A major data breach at a leading password management provider in 2022 has enabled hackers to drain victims’ digital wallets of millions in crypto, according to TRM Labs.
The blockchain analytics company said it traced several waves of cryptocurrency theft in the months and years following the LastPass breach, attributing the efforts to Russian cybercriminals.
Backups of around 30 million customer password vaults were exposed in the incident, creating what TRM Labs described as a “long-tail risk” for more than 25 million users.
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” it warned.
Read more on LastPass breach: LastPass Hackers Stole Source Code
Although it admitted this was likely “only a fraction” of the full amount stolen, TRM claimed to have traced $28m stolen from 2024 to early 2025, and then a further $7m taken in September 2025.
Both phases converged on Russian cryptocurrency exchanges and infrastructure.
“In an earlier phase following the initial exploitation, stolen funds were routed through the now defunct Cryptomixer.io and off-ramped via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024,” TRM explained.
“In a subsequent wave identified in September 2025, TRM analysts traced approximately $7m in additional stolen funds through Wasabi Wallet, with withdrawals ultimately flowing to Audi6, another Russian exchange associated with cybercriminal activity.”
Funds were being converted to fiat currency and withdrawn via the exchange as recently as October 2025, the firm added.
Although the actors responsible used anonymization service CoinJoin to obfuscate the money trail, TRM was able to pick up the scent using demixing.
“Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental,” it said.
“Blockchain fingerprints observed prior to mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control.”
Lessons Learned
For digital wallet users, the incident is another reminder of the need for multi-factor authentication (MFA) and swift action following any potential password compromise.
“Slow-drip wallet draining” over the past three years was enabled by brute-forcing of password vaults, because LastPass users failed to change their master passwords.
The incident also underscores the persistent threats posed by Russian cybercrime actors.
In December 2025, LastPass was fined £1.2m ($1.6m) by the UK’s Information Commissioner’s Office (ICO) for security failings that led to the breach, which impacted an estimated 1.6 million UK users.
At the time, the regulator said that master passwords were stored locally on customer devices, limiting the potential for threat actors to decrypt customer credentials.
Image credit: Maor_Winetrob / Shutterstock.com
