TRM Traces Stolen Crypto From 2022 LastPass Breach – On-Chain Indicators Suggest Russian Cybercriminal Involvement

Key takeaways

  • TRM identified Russian cybercriminal infrastructure at various points in the laundering pipeline linked to the LastPass breach.
  • Unmixing revealed behavioral continuity: despite CoinJoin usage, TRM analysts linked pre- and post-mix activity to the same actors.
  • Laundered BTC flowed through high-risk Russian exchanges, including Cryptex.
  • The case highlights the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the decreasing efficiency of mixing.


In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of approximately 30 million customer vaults – encrypted containers holding users’ most sensitive digital credentials, including cryptocurrency private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master password, attackers were able to download them in bulk. This created a long-tail risk for more than 25 million users worldwide: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 hack into a multi-year window for attackers to silently crack passwords and drain assets over time.

New waves of wallet drains surfaced during 2024 and 2025, extending the impact of the breach far beyond its initial disclosure. By analyzing a recent batch of these drains, TRM analysts were able to trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat exits — with one of them receiving LastPass-linked funds as recently as October.

These findings provide a clear on-chain view of how the stolen assets are moved and monetized, helping to illuminate the pathways and infrastructure that support one of the most consequential breaches of the past decade. Based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control over pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as exits – TRM assesses that the activity is consistent with involvement by Russian cybercriminal actors.

Analysis of these thefts reveals two consistent indicators that point to possible Russian cybercrime involvement.

First, stolen funds were repeatedly laundered through infrastructure commonly associated with Russian cybercriminal ecosystems, including on- and off-ramps historically used by Russia-based threat actors. Second, intelligence related to the wallets interacting with mixers both before and after the mixing and washing process indicated operational ties to Russia, suggesting continuity of control rather than downstream reuse by unrelated actors.

While definitive attribution of the original intrusion cannot yet be confirmed, these signals, combined with TRM’s ability to demix activity at scale, highlight both the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the declining effectiveness of commingling as a reliable means of obfuscation.

What unmixing revealed

TRM identified a consistent on-chain signature across the thefts: stolen Bitcoin keys were imported into the same wallet software, producing shared transaction characteristics such as SegWit usage and Replace-by-Fee signalling. Non-Bitcoin assets were quickly converted into Bitcoin via instant exchange services, after which funds were transferred to single-use addresses and deposited into Wasabi Wallet. Using this pattern, TRM estimates that over USD 28 million worth of cryptocurrencies were stolen, converted to Bitcoin and laundered through Wasabi Wallet in late 2024 and early 2025.

Rather than trying to disentangle individual thefts in isolation, TRM analysts analyzed the activity as a coordinated campaign and identified clusters of Wasabi deposits and withdrawals over time. Using proprietary unmixing techniques, analysts matched the hackers’ deposits to a specific withdrawal group whose total value and timing closely matched the inflows, an alignment statistically unlikely to be coincidental.
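The two steps described above, wallet-software fingerprinting of the drain transactions and matching the resulting deposits to a CoinJoin withdrawal group by total value and timing, sketched as an added example; this is not TRM’s code or methodology, and the sample transactions, the 0.3% coordinator fee, the block window and the tolerance are all constructed assumptions:

```python
from dataclasses import dataclass
@dataclass
class Tx:
    txid: str
    sequences: list    # nSequence of each input
    out_types: list    # script type of each output, e.g. "p2wpkh"
    locktime: int
    height: int        # block height at which the tx confirmed
    value_btc: float   # amount sent to the mixer deposit address

BIP125_RBF_MAX = 0xFFFFFFFD  # an input opts in to RBF if nSequence <= this
def fingerprint(tx):
    # Construction choices that betray the wallet software: SegWit outputs,
    # RBF signalling and a non-zero locktime (anti-fee-sniping wallets set it).
    rbf = any(s <= BIP125_RBF_MAX for s in tx.sequences)
    segwit = any(t in ("p2wpkh", "p2wsh", "p2tr") for t in tx.out_types)
    return (segwit, rbf, tx.locktime != 0)

def cluster_by_fingerprint(txs):
    # Group txids that share a fingerprint: candidates for one wallet/operator.
    clusters = {}
    for tx in txs:
        clusters.setdefault(fingerprint(tx), []).append(tx.txid)
    return clusters

def match_withdrawal_group(deposits, groups, fee=0.003, window=1008, tol=0.01):
    # groups: (gid, total_btc, height). Pick the group confirmed after the last
    # deposit, within `window` blocks, whose total is within `tol` of the
    # deposits net of an assumed coordinator fee (fee and window are illustrative).
    total_in = sum(d.value_btc for d in deposits)
    last = max(d.height for d in deposits)
    expected = total_in * (1 - fee)
    best = None
    for gid, total, height in groups:
        if not (last < height <= last + window):
            continue
        rel = abs(total - expected) / expected
        if rel <= tol and (best is None or rel < best[1]):
            best = (gid, rel)
    return best[0] if best else None

# Constructed sample data (not from the article): two drains built by the same
# wallet software, one unrelated transaction and three candidate groups.
DRAINS = [
    Tx("a1", [0xFFFFFFFD], ["p2wpkh", "p2wpkh"], 870_000, 870_001, 12.0),
    Tx("a2", [0xFFFFFFFD, 0xFFFFFFFD], ["p2wpkh"], 870_100, 870_102, 8.5),
]
OTHER = Tx("b1", [0xFFFFFFFF], ["p2pkh"], 0, 870_050, 3.0)
GROUPS = [
    ("g-early", 20.4, 869_900),   # settled before the deposits
    ("g-match", 20.42, 870_250),  # total and timing line up
    ("g-far", 20.4, 872_000),     # outside the window
]
```

Real investigations weigh many more signals than three booleans and a single amount match; the point is that construction details and amount/timing alignment survive a CoinJoin even when address linkage does not.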

Blockchain fingerprints observed before commingling, combined with intelligence related to wallets after the commingling process, consistently pointed to Russia-based operational control. The continuity across premix and postmix stages strengthens confidence that the laundering activity was carried out by actors within, or closely linked to, the Russian cybercrime ecosystem.

Early Wasabi withdrawals occurred within days of the initial wallet drain, suggesting that the attackers themselves were responsible for the initial CoinJoin activity. Taken together, these findings demonstrate both the declining reliability of mixing as an obfuscation technique and the central role of demixing in revealing the structure and geography of large-scale illicit campaigns.

Russian exits as a reinforcing signal

Analysis of LastPass-linked laundering activity reveals two distinct phases that both converged on Russian exchanges. In an earlier phase after the initial exploit, stolen funds were sent through the now-defunct Cryptomixer.io and routed via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024. In a subsequent wave identified in September 2025, TRM analysts tracked approximately USD 7 million in additional stolen funds that passed through Wasabi Wallet before eventually flowing to another Russian exchange linked to cybercriminal activity.

Applying the same unmixing methodology across both time periods, TRM identified consistent laundering patterns, including clustered withdrawals and peel chains that fed mixed Bitcoin into these exchanges. The repeated use of Russian exchanges at the exit stage, combined with intelligence indicating Russia-based operational control both before and after mixing, suggests continuity in the laundering infrastructure rather than isolated or opportunistic use. Together, these findings indicate alignment with a persistent Russian cybercriminal ecosystem across multiple phases of the LastPass-related activity.

Why the Russian connection matters

The significance of likely Russian involvement extends beyond this single case. Russian high-risk exchanges and money laundering services have repeatedly served as critical exit points for globally distributed ransomware groups, sanctions evaders and other cybercriminal networks. Their role in the LastPass laundering pipeline underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.

This case also highlights how mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure and geographic ecosystems over time. Demixing allowed TRM to move beyond individual transactions and reveal the broader operational architecture, including where illicit value ultimately converges.


Frequently Asked Questions

1. What happened in the LastPass breach?

In 2022, a threat actor gained access to encrypted vault data stored by LastPass. Because many users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later, resulting in wallet drains as recent as late 2025.

2. Why is Russian involvement suspected?

TRM observed two consistent signals:

  • Pre- and post-mix wallet intelligence pointed to the same operator using Russian infrastructure.
  • Exits included several Russia-based exchanges, including one previously sanctioned for facilitating ransomware laundering.

3. What is demixing, and how has it helped?

Demixing refers to the process of parsing mixer (e.g. CoinJoin) activity to reassociate inputs and outputs at a group level. TRM disentangled Wasabi Wallet activity by analyzing:

  • Behavior patterns (e.g. wallet software features, transaction formatting)
  • Timing and amounts
  • Destination addresses with known ties to illicit ecosystems

This enabled linkage across waves of theft and over time, exposing centralized control.

4. How much crypto was stolen and laundered?

TRM has tracked more than USD 35 million, but this is probably only a fraction of the full picture:

  • USD 28 million unmixed from 2024 to early 2025 flows
  • USD 7 million from a September 2025 wave linked to additional Wasabi use

5. Why is this still happening three years later?

Many affected LastPass users failed to change or secure master passwords, and their vaults still contained private keys. As threat actors brute-force vaults over time, slow-drip wallet drains have become a recurring pattern.

6. What makes this case important?

This is a clear example of how:

  • Mixers do not provide true anonymity when infrastructure is reused.
  • Exit infrastructure remains the strongest attribution signal.
  • Illicit networks adapt but don’t disappear: when one service is sanctioned, another emerges.

7. How does TRM help?

TRM empowers analysts and investigators to:

  • Trace complex money laundering campaigns across years and chains
  • Demix CoinJoin transactions at scale
  • Map infrastructure reuse to known threat actor ecosystems
  • Surface attribution signals even when mixers are used


UnCirculars – Cutting through the noise, delivering unbiased crypto news
