TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement
Key takeaways
- TRM identified Russian cybercriminal infrastructure at multiple points in the laundering pipeline linked to the LastPass breach.
- Demixing revealed behavioral continuity – despite CoinJoin use, TRM analysts linked pre- and post-mix activity to the same actors.
- Laundered BTC flowed through high-risk Russian exchanges Cryptex and Audia6.
- This case underscores both the operational resilience of cybercrime ecosystems and the diminishing effectiveness of mixing.
In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of roughly 30 million customer vaults — encrypted containers holding users’ most sensitive digital credentials, including crypto private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master password, attackers were able to download them in bulk. That created a long-tail risk for more than 25 million users globally: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time.
New waves of wallet drains have surfaced throughout 2024 and 2025, extending the breach’s impact far beyond its initial disclosure. By analyzing a recent cluster of these drains, TRM analysts were able to trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October.
These findings offer a clear on-chain view of how the stolen assets are being moved and monetized, helping illuminate the pathways and infrastructure supporting one of the most consequential credential breaches of the last decade. Based on the totality of on-chain evidence — including repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps — TRM assesses that the activity is consistent with involvement by Russian cybercriminal actors.
Analysis of these thefts reveals two consistent indicators that point toward possible Russian cybercrime involvement.
- First, stolen funds were repeatedly laundered through infrastructure commonly associated with Russian cybercriminal ecosystems, including off-ramps historically used by Russia-based threat actors.
- Second, intelligence linked to the wallets interacting with mixers both before and after the mixing and laundering process indicated operational ties to Russia, suggesting continuity of control rather than downstream reuse by unrelated actors.
While definitive attribution of the original intrusion cannot yet be confirmed, these signals, combined with TRM’s ability to demix activity at scale, highlight both the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the diminishing effectiveness of mixing as a reliable means of obfuscation.
What demixing revealed
TRM identified a consistent on-chain signature across the thefts: stolen Bitcoin keys were imported into the same wallet software, producing shared transaction traits such as SegWit usage and Replace-by-Fee. Non-Bitcoin assets were quickly converted into Bitcoin via instant swap services, after which funds were transferred into single-use addresses and deposited into Wasabi Wallet. Using this pattern, TRM estimates that more than USD 28 million in cryptocurrency was stolen, converted to Bitcoin, and laundered through Wasabi in late 2024 and early 2025.
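As an added illustration of the on-chain signature described above (example code written for this page, not TRM's tooling), the following Python flags transactions that combine the named traits: SegWit inputs, Replace-by-Fee signalling, a single-use staging address, and a deposit into a known mixer address. The transaction records, addresses and txids are constructed sample data in a simplified shape; the mixer address set is a hypothetical watchlist.

```python
"""Flag transactions carrying the on-chain signature described above:
SegWit inputs, Replace-by-Fee signalling, a single-use staging address
and a deposit into a known mixer address.

Added illustration, not TRM's tooling. Records are constructed sample
data in a simplified shape: each tx lists inputs (address, nSequence)
and outputs (address, sats). Addresses and txids are made up.
"""
from collections import Counter

# BIP125: an input opts in to RBF when its nSequence is below 0xfffffffe.
RBF_MAX_SEQUENCE = 0xFFFFFFFE
NO_RBF = 0xFFFFFFFF
RBF = 0xFFFFFFFD

# Hypothetical mixer deposit watchlist (constructed, not a real coordinator address).
MIXER_ADDRS = {"bc1qmixer_deposit_constructed"}

# Constructed transaction graph.
SAMPLE_TXS = [
    # Victim wallet (imported keys) sweeps to a fresh staging address.
    {"txid": "tx1", "inputs": [{"address": "bc1qvictim_constructed", "sequence": RBF}],
     "outputs": [{"address": "bc1qstage1_constructed", "sats": 50_000_000}]},
    # Staging address is spent once, into the mixer: the pattern of interest.
    {"txid": "tx2", "inputs": [{"address": "bc1qstage1_constructed", "sequence": RBF}],
     "outputs": [{"address": "bc1qmixer_deposit_constructed", "sats": 49_990_000}]},
    # Control: legacy address, no RBF signal; pays the mixer but does not match.
    {"txid": "tx3", "inputs": [{"address": "1LegacyConstructedAddr", "sequence": NO_RBF}],
     "outputs": [{"address": "bc1qmixer_deposit_constructed", "sats": 10_000_000}]},
    # Control: SegWit + RBF, but the input address is never funded in this set
    # and is reused in tx5, so it is not single-use.
    {"txid": "tx4", "inputs": [{"address": "bc1qreused_constructed", "sequence": RBF}],
     "outputs": [{"address": "bc1qmixer_deposit_constructed", "sats": 5_000_000}]},
    {"txid": "tx5", "inputs": [{"address": "bc1qreused_constructed", "sequence": RBF}],
     "outputs": [{"address": "bc1qmixer_deposit_constructed", "sats": 5_000_000}]},
]


def is_segwit_address(addr: str) -> bool:
    """Native SegWit (bech32/bech32m) mainnet addresses start with 'bc1'."""
    return addr.startswith("bc1")


def signals_rbf(tx: dict) -> bool:
    """True when any input's nSequence opts in to Replace-by-Fee (BIP125)."""
    return any(inp["sequence"] < RBF_MAX_SEQUENCE for inp in tx["inputs"])


def all_inputs_segwit(tx: dict) -> bool:
    return all(is_segwit_address(inp["address"]) for inp in tx["inputs"])


def single_use_addresses(txs) -> set:
    """Addresses funded exactly once and spent from exactly once within the set."""
    received, spent = Counter(), Counter()
    for tx in txs:
        for out in tx["outputs"]:
            received[out["address"]] += 1
        for inp in tx["inputs"]:
            spent[inp["address"]] += 1
    return {a for a in received if received[a] == 1 and spent[a] == 1}


def matches_signature(tx: dict, single_use: set, mixer_addrs: set) -> bool:
    """All four traits must hold for a transaction to match."""
    return (
        signals_rbf(tx)
        and all_inputs_segwit(tx)
        and all(inp["address"] in single_use for inp in tx["inputs"])
        and any(out["address"] in mixer_addrs for out in tx["outputs"])
    )


def flag_campaign_txs(txs, mixer_addrs) -> list:
    """Return txids matching the full signature, in input order."""
    single_use = single_use_addresses(txs)
    return [tx["txid"] for tx in txs if matches_signature(tx, single_use, mixer_addrs)]


if __name__ == "__main__":
    print(flag_campaign_txs(SAMPLE_TXS, MIXER_ADDRS))  # ['tx2']
```

On real data the address-reuse check needs the full funding history of each address, not just the transactions in a local batch; here the batch is the whole universe, which is why tx4's input is rejected as "never funded".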
Rather than attempting to demix individual thefts in isolation, TRM analysts analyzed the activity as a coordinated campaign, identifying clusters of Wasabi deposits and withdrawals over time. Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental.
Blockchain fingerprints observed prior to mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. The continuity across pre-mix and post-mix stages strengthens confidence that the laundering activity was conducted by actors operating within, or closely tied to, the Russian cybercrime ecosystem.
Early Wasabi withdrawals occurred within days of the initial wallet drains, suggesting that the attackers themselves were responsible for the initial CoinJoin activity. Taken together, these findings demonstrate both the diminishing reliability of mixing as an obfuscation technique and the central role of demixing in revealing the structure and geography of large-scale illicit campaigns.
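As an added illustration of the matching step described above (example code written for this page, not TRM's proprietary demixing method, which the post does not detail), the following Python scores candidate withdrawal clusters against a set of mixer deposits on the two criteria the post names, aggregate value and timing. The deposit and withdrawal flows are constructed sample data, and the fee tolerance and lag window are assumed thresholds.

```python
"""Score candidate withdrawal clusters against a set of mixer deposits by
aggregate value and timing. Added illustration of the reasoning described
above, not TRM's proprietary method; all flows below are constructed and
the thresholds are assumptions. Amounts in BTC, times in Unix seconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    address: str
    btc: float
    ts: int  # Unix seconds


DAY = 86_400
T0 = 1_700_000_000  # constructed reference time

# Constructed deposits into the mixer over three days, 10.0 BTC in total.
DEPOSITS = [
    Flow("bc1qdep1_constructed", 4.0, T0),
    Flow("bc1qdep2_constructed", 3.5, T0 + 1 * DAY),
    Flow("bc1qdep3_constructed", 2.5, T0 + 2 * DAY),
]

# Constructed candidate withdrawal clusters.
CLUSTERS = {
    # Totals 9.85 BTC within days of the last deposit: the plausible match.
    "A": [Flow("bc1qwdA1", 5.0, T0 + 3 * DAY),
          Flow("bc1qwdA2", 3.0, T0 + 4 * DAY),
          Flow("bc1qwdA3", 1.85, T0 + 6 * DAY)],
    # Right value, but withdrawn 38 days after the last deposit.
    "B": [Flow("bc1qwdB1", 9.9, T0 + 40 * DAY)],
    # Too little value to account for the deposits.
    "C": [Flow("bc1qwdC1", 6.0, T0 + 3 * DAY)],
    # One withdrawal precedes every deposit, so it cannot be these funds.
    "D": [Flow("bc1qwdD1", 5.0, T0 - DAY), Flow("bc1qwdD2", 4.95, T0 + 3 * DAY)],
}


def score_cluster(deposits, cluster, fee_tolerance=0.03, max_lag_days=14):
    """Return a score in [0, 1] for how well a cluster explains the deposits.

    Value: withdrawals should total the deposits minus coordinator and mining
    fees, i.e. a shortfall no larger than fee_tolerance (assumed 3%).
    Timing: no withdrawal may precede the first deposit, and the latest
    withdrawal must fall within max_lag_days (assumed 14) of the last deposit.
    """
    dep_total = sum(d.btc for d in deposits)
    wd_total = sum(w.btc for w in cluster)
    if dep_total == 0 or wd_total > dep_total:
        return 0.0  # withdrawals cannot exceed what went in
    shortfall = (dep_total - wd_total) / dep_total
    if shortfall > fee_tolerance:
        return 0.0
    value_score = 1 - shortfall / fee_tolerance

    first_dep = min(d.ts for d in deposits)
    last_dep = max(d.ts for d in deposits)
    if any(w.ts <= first_dep for w in cluster):
        return 0.0
    # Withdrawals between first and last deposit are allowed (partial early
    # withdrawals); only lag beyond the last deposit counts against the cluster.
    worst_lag = max(max((w.ts - last_dep) / DAY for w in cluster), 0.0)
    if worst_lag > max_lag_days:
        return 0.0
    timing_score = 1 - worst_lag / max_lag_days
    return round(0.5 * value_score + 0.5 * timing_score, 3)


def best_matching_cluster(deposits, clusters, min_score=0.5):
    """Return (cluster_name, score) for the top-scoring cluster, or (None, score)
    when no cluster clears min_score."""
    ranked = sorted(((score_cluster(deposits, c), name) for name, c in clusters.items()),
                    reverse=True)
    top_score, top_name = ranked[0]
    return (top_name, top_score) if top_score >= min_score else (None, top_score)


if __name__ == "__main__":
    for name, cluster in CLUSTERS.items():
        print(name, score_cluster(DEPOSITS, cluster))
    print(best_matching_cluster(DEPOSITS, CLUSTERS))  # ('A', 0.607)
```

The two criteria are deliberately multiplicative in effect: a cluster that fails either the value or the timing gate scores zero regardless of the other, which is what makes a surviving alignment of both unlikely to be coincidental when the candidate pool is large.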
Russian off-ramps as a reinforcing signal
Analysis of LastPass-linked laundering activity reveals two distinct phases that both converged on Russian exchanges. In an earlier phase following the initial exploitation, stolen funds were routed through the now-defunct Cryptomixer.io and off-ramped via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024. In a subsequent wave identified in September 2025, TRM analysts traced approximately USD 7 million in additional stolen funds through Wasabi Wallet, with withdrawals ultimately flowing to Audi6, another Russian exchange associated with cybercriminal activity.
Applying the same demixing methodology across both periods, TRM identified consistent laundering patterns, including clustered withdrawals and peeling chains that funneled mixed Bitcoin into these exchanges. The repeated use of Russian exchanges at the off-ramp stage, combined with intelligence indicating Russia-based operational control both before and after mixing, suggests continuity in the laundering infrastructure rather than isolated or opportunistic usage. Together, these findings point to alignment with a persistent Russian cybercriminal ecosystem across multiple phases of the LastPass-related activity.
Why the Russian connection matters
The significance of likely Russian involvement extends beyond this single case. Russian high-risk exchanges and laundering services have repeatedly served as critical off-ramps for globally dispersed ransomware groups, sanctions evaders, and other cybercriminal networks. Their role in the LastPass laundering pipeline underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.
This case also highlights how mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure and geographic ecosystems over time. Demixing allowed TRM to move beyond individual transactions and reveal the broader operational architecture, including where illicit value ultimately converges.
Frequently asked questions (FAQs)
1. What happened in the LastPass breach?
In 2022, a threat actor gained access to encrypted vault data stored by LastPass. As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later — leading to wallet drains as recently as late 2025.
2. Why is Russian involvement suspected?
TRM observed two consistent signals:
- Pre- and post-mix wallet intelligence pointed to the same operator using Russian infrastructure.
- Off-ramps included multiple Russia-based exchanges, including one previously sanctioned for facilitating ransomware laundering.
3. What is demixing, and how did it help?
Demixing refers to the process of analyzing mixer (e.g. CoinJoin) activity to re-associate inputs and outputs at a cluster level. TRM demixed Wasabi Wallet activity by analyzing:
- Behavioral patterns (e.g. wallet software traits, transaction formatting)
- Timing and amounts
- Destination addresses with known ties to illicit ecosystems
This enabled linkage across waves of theft and over time — exposing centralized laundering control.
4. How much crypto was stolen and laundered?
TRM traced over USD 35 million, but this is likely only a fraction of the full picture:
- USD 28 million demixed from 2024–early 2025 flows
- USD 7 million from a September 2025 wave linked to additional Wasabi usage
5. Why is this still happening three years later?
Many affected LastPass users failed to change or secure master passwords, and their vaults still contained private keys. As threat actors brute-force vaults over time, slow-drip wallet draining has become a recurring pattern.
6. What makes this case important?
This is a clear example of how:
- Mixers don't provide true anonymity when infrastructure is reused
- Off-ramp infrastructure remains the best attribution signal
- Illicit networks adapt, but don’t disappear — when one service is sanctioned, another emerges
7. How does TRM help?
TRM empowers analysts and investigators to:
- Trace complex laundering campaigns across years and chains
- Demix CoinJoin transactions at scale
- Map infrastructure reuse to known threat actor ecosystems
- Surface attribution signals even when mixers are used