LastPass Data Breach Led to $35 Million Cryptocurrency Theft
Over $35 million in cryptocurrency, stolen during the 2022 LastPass breach, has been traced by blockchain intelligence firm TRM Labs. The firm’s findings expose a sophisticated Russian cybercriminal laundering operation, active into 2025.
In 2022, hackers breached LastPass and stole encrypted password vaults containing the credentials of roughly 30 million users worldwide.
Although the vaults were encrypted, attackers downloaded them in bulk and began cracking weak master passwords offline.
This allowed cybercriminals to access private keys and seed phrases stored inside, leading to continuous wallet drains throughout 2024 and 2025, more than three years after the initial breach.
TRM Labs estimates that over $28 million was stolen, converted to Bitcoin, and laundered through Wasabi Wallet, a privacy-focused mixing service.
The most recent LastPass-linked transactions occurred as late as October 2025, with an additional $7 million traced in September.
Demixing Exposes Russian Infrastructure
Using advanced demixing techniques, TRM analysts defeated the privacy protections of CoinJoin mixers like Wasabi Wallet by identifying behavioral patterns and transaction fingerprints.
The analysis revealed that stolen funds consistently flowed to the Russian exchanges Cryptex and Audi6, both of which are associated with cybercriminal money laundering.
Intelligence linked to wallets both before and after mixing pointed to Russia-based operational control, indicating continuity across multiple laundering phases rather than isolated activity.
Cryptex was sanctioned by OFAC in 2024 for facilitating ransomware payments. This case demonstrates that cryptocurrency mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure.
TRM’s demixing methodology revealed clustered withdrawal patterns and peeling chains that funneled mixed Bitcoin to known Russian exchanges, showing the operational architecture of the laundering pipeline.
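A simplified illustration of the peeling-chain pattern mentioned above, added here as an example: it is not TRM Labs' methodology or code, and every transaction, address and label in it is constructed. It assumes each spend has a single input address, and the thresholds `max_peel_ratio` and `min_hops` are hypothetical.

```python
# Constructed sample data: all txids, addresses and amounts (satoshis) are made up.
# txid -> (input_address, [(output_address, amount_sats), ...])
TXS = {
    "tx1": ("mixed_out_A", [("exch_dep_1", 80_000_000), ("change_1", 920_000_000)]),
    "tx2": ("change_1", [("exch_dep_2", 90_000_000), ("change_2", 830_000_000)]),
    "tx3": ("change_2", [("exch_dep_3", 70_000_000), ("change_3", 760_000_000)]),
    "tx4": ("change_3", [("exch_dep_1", 80_000_000), ("change_4", 680_000_000)]),
    "tx5": ("unrelated", [("shop", 100_000_000), ("friend", 110_000_000)]),
}
# Hypothetical attribution labels an analyst would already hold.
LABELS = {"exch_dep_1": "Exchange X", "exch_dep_2": "Exchange X",
          "exch_dep_3": "Exchange Y"}

def follow_peel_chain(txs, start_address, max_peel_ratio=0.25, min_hops=3):
    """Follow the large 'change' output hop by hop and record each small peel.

    Returns [(txid, peel_address, amount_sats), ...], or [] when fewer than
    min_hops consecutive peels are found (not a peeling chain).
    """
    spends = {src: (txid, outs) for txid, (src, outs) in txs.items()}
    peels, addr, seen = [], start_address, set()
    while addr in spends and addr not in seen:
        seen.add(addr)  # guard against address reuse loops
        txid, outs = spends[addr]
        if len(outs) != 2:
            break  # a peel hop has exactly one payment and one change output
        (small_addr, small), (big_addr, big) = sorted(outs, key=lambda o: o[1])
        total = small + big
        if total == 0 or small / total > max_peel_ratio:
            break  # outputs too similar in size to be a peel
        peels.append((txid, small_addr, small))
        addr = big_addr  # the remainder carries the chain forward
    return peels if len(peels) >= min_hops else []

def summarize_destinations(peels, labels):
    """Total the peeled amounts per labelled destination."""
    totals = {}
    for _txid, addr, amount in peels:
        name = labels.get(addr, "unlabelled")
        totals[name] = totals.get(name, 0) + amount
    return totals

if __name__ == "__main__":
    chain = follow_peel_chain(TXS, "mixed_out_A")
    for txid, addr, sats in chain:
        print(txid, addr, sats, LABELS.get(addr, "unlabelled"))
    print(summarize_destinations(chain, LABELS))
```

Repeated small deposits to the same labelled service across one chain are the kind of consistent destination that makes funds attributable even after mixing.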
For the 25 million affected LastPass users who failed to rotate passwords or secure their vaults, the threat remains active, a stark reminder that credential breaches can create multi-year windows of exploitation.