
$35M Crypto Theft Linked to LastPass Breach

Summary

– A 2022 data breach at password manager LastPass exposed backups of around 30 million customer password vaults, creating a long-term risk for users.
– Hackers have since used the stolen data to drain millions in cryptocurrency from victims’ wallets, with Russian cybercriminals linked to the thefts.
– TRM Labs traced $35 million in stolen crypto across two phases, with funds routed through Russian exchanges and anonymization tools such as CoinJoin mixing.
– The breach highlights critical security lessons, including the need for strong master passwords and multi-factor authentication to prevent such “slow-drip” thefts.
– LastPass was fined £1.2 million by the UK’s ICO for security failings related to the breach, which impacted an estimated 1.6 million UK users.

A significant cryptocurrency theft exceeding $35 million has been directly linked to the 2022 breach of the password manager LastPass, according to blockchain intelligence firm TRM Labs. The company’s analysis reveals a prolonged campaign where hackers systematically drained digital wallets over several years, exploiting stolen password vault backups. This incident highlights the long-term dangers of data breaches involving sensitive credential storage, where stolen information can be weaponized long after the initial hack occurs.

TRM Labs traced the thefts to Russian cybercriminals who leveraged the exposed backups of approximately 30 million customer password vaults. The firm described this as creating a “long-tail risk” for users, particularly those who relied on weak master passwords. Because the attackers held the encrypted backups themselves, every guess at a master password could be tested offline, with no server-side rate limiting, lockout or login MFA in the way; any vault protected by a weak master password was therefore open to brute-force decryption, turning a single incident into a multi-year opportunity to quietly crack vaults and siphon funds.

While acknowledging their findings likely represent only a portion of the total stolen assets, TRM identified two major phases of theft. From 2024 into early 2025, hackers stole an estimated $28 million. A subsequent wave in September 2025 netted an additional $7 million. Both campaigns ultimately funneled funds through Russian cryptocurrency exchanges and associated infrastructure.

The financial trails, though obscured using anonymization tools like CoinJoin, were unraveled by TRM’s investigators. “Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental,” the firm reported. Blockchain patterns observed before the mixing process, combined with intelligence on the destination wallets, consistently pointed to operational control based in Russia.
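
The matching the quote describes, aggregate value plus timing, is the basic heuristic of mixer demixing. The following is an added, constructed illustration of that heuristic on made-up transactions; it is not TRM's code, whose techniques are proprietary, and the mixer fee, time window, transaction amounts and cluster names are all assumptions.

```python
"""Value-and-timing correlation across a mixer (added example, not TRM's method).

Constructed illustration of the matching the quoted analysis describes: the
hackers' deposits into a mixer are compared against candidate withdrawal
clusters, and the cluster whose aggregate value and timing line up best is
flagged. All transactions and cluster names below are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tx:
    ts: datetime
    amount: float  # BTC; constructed values


def cluster_score(deposits: List[Tx], cluster: List[Tx],
                  max_lag: timedelta = timedelta(hours=48),
                  mixer_fee: float = 0.03) -> Optional[float]:
    """Score one withdrawal cluster against the mixer deposits; lower is better.

    Two signals, as in the quoted analysis:
      - value: withdrawals inside the timing window should sum to the deposits
        minus the mixer's cut (the 3% fee is an assumption);
      - timing: withdrawals should land after the deposits began and within
        `max_lag` of the last deposit; a cluster that mostly withdraws outside
        that window is penalised.
    Returns None when nothing in the cluster falls inside the window at all.
    """
    deposited = sum(d.amount for d in deposits)
    first_in = min(d.ts for d in deposits)
    last_in = max(d.ts for d in deposits)
    inside = [w for w in cluster if first_in <= w.ts <= last_in + max_lag]
    if not inside:
        return None
    expected_out = deposited * (1 - mixer_fee)
    value_gap = abs(sum(w.amount for w in inside) - expected_out) / expected_out
    timing_gap = 1 - len(inside) / len(cluster)
    return value_gap + timing_gap


def best_matching_cluster(deposits: List[Tx],
                          clusters: Dict[str, List[Tx]]) -> Optional[Tuple[str, float]]:
    """Return the (name, score) of the cluster that best explains the deposits."""
    scored = {}
    for name, cluster in clusters.items():
        score = cluster_score(deposits, cluster)
        if score is not None:
            scored[name] = score
    if not scored:
        return None
    name = min(scored, key=scored.get)
    return name, scored[name]


# Constructed data: three deposits totalling 12.4 BTC over nine hours, and three
# candidate withdrawal clusters seen at downstream exchanges.
T0 = datetime(2025, 9, 10, 8, 0)
HACKER_DEPOSITS = [Tx(T0, 4.0), Tx(T0 + timedelta(hours=3), 5.2), Tx(T0 + timedelta(hours=9), 3.2)]
CLUSTERS = {
    # right size (12.0 BTC, about the deposits minus a fee), right timing
    "cluster-A": [Tx(T0 + timedelta(hours=14), 6.0), Tx(T0 + timedelta(hours=20), 3.0),
                  Tx(T0 + timedelta(hours=30), 3.0)],
    # far too much value, and a third of its activity outside the window
    "cluster-B": [Tx(T0 + timedelta(hours=12), 12.0), Tx(T0 + timedelta(hours=40), 15.0),
                  Tx(T0 + timedelta(days=5), 20.0)],
    # right size, but ten days late: no overlap with the window at all
    "cluster-C": [Tx(T0 + timedelta(days=10), 12.0)],
}

if __name__ == "__main__":
    for name, cluster in CLUSTERS.items():
        print(name, cluster_score(HACKER_DEPOSITS, cluster))
    print("best match:", best_matching_cluster(HACKER_DEPOSITS, CLUSTERS))
```

A low score alone is not the “statistically unlikely to be coincidental” claim in the quote; that comes from comparing the winning score against the distribution of scores for unrelated clusters over the same window, which this example does not model.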

In an earlier phase, stolen cryptocurrency was routed through the now-defunct service Cryptomixer.io before being cashed out via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024. The more recent thefts in September 2025 saw approximately $7 million moved through Wasabi Wallet, with final withdrawals flowing to Audi6, another Russian exchange known for cybercriminal activity. Funds were reportedly being converted to traditional currency and withdrawn as recently as October 2025.

This extended “slow-drip wallet draining” campaign was possible because weak master passwords on many of the stolen vaults let the attackers brute-force them at leisure, and the secrets inside, including wallet seed phrases and exchange credentials, were never rotated after the breach. Changing a master password after the fact does not protect a copy that has already been stolen, since that copy remains encrypted under the old password; what closes the window is a master password strong enough to resist offline guessing, together with moving funds and rotating credentials once a vault is known to be exposed. The episode is a reminder to use strong, unique master passwords and to enable multi-factor authentication (MFA) wherever possible, bearing in mind that MFA protects logins to a service rather than the contents of a backup already in an attacker's hands. It also underscores the persistent threat posed by sophisticated cybercrime groups.
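
What “offline decryption” of a stolen backup looks like in practice, as an added example that is not part of the article or LastPass's code. The key derivation follows LastPass's published design (PBKDF2-HMAC-SHA256 keyed by the master password and salted with the username), but the iteration counts, the vault layout, the wordlist and the benchmark figures are assumptions constructed for the demo; in particular the HMAC “key check” stands in for the real oracle, which is whether AES-CBC decryption of the vault yields well-formed items.

```python
"""Offline cracking of a stolen password-vault backup (added example).

Models the attack path the article describes: the attacker already holds the
encrypted vault, so the only cost per guess is the key-derivation function.
Iteration counts, vault layout and wordlist are constructed assumptions.
"""
import hashlib
import hmac
import time
from typing import Iterable, Optional

# Assumed iteration counts: a low legacy value and the 100,100 default LastPass
# moved to in 2018. Both are illustrative, not any specific account's setting.
LEGACY_ITERATIONS = 5_000
MODERN_ITERATIONS = 100_100

# Constructed mini wordlist standing in for the multi-gigabyte lists attackers use.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!", "Welcome1"]

VAULT_HEADER = b"constructed-vault-header"  # known plaintext the check value covers


def derive_vault_key(master_password: str, username: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key: PBKDF2-HMAC-SHA256(password, salt=lowercased username)."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        username.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_vault_backup(master_password: str, username: str, iterations: int) -> dict:
    """Build a constructed 'stolen backup'.

    A real backup holds AES-256-CBC ciphertext and a correct key is recognised by
    whether decryption yields well-formed items. To keep this stdlib-only, that
    oracle is modelled as an HMAC check value over a known header. The salt
    (username) and the iteration count travel with the backup, as they did in
    the real breach, so the attacker needs nothing from the server.
    """
    key = derive_vault_key(master_password, username, iterations)
    return {
        "username": username,
        "iterations": iterations,
        "key_check": hmac.new(key, VAULT_HEADER, "sha256").digest(),
    }


def key_opens_vault(vault: dict, key: bytes) -> bool:
    """The attacker's offline oracle: does this candidate key verify the backup?"""
    expected = hmac.new(key, VAULT_HEADER, "sha256").digest()
    return hmac.compare_digest(expected, vault["key_check"])


def crack_offline(vault: dict, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate master password against the stolen backup.

    No server, no rate limit, no lockout, no MFA prompt: every guess costs
    exactly one PBKDF2 derivation at the vault's own iteration count.
    """
    for guess in candidates:
        key = derive_vault_key(guess, vault["username"], vault["iterations"])
        if key_opens_vault(vault, key):
            return guess
    return None


def guesses_per_second(iterations: int, sample: int = 5) -> float:
    """Measure this machine's single-core guess rate at a given iteration count."""
    start = time.perf_counter()
    for i in range(sample):
        derive_vault_key(f"bench-{i}", "bench@example.com", iterations)
    return sample / (time.perf_counter() - start)


def exhaustive_search_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every password of `length` over `charset_size` at `rate` guesses/s."""
    return (charset_size ** length) / rate


if __name__ == "__main__":
    weak = make_vault_backup("Summer2019!", "alice@example.com", LEGACY_ITERATIONS)
    strong = make_vault_backup("vivid-otter-lantern-quartz-93", "bob@example.com", MODERN_ITERATIONS)
    print("weak vault cracked with:", crack_offline(weak, COMMON_PASSWORDS))
    print("strong vault cracked with:", crack_offline(strong, COMMON_PASSWORDS))
    for iters in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
        rate = guesses_per_second(iters)
        days = exhaustive_search_seconds(26, 8, rate) / 86400
        print(f"{iters:>7} iterations: {rate:8.1f} guesses/s on one core; "
              f"8 lowercase letters exhaust in {days:,.0f} days")
```

The loop in `crack_offline` is the whole attack: a wordlist password on a low-iteration vault falls in a fraction of a second, a random passphrase on a 100,100-iteration vault is not in any list and the per-guess cost makes exhaustive search impractical. MFA never appears in that loop, because the attacker holding the backup never logs in; the only two levers the user controls are master-password strength and, where the product exposes it, the iteration count. The single-core figures printed by the benchmark are for intuition only; GPU crackers run PBKDF2-SHA256 orders of magnitude faster.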

The repercussions of the 2022 breach continue for LastPass as well. In December 2025, the UK’s Information Commissioner’s Office (ICO) fined the company £1.2 million ($1.6 million) for security failures that compromised an estimated 1.6 million UK users. The regulator noted that master passwords were never held by LastPass and existed only on users’ own devices, which limited but did not eliminate the potential for threat actors to decrypt customer credentials.

(Source: InfoSecurity Magazine)
