptocurrency from the 2022 LastPass breach stem from two primary factors: The use of exchanges commonly associated with the Russian cybercriminal ecosystem in the laundering pipeline and operational connections gleaned from wallets interacting with mixers both before and after the mixing and laundering process.
More $35 million in siphoned digital assets have been traced, out of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.
The stolen funds have been found to be routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity. It’s worth mentioning here that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware attacks.
TRM Labs said it was able to demix the activity despite the use of CoinJoin techniques to make it harder to trace the flow of funds to external observers, uncovering clustered withdrawals and peeling chains that funneled mixed Bitcoin into the two exchanges.
“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, global head of policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.”
“Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”
