- Encrypted vault backups taken in the 2022 breach of LastPass were cracked using weak master passwords, leading to wallet drains as recently as late 2025.
- TRM Labs traced more than $35 million in stolen assets, with about $28 million converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025 and another $7 million linked to activity in September 2025.
- Funds were routed through mixers and off‑ramped at high‑risk Russian exchanges, including Cryptex and Audia6, supporting an assessment of Russian cybercriminal involvement.
- Mixing techniques such as CoinJoin and structured transfers called peeling chains were used, but investigators were able to demix flows and find clustered withdrawals.
TRM Labs [https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement] says actors exploited weak master passwords from the 2022 LastPass breach to decrypt vaults and steal crypto through late 2025. The firm cites repeated interactions with Russia‑associated infrastructure and the use of Russian exchanges as off‑ramps, linking the activity to Russian cybercriminal networks.
The breach exposed encrypted password vaults that contained credentials, private keys, and seed phrases. The company warned at the time that attackers could use brute‑force methods to guess master passwords and decrypt vaults offline; investigators report those techniques were applied over multiple years.
TRM traced more than $35 million in stolen assets. About $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025, and roughly $7 million was tied to a wave seen in September 2025. Funds flowed through services including Cryptomixer.io and were off‑ramped via Cryptex and Audia6. The U.S. Treasury sanctioned Cryptex in September 2024 for handling illicit proceeds.
Investigators reported they demixed CoinJoin transactions to reveal clustered withdrawals and peeling chains that funneled mixed Bitcoin into exchanges. Define: CoinJoin — a transaction technique that combines payments from multiple users to obscure origins. Define: Peeling chain — a sequence of small transfers used to siphon funds.
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the firm said. “As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.”
Regulators fined LastPass $1.6 million earlier in December for insufficient security measures. The report highlights the role of operational patterns, infrastructure reuse, and high‑risk exchanges in linking the thefts to known criminal networks and enabling enforcement.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Institutions Squeeze Retail as XRP Faces Worst Period & 2026
- NFT Market Falls to $2.5B in December – 72% Drop amid slumps
- CISA Adds Digiever DS-2105 Pro Flaw to KEV Amid Attacks Now!
- China’s Yuan Surge: Africa, BRICS Erode Dollar Dominance Now
- US Drives Bitcoin ETF Outflows Into Christmas; Hope Remains.
