LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

In 2022, LastPass experienced a significant hack that gave hackers access to its users' personal data. Bad actors have been able to exploit weak master passwords thanks to the encrypted vault backups that were taken from the 2022 data breach. Evidence suggests that Russian cybercriminals were involved in the activity; as recently as October, one of the Russian exchanges received funds connected to LastPass.

Between late 2024 and early 2025, $28 million of the $35 million in stolen digital assets were converted to Bitcoin and laundered through Wasabi Wallet. TRM Labs' analysis of the stolen funds revealed that they were routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges linked to illegal activity. money that has been stolen.

Despite using CoinJoin techniques to make it more difficult for external observers to trace the flow of funds, the company managed to demix the activity, revealing peeling chains and clustered withdrawals that directed mixed Bitcoin into the two exchanges. It's important to note that in September 2024, the U.S. Treasury Department sanctioned Cryptex for obtaining more than $51.2 million in illegal funds from ransomware attacks.

"This is a clear example of how a single breach can evolve into a multi-year theft campaign," stated TRM Labs' global head of policy Ari Redbord. "Russian high-risk exchanges are still vital conduits for international cybercrime. This example demonstrates why ecosystem-level analysis and demixing are now crucial instruments for attribution and enforcement," he continued.

The company also issued a warning at the time of the breach, stating that malicious actors might use brute-force methods to guess the master passwords and decrypt the stolen vault data.