TRM Labs connects LastPass breach thefts to Russian cybercrime activity

Blockchain analytics company TRM Labs says it has traced more than $35 million in cryptocurrency stolen from the 2022 LastPass data breach, with on-chain activity and laundering patterns suggesting involvement by Russian cybercriminal infrastructure, including the use of Russia-linked exchanges.
TRM analysts reported that a long-running theft campaign tied to the encrypted vault backups stolen during the 2022 compromise continued to surface through 2024 and 2025, with behavior and movements of the stolen funds indicating common control and repeated interaction with high-risk platforms often associated with Russian threat actors.
In 2022, hackers accessed encrypted vault backups from LastPass, a widely used password manager, extracting millions of encrypted credentials, including private keys and seed phrases. Although the vaults were encrypted, attackers were able to attempt decryption offline; weak or unchanged master passwords allowed them to recover wallet access over a period of years, leading to ongoing wallet drains as recently as late 2025.
TRM’s on-chain investigation traced more than $28 million in stolen assets that were converted to Bitcoin and passed through the privacy tool Wasabi Wallet between late 2024 and early 2025, and an additional roughly $7 million tied to a subsequent wave detected in September 2025. The firm used behavioral continuity across pre- and post-mix transactions, such as consistent wallet software fingerprints and transaction patterns, to attribute these movements to the same actors.
The laundering paths of the funds frequently ended at Cryptex and Audi6, two exchanges identified as Russian-associated high-risk off-ramps where illicit assets are converted into fiat or other tokens. Cryptex, already sanctioned by the U.S. Treasury in late 2024 for handling ransomware-linked proceeds, continued to appear in the traced flows, underscoring the recurring use of known infrastructure in the laundering pipeline.
TRM analysts applied demixing techniques to peel apart the effects of mixer services like CoinJoin, allowing them to identify clusters of deposits and subsequent withdrawals with shared traits. These clusters aligned in timing and value with the known patterns of the LastPass-linked thefts, providing a robust on-chain link despite the use of obfuscation tools.
Analysts described two consistent indicators pointing to probable Russian cybercrime involvement: the repeated routing of stolen funds through infrastructure historically tied to Russian threat networks, and wallet intelligence that remained consistent across multiple stages of the laundering process, indicating continuity of operational control rather than opportunistic use by unrelated parties.
Thomas Redbord, global head of policy at TRM Labs, said that the case demonstrates how persistent cybercriminal networks can exploit both longstanding breaches and gaps in user security practices, particularly when master passwords remain unchanged for years, giving attackers a prolonged window to extract assets.
LastPass is a password management service that stores encrypted credentials, including private keys and recovery phrases for crypto wallets. Stolen encrypted vault data does not immediately expose users’ assets, but offline brute-force attacks against weak master passwords can eventually yield critical access, enabling asset theft when attackers obtain the corresponding decrypted keys.
The company suffered a significant breach in 2022 after attackers accessed backups containing encrypted vault data. Regulators subsequently fined the company over its security practices, and cybersecurity warnings highlighted the risk that stolen data could be cracked over time if users did not rotate or strengthen master passwords.