
Stolen LastPass Vault Backups Enable Crypto Theft Through 2025

  • Dec 28, 2025

Key Findings


  • Encrypted vault backups stolen in the 2022 LastPass breach are still being cracked, enabling crypto theft as late as 2025.

  • Attackers have drained over $28 million in crypto by exploiting weak master passwords to decrypt the stolen vaults.

  • The funds were laundered through Russian cybercrime infrastructure, including mixers and high-risk exchanges.

  • TRM Labs' analysis indicates likely Russian criminal involvement in monetizing the LastPass breach.


Background


In 2022, hackers breached LastPass, a popular password manager, and stole encrypted backups of roughly 30 million user vaults containing sensitive credentials, including cryptocurrency keys.


Continued Crypto Thefts


  • TRM Labs, a blockchain intelligence firm, warned that attackers are still cracking the encrypted vault backups that were protected by weak master passwords.

  • This has enabled continued cryptocurrency thefts, with wallet drains persisting through 2024 and 2025.

  • Over $28 million in crypto has been stolen and laundered through mixers like Wasabi Wallet, and off-ramped through Russian exchanges like Cryptex and Audi6.


Laundering and Russian Involvement


  • TRM Labs found repeated use of Russian cybercrime infrastructure and continuity of wallet control, indicating likely Russian criminal involvement in monetizing the breach.

  • The analysts identified on-chain patterns (SegWit, Replace-by-Fee, single-use addresses, and coordinated deposit/withdrawal clusters) linking the activity to Russia-based operators.

  • The findings highlight the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the diminishing effectiveness of mixing as a reliable means of obfuscation.


Regulatory Action and Implications


  • Earlier this month, the U.K. ICO fined LastPass £1.2m ($1.6m) for inadequate security measures that failed to prevent the breach.

  • The significance of likely Russian involvement extends beyond this single case, as Russian high-risk exchanges and laundering services have repeatedly served as critical off-ramps for globally dispersed cybercriminal networks.

  • The LastPass case underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.


Sources


  • https://securityaffairs.com/186191/digital-id/stolen-lastpass-backups-enable-crypto-theft-through-2025.html

  • https://www.instagram.com/p/DSr-gZID1eo/

  • https://thehackernews.com/2025/12/lastpass-2022-breach-led-to-years-long.html

  • https://www.facebook.com/thehackernews/posts/stolen-vault-backups-from-the-2022-lastpass-breach-are-still-paying-out35-millio/1253305743500673/

© 2025 by Explain IT Again. Powered and secured by Wix