Russian Cybercriminals Likely Behind Years-Long LastPass Crypto Heist
More than $35 million in cryptocurrency stolen from LastPass users has been traced to Russian cybercriminals, according to blockchain intelligence firm TRM Labs.
The thefts, linked to the 2022 breach of the popular password manager, were carried out over several years, exploiting weak master passwords to access encrypted vaults containing private keys and seed phrases.
Despite the vaults being encrypted, TRM Labs found that attackers were able to systematically crack credentials and drain digital assets as recently as late 2025.
How Stolen Funds Travelled Through Russia-Based Infrastructure
TRM Labs’ analysis revealed a sophisticated laundering network centred on Russian exchanges and privacy tools.
Attackers converted non-Bitcoin assets into Bitcoin using instant swap services before routing them through mixers such as Wasabi Wallet and CoinJoin to obscure the transaction trail.
TRM Labs noted,
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time.”
Despite these privacy tools, investigators were able to “de-mix” transactions by analysing behavioural patterns, wallet import methods, and on-chain activity.
This allowed TRM Labs to trace $28 million in Bitcoin through Wasabi Wallet between late 2024 and early 2025, and an additional $7 million in a September 2025 wave to Russian platforms such as Cryptex and Audia6.
Cryptex had been sanctioned by the U.S. Office of Foreign Assets Control after facilitating over $51.2 million in ransomware-related transfers.
Why Russian Platforms Are Central to Global Crypto Crime
The attackers displayed consistent operational ties to Russia both before and after using mixing services, suggesting they were not simply renting infrastructure but actively operating from the country.
TRM Labs observed that the continuity of wallet control and repeated use of sanctioned Russian exchanges indicated a single coordinated group.
Ari Redbord, TRM Labs’ global head of policy, commented:
“This is a clear example of how a single breach can evolve into a multi-year theft campaign. Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behaviour can still reveal who’s really behind the activity.”
The findings highlight how sanctioned Russian exchanges continue to provide liquidity and off-ramps for stolen assets, enabling cybercriminals to monetise breaches while evading international enforcement.
Mixing Services Are Losing Their Effectiveness
Cybercriminals have long relied on mixers to hide illicit funds, but TRM Labs’ demixing techniques show that these tools are increasingly vulnerable to analysis.
By tracking on-chain patterns, investigators were able to reconstruct the flow of funds through mixers, demonstrating that privacy protocols alone are insufficient to guarantee anonymity.
This development signals an urgent need for investors and institutions to adopt more advanced blockchain analytics capable of detecting and attributing illicit activity.
LastPass Breach Shows Weak Passwords Can Fuel Multi-Year Theft
The LastPass incident demonstrates that human factors remain the weakest link in crypto security.
Attackers exploited weak master passwords to gain access to encrypted vaults, enabling years of ongoing theft.
Even users who believed their vaults were safe were at risk if passwords were short, common, or easily guessable.
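The "multi-year window" described above comes down to two numbers the vault owner controls: how much guessing a master password forces, and how expensive each guess is under the vault's key derivation work factor. The following added example (not from the article or from TRM Labs) estimates whether an attacker holding a stolen encrypted vault could exhaust a master password offline within roughly the three-year span of this campaign; the attacker throughput, the common-password list, and the PBKDF2 iteration counts used are all constructed, illustrative assumptions.

```python
import math
import string

# Constructed stand-in for a real common-password wordlist (dictionary hits
# are effectively free for an offline attacker, so they count as 0 bits).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "lastpass"}

# Assumed attacker capability: PBKDF2-HMAC-SHA256 iterations per second on a
# GPU cracking rig. Illustrative figure, not a measurement.
ASSUMED_ITER_PER_SEC = 1e10

# The campaign on this page ran from the 2022 breach into late 2025, so a
# stolen vault has to outlast a window of roughly three years.
WINDOW_YEARS = 3.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def estimate_entropy_bits(password: str) -> float:
    """Charset-based upper bound that assumes uniformly random characters.
    Human-chosen passwords fall far faster to wordlists and mangling rules,
    so treat this number as optimistic for the defender."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)  # 32 printable symbols
    return len(password) * math.log2(charset) if charset else 0.0

def years_to_exhaust(bits: float, kdf_iterations: int,
                     iter_per_sec: float = ASSUMED_ITER_PER_SEC) -> float:
    """Time to try every candidate when each guess costs one full PBKDF2 run
    at the vault's iteration count (the attacker's worst case)."""
    seconds = (2.0 ** bits) * kdf_iterations / iter_per_sec
    return seconds / SECONDS_PER_YEAR

def assess(password: str, kdf_iterations: int) -> dict:
    """Could an attacker holding the encrypted vault crack this master
    password offline within the multi-year window?"""
    bits = estimate_entropy_bits(password)
    years = years_to_exhaust(bits, kdf_iterations)
    return {"bits": round(bits, 1), "years": years,
            "within_window": years <= WINDOW_YEARS}
```

Raising the iteration count buys time against a mediocre password, but only a long, random master password pushes the estimate out of reach of the whole window.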
The UK Information Commissioner’s Office recently fined LastPass $1.6 million for inadequate security measures, highlighting a broader industry need for stronger protection in password managers.
Lessons for Crypto Users and Investors
The case illustrates the importance of proactive security measures.
Strong, unique master passwords, multi-factor authentication, hardware wallets, and regular rotation of credentials are critical.
Users should avoid sanctioned or high-risk exchanges, monitor on-chain activity, and consider password managers with zero-knowledge architecture paired with hardware security modules for high-value holdings.
TRM Labs’ investigation also emphasises the growing value of AI-driven blockchain forensics and compliance technologies.
As cybercriminals exploit long-tail vulnerabilities, tools capable of demixing transactions and mapping illicit activity across networks are becoming essential for law enforcement, investors, and institutions seeking to safeguard digital assets.
The LastPass breach and its ongoing exploitation provide a clear example of how initial hacks can evolve into years-long campaigns, with Russian-linked actors at the centre of laundering stolen funds through complex, yet ultimately traceable, infrastructure.