Stolen vault backups from the 2022 LastPass breach are still being cracked, allowing attackers to steal crypto as late as 2025.
The blockchain intelligence firm TRM Labs warns that encrypted vault backups stolen in the 2022 LastPass breach are still being cracked using weak master passwords, enabling crypto theft as late as 2025.
In 2022, hackers breached LastPass, stealing encrypted backups of roughly 30 million vaults containing sensitive credentials, including crypto keys. TRM experts pointed out that attackers could decrypt vaults with weak master passwords, creating a multi-year risk. Wallet drains continued through 2024–2025, with stolen funds traced through mixers to high-risk Russian exchanges. TRM Labs found repeated use of Russian cybercrime infrastructure and continuity of wallet control, indicating likely Russian criminal involvement in monetizing the breach.
“While definitive attribution of the original intrusion cannot yet be confirmed, these signals, combined with TRM’s ability to demix activity at scale, highlight both the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the diminishing effectiveness of mixing as a reliable means of obfuscation,” reads the report published by TRM.
TRM Labs traced over $28 million in crypto stolen via the 2022 LastPass breach, converted to Bitcoin, and laundered through Wasabi Wallet in 2024–2025. Analysts identified consistent on-chain patterns (SegWit, Replace-by-Fee, single-use addresses, and coordinated deposit/withdrawal clusters) linking the activity to Russia-based operators. Stolen funds were repeatedly off-ramped through Russian exchanges such as Cryptex and Audi6.

The findings show diminishing effectiveness of mixing, persistent laundering infrastructure, and alignment with a Russian cybercriminal ecosystem across multiple phases.
“The significance of likely Russian involvement extends beyond this single case. Russian high-risk exchanges and laundering services have repeatedly served as critical off-ramps for globally dispersed ransomware groups, sanctions evaders, and other cybercriminal networks,” concludes the report. “Their role in the LastPass laundering pipeline underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.”
Earlier this month, the U.K. ICO fined the password manager £1.2m ($1.6m) for inadequate security measures that failed to prevent the breach.
Pierluigi Paganini
(SecurityAffairs – hacking, LastPass)
