Recent findings from TRM Labs reveal that encrypted vault backups compromised in the 2022 LastPass data breach have been exploited by cybercriminals to access crypto assets, particularly due to the use of weak master passwords. This criminal activity has reportedly persisted into late 2025, raising alarms in cybersecurity circles.
Investigations indicate potential involvement of Russian cybercriminal elements, with substantial movement of funds traced to Russian exchanges as recently as October. TRM Labs specified that this conclusion stems from a thorough examination of the evidence, including repeated connections to Russian infrastructure, consistent patterns of control over the mixed assets, and the reliance on high-risk exchanges that function as off-ramps for illicit financial activity.
In December 2022, LastPass experienced a significant breach that allowed unauthorized access to sensitive user information, including encrypted password vaults holding critical data such as cryptocurrency private keys and seed phrases. This long-standing incident has prompted renewed scrutiny of the company's security practices, particularly given that the U.K. Information Commissioner's Office (ICO) recently levied a $1.6 million fine against LastPass for inadequate security measures.
In light of the breach, the company had previously warned that attackers could use brute-force techniques to crack weak master passwords and decrypt the stolen vaults. Recent data from TRM Labs corroborates this, highlighting a troubling trend in which attackers exploited weak master passwords to siphon digital assets over several years.
TRM Labs notes that any vault secured by a weak master password remains vulnerable to offline decryption, because the attackers hold the encrypted data and can keep guessing indefinitely, so the window for cracking and asset theft never closes. The findings illustrate a dire situation for those who neglected to change their passwords or strengthen their vault security after the breach; reports indicate substantial losses occurring as late as 2025.
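The point above, that a stolen vault can be attacked offline with no rate limit, is easiest to see in numbers. The following is an added illustration, not LastPass's code or anything published by TRM Labs: a toy vault-key derivation using PBKDF2-HMAC-SHA256 from the Python standard library, plus a defender's estimate of how long an offline guessing attack would be expected to take for a given master password. The iteration count, the attacker's assumed hash rate, the assumed leaked-password list size and the small common-password set are all illustrative assumptions, not figures from the article.

```python
"""Added example: why a weak master password leaves an encrypted vault open to
offline decryption, and how key-stretching parameters change the attacker's cost.
Not LastPass code; every parameter below is an assumption chosen for illustration."""
import hashlib
import hmac
import math
import os

# Assumed key-derivation and attacker parameters (illustrative, not from the article).
KDF_ITERATIONS = 100_000            # PBKDF2-HMAC-SHA256 rounds per guess
ASSUMED_ATTACKER_HASH_RATE = 1e9    # SHA-256 evaluations per second on a cracking rig (assumed)
ASSUMED_WORDLIST_SIZE = 10_000_000  # size of the leaked-password list an attacker tries first (assumed)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a leaked-password list; a real check would consult a full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "sunshine", "iloveyou"}


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into the 256-bit key that would encrypt the vault.
    Every extra iteration multiplies the attacker's per-guess cost by the same
    factor it multiplies the legitimate user's unlock cost."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def unlock_matches(master_password: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison of a freshly derived key against the stored one."""
    return hmac.compare_digest(derive_vault_key(master_password, salt), expected_key)


def estimate_entropy_bits(password: str) -> float:
    """Rough guess-space estimate. A password on a leaked list is worth only
    log2(list size) bits regardless of length; otherwise use the character-class
    upper bound, which overstates the strength of real human-chosen passwords."""
    if password.lower() in COMMON_PASSWORDS:
        return math.log2(ASSUMED_WORDLIST_SIZE)
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def expected_crack_seconds(entropy_bits: float, iterations: int = KDF_ITERATIONS,
                           hash_rate: float = ASSUMED_ATTACKER_HASH_RATE) -> float:
    """Expected time to reach the right guess offline: half the guess space on
    average, each guess costing `iterations` hash evaluations. The stolen vault
    itself is the oracle, so no server-side lockout or rate limit applies."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hash_rate


def master_password_is_adequate(password: str, min_years: float = 100.0,
                                iterations: int = KDF_ITERATIONS) -> bool:
    """Defender's check: would the expected offline attack outlast `min_years`?"""
    seconds = expected_crack_seconds(estimate_entropy_bits(password), iterations)
    return seconds >= min_years * SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)  # per-vault salt; stored alongside the ciphertext in a real design
    for pw in ("sunshine", "abc123", "correct horse battery staple 2022!"):
        bits = estimate_entropy_bits(pw)
        years = expected_crack_seconds(bits) / SECONDS_PER_YEAR
        print(f"{pw!r}: ~{bits:.1f} bits, expected offline crack ~{years:.2e} years, "
              f"adequate={master_password_is_adequate(pw)}")
    key = derive_vault_key("correct horse battery staple 2022!", salt)
    print("unlock check:", unlock_matches("correct horse battery staple 2022!", salt, key))
```

Under these assumptions a password from a leaked list falls in minutes and a short alphanumeric one in about a day, while a long passphrase stays out of reach; raising the iteration count scales the attacker's cost linearly, but it cannot rescue a password whose guess space is tiny to begin with, which is why rotating a weak master password (and any secrets stored under it) after a vault theft matters more than any server-side change.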
The links between the stolen cryptocurrency and Russian operatives can be traced back to notorious exchanges integrated into the Russian cybercriminal ecosystem. A total of over $35 million in stolen digital assets has been accounted for, with approximately $28 million converted to Bitcoin and laundered via platforms like Wasabi Wallet, while another $7 million resurfaced through activities detected in September 2025.
Funds from the breach were traced through Cryptomixer.io and subsequently laundered via Cryptex and Audia6, two Russian exchanges historically tied to illicit transactions. Cryptex, for instance, was sanctioned by the U.S. in September 2024 for receiving ransomware-derived funds exceeding $51.2 million.
Despite the sophisticated techniques employed by the criminals, including CoinJoin methods aimed at obscuring financial trails, TRM Labs successfully dismantled the laundering network. The complex withdrawal patterns and observable operational behaviors enabled them to track the stolen funds back to their origins.
Ari Redbord, TRM Labs' global head of policy, emphasized the ramifications of the LastPass breach, illustrating how a single event can spiral into an extensive, multifaceted theft campaign. The case underscores cybercriminals' continuing reliance on high-risk exchanges as critical off-ramps and highlights the importance of advanced investigative techniques in addressing these ongoing threats.
