
The blockchain intelligence firm TRM Labs reports that encrypted vault backups taken during the 2022 breach of LastPass remain a source of cryptocurrency theft, as attackers continue decrypting vaults protected by weak master passwords, with activity extending into 2025.
How The 2022 Breach Created A Multi-Year Risk
TRM Labs said hackers accessed encrypted backups of roughly 30 million LastPass vaults during the 2022 incident. The vaults contained sensitive credentials, including cryptocurrency private keys. According to the firm, the encryption itself was not the primary weakness. Instead, users who relied on weak master passwords left their vaults vulnerable to offline cracking, allowing attackers to decrypt data long after the initial breach.
TRM analysts described this exposure as a multi-year risk rather than a one-time compromise. Once decrypted, attackers could access stored wallet keys and credentials at their own pace, enabling delayed theft that was not immediately visible after the breach became public.
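The offline-cracking risk described above, as an added illustration that is not part of the TRM report or this article: the vault key is modelled as PBKDF2-HMAC-SHA256 over the master password with the account e-mail as salt (an assumed scheme for the demo), and the iteration counts, e-mail and password values are constructed, not taken from any real account.

```python
"""Why a weak master password turns a stolen encrypted vault into a multi-year risk."""
import hashlib
import itertools
import string
import time
from typing import Iterable, Optional


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Assumed vault-key model: PBKDF2-HMAC-SHA256(password, salt=e-mail)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def recover_master_password(target_key: bytes, email: str, iterations: int,
                            candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a stolen vault: one local KDF call per candidate,
    no interaction with the service, so no rate limit or lockout applies."""
    for guess in candidates:
        if derive_vault_key(guess, email, iterations) == target_key:
            return guess
    return None


def expected_years(space: int, iterations: int, kdf_calls_per_second: float) -> float:
    """Average time to hit a uniformly chosen password from a space of `space`
    candidates, given the KDF throughput measured at `iterations` iterations."""
    seconds = (space / 2) / kdf_calls_per_second
    return seconds / (365.25 * 24 * 3600)


def measure_kdf_rate(iterations: int, samples: int = 20) -> float:
    """KDF calls per second on this machine, single core (scales ~1/iterations)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe{i}", "probe@example.com", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    email = "victim@example.com"   # constructed
    iters = 1_000                  # kept low so the demo finishes in seconds
    # Master password is a 4-digit PIN: 10^4 candidates, recovered almost at once.
    stolen_key = derive_vault_key("0042", email, iters)
    pins = ("".join(d) for d in itertools.product(string.digits, repeat=4))
    print("recovered master password:", recover_master_password(stolen_key, email, iters, pins))
    rate = measure_kdf_rate(iters)
    print(f"{rate:,.0f} KDF calls/s at {iters} iterations on this machine")
    for label, space in (("4-digit PIN", 10 ** 4),
                         ("8 random lowercase letters", 26 ** 8),
                         ("4 random diceware words (7,776-word list)", 7776 ** 4)):
        print(f"{label}: ~{expected_years(space, iters, rate):.3g} years on one core")
```

Real accounts use far higher iteration counts than the demo, which slows every guess proportionally, but the ratio between the PIN and the diceware passphrase is what makes the vault safe or not once the backup is in an attacker's hands.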
Ongoing Wallet Drains And Laundering Activity Through 2025
The firm reported that wallet draining linked to the stolen LastPass data continued through 2024 and into 2025. TRM traced more than $28 million in cryptocurrency losses associated with the breach. The stolen assets were converted into Bitcoin and laundered during 2024 and 2025 using Wasabi Wallet.
Analysts identified consistent on-chain behaviors across the transactions. These included SegWit usage, Replace-by-Fee transactions, single-use addresses, and coordinated clusters of deposits and withdrawals. TRM said the repetition of these patterns over time pointed to continuity of wallet control rather than isolated or opportunistic thefts.
Indicators Of Russian Cybercrime Infrastructure
TRM reported repeated routing of funds through mixers and off-ramps associated with Russian cybercrime activity. Stolen funds were repeatedly cashed out through Russia-based exchanges, including Cryptex and Audi6. The firm also identified the use of infrastructure commonly associated with Russian cybercriminal operations.
While TRM said it cannot definitively attribute the original LastPass intrusion, it noted that the laundering phase shows alignment with a broader Russian cybercriminal ecosystem. The report stated that high-risk Russian exchanges and laundering services have repeatedly served as off-ramps for ransomware groups, sanctions evaders, and other illicit networks. In the LastPass case, TRM said these services again played a central role, even as enforcement pressure has increased in other regions.
Regulatory scrutiny linked to the breach has continued. Earlier this month, the UK Information Commissioner’s Office fined LastPass £1.2 million, about $1.6 million, citing inadequate security measures that failed to prevent the 2022 breach.
