LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds
In a chilling reminder of how cyber threats can linger for years, the LastPass 2022 breach has fueled a prolonged campaign of cryptocurrency thefts, with attackers siphoning off over $35 million in digital assets as recently as late 2025. Blockchain intelligence experts at TRM Labs have uncovered this disturbing pattern, linking the stolen funds to Russian cybercriminals who exploited weak master passwords to crack open encrypted vaults.
What Was the LastPass Breach?
Back in 2022, LastPass, one of the most popular password managers, fell victim to a sophisticated hack. Attackers gained access to customers’ encrypted password vaults—digital safes containing login credentials, website URLs, and crucially for crypto users, private keys and seed phrases for cryptocurrency wallets.
While the vaults were encrypted, they weren’t invincible. LastPass warned users at the time that hackers could use brute-force attacks to guess master passwords, especially weak ones like “password123” or simple variations. Fast-forward to today, and TRM Labs’ investigation confirms those fears were well-founded.
“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time.”
The breach’s impact didn’t end in 2022. As users neglected to update their master passwords or enhance security, cybercriminals patiently worked in the shadows, cracking vaults years later and emptying crypto wallets.
TRM Labs Traces $35 Million in Stolen Crypto
TRM Labs, a leader in blockchain forensics, pieced together the thefts using advanced on-chain analysis. Here’s what they found:
- $28 million in assets converted to Bitcoin and laundered through Wasabi Wallet between late 2024 and early 2025.
- Another $7 million tied to a fresh wave of thefts in September 2025.
- Funds routed via mixers like Cryptomixer.io and CoinJoin techniques to obscure trails.
- Off-ramped through high-risk Russian exchanges such as Cryptex and Audia6.
Cryptex, notably, was slapped with U.S. Treasury sanctions in September 2024 after receiving over $51.2 million from ransomware attacks. Despite sophisticated mixing, TRM Labs demixed the transactions by spotting patterns like clustered withdrawals and “peeling chains”—where small amounts are peeled off mixed funds to reveal connections.
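The peeling-chain pattern mentioned above can be followed mechanically. The sketch below is an added example, not TRM Labs' method or tooling: a simplified heuristic run over constructed transactions, where the addresses, amounts, and the 20% peel threshold are all assumptions.

```python
# Constructed sample data: (txid, spending address, [(output address, satoshis), ...]).
# Addresses are placeholders; each transaction is simplified to a single input address.
TXS = [
    ("t1", "mixer_out", [("exchange_A", 50_000_000), ("change_1", 950_000_000)]),
    ("t2", "change_1", [("exchange_A", 40_000_000), ("change_2", 910_000_000)]),
    ("t3", "change_2", [("change_3", 850_000_000), ("exchange_B", 60_000_000)]),
    ("t4", "change_3", [("exchange_A", 50_000_000), ("change_4", 800_000_000)]),
    ("t5", "unrelated", [("payee_1", 100_000_000), ("payee_2", 110_000_000)]),
]


def follow_peel_chain(txs, start, max_peel_ratio=0.2):
    """Walk forward from `start`, recording the small output of each hop.

    A hop qualifies when the spend has exactly two outputs and the smaller one
    (the peel) is at most `max_peel_ratio` of the total; the larger output is
    treated as change and followed to the next transaction.
    """
    spend_by_input = {src: (txid, outs) for txid, src, outs in txs}
    hops, addr, seen = [], start, set()
    while addr in spend_by_input and addr not in seen:  # `seen` guards against loops
        seen.add(addr)
        txid, outs = spend_by_input[addr]
        if len(outs) != 2:
            break
        (peel_addr, peel_amt), (chg_addr, chg_amt) = sorted(outs, key=lambda o: o[1])
        if peel_amt > max_peel_ratio * (peel_amt + chg_amt):
            break  # roughly even split: an ordinary payment, not a peel
        hops.append((txid, peel_addr, peel_amt))
        addr = chg_addr
    return hops


def peel_destinations(hops):
    """Total peeled value per destination; repeated destinations link the hops."""
    totals = {}
    for _txid, dest, amount in hops:
        totals[dest] = totals.get(dest, 0) + amount
    return totals


if __name__ == "__main__":
    chain = follow_peel_chain(TXS, "mixer_out")
    print(len(chain), "hops:", peel_destinations(chain))
```

On the sample data the walk finds four hops, three of which pay the same destination; that repetition is the kind of connection the paragraph above describes.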
Russian Cybercriminals: The Prime Suspects
Evidence strongly implicates Russian actors. TRM Labs cites:
- Repeated interactions with Russia-linked infrastructure.
- Continuity of wallet control before and after mixing.
- Consistent use of Russian exchanges for cashing out illicit funds.
One exchange even received LastPass-linked funds as late as October 2025. Ari Redbord, TRM Labs’ global head of policy, emphasized: “This is a clear example of how a single breach can evolve into a multi-year theft campaign. Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.”
Russian high-risk exchanges remain hotspots for global cybercrime off-ramps, underscoring why tools like demixing and ecosystem analysis are vital for law enforcement.
LastPass Faces $1.6 Million Fine
The fallout continues. Earlier this month, the U.K.’s Information Commissioner’s Office (ICO) fined LastPass $1.6 million for inadequate security measures that enabled the breach. Regulators criticized the company for not implementing robust enough protections, highlighting a broader industry need for stronger safeguards in password managers.
Why Weak Master Passwords Are a Crypto Killer
Password managers like LastPass rely on a single master password to encrypt everything. If it’s weak—short, common words, no special characters—brute-force tools can crack it offline without alerting anyone.
For crypto users, this is catastrophic. Private keys and seed phrases grant full wallet access. Once decrypted, thieves transfer funds silently, often in small batches to avoid detection.
Key Insight: The average brute-force attack can guess millions of passwords per second on modern hardware. A 12-character passphrase with mixed case, numbers, and symbols takes years to crack—use that as your benchmark.
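To put numbers on that benchmark, the following added example (not from the original article or from LastPass) estimates the average offline search time for a master password. The guess rate of one million per second, the tiny constructed weak-password list, and the word-list model for passphrases are assumptions; the real rate depends on the vault's key-derivation cost and the attacker's hardware.

```python
import math
import string

# Constructed sample of known-weak passwords; a real check would use a breach corpus.
COMMON = {"password123", "123456", "qwerty", "letmein"}
DICEWARE_WORDS = 7776  # size of the standard Diceware word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw):
    """Alphabet size the attacker must cover, from the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33  # ASCII punctuation plus space
    return size


def entropy_bits(pw):
    """Conservative search-space estimate in bits."""
    if not pw or pw.lower() in COMMON:
        return 0.0  # found on the first dictionary pass
    bits = len(pw) * math.log2(charset_size(pw))
    words = pw.split()
    if len(words) >= 2 and all(w.isalpha() for w in words):
        # A passphrase is searched word by word, not character by character.
        bits = min(bits, len(words) * math.log2(DICEWARE_WORDS))
    return bits


def years_to_crack(pw, guesses_per_second=1e6):
    """Average time to hit pw: half the search space at the assumed guess rate."""
    return (2 ** entropy_bits(pw) / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for sample in ("password123", "Tr7!kQ9#zLp2", "correct horse battery staple"):
        for rate in (1e6, 1e9):
            print(f"{sample!r} at {rate:.0e}/s: {years_to_crack(sample, rate):.3g} years")
```

The sample passwords are illustrative only. Raising the assumed rate from 1e6 to 1e9 guesses per second cuts every estimate by a factor of 1,000, which is why the key-derivation cost matters as much as the password.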
Lessons for Crypto Users: Protect Yourself Now
This saga offers critical takeaways to safeguard your assets:
- Use a strong, unique master password: At least 16 characters, passphrase-style (e.g., “correct horse battery staple” + numbers).
- Enable multi-factor authentication (MFA): Even on your password manager.
- Rotate credentials regularly: Change master passwords and crypto seed phrases post-breach news.
- Opt for hardware wallets: Keep private keys offline—don’t store them in software vaults.
- Monitor on-chain activity: Tools like blockchain explorers or services from TRM Labs can alert you to suspicious transfers.
- Avoid risky exchanges: Steer clear of sanctioned platforms for withdrawals.
Pro Tip: Consider migrating to password managers with zero-knowledge architecture and audited security, and always pair them with hardware security modules for high-value crypto holdings.
The Bigger Picture: Evolving Cyber Threats in Crypto
The
Blockchain forensics is closing the gap. Firms like TRM Labs use AI-driven pattern recognition to unmask hidden trails, aiding sanctions and recoveries. Yet, as agentic AI accelerates attacks, defenses must evolve with zero-trust models and real-time monitoring.
Redbord warns: “Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”
Conclusion: Don’t Let History Repeat
The
Crypto’s promise of financial freedom hinges on security. In a world of persistent hackers, the best defense is proactive protection. What’s your master password strength? Test it today and sleep better tonight.
















