LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

A data breach that hit password manager LastPass in 2022 is still generating financial fallout, with millions of dollars in cryptocurrency stolen as recently as late 2025, according to a new report from blockchain intelligence firm TRM Labs.

The findings reveal that cybercriminals have been exploiting encrypted password vault backups taken during the breach, cracking accounts protected by weak master passwords and quietly draining digital assets over several years. Investigators say the activity shows strong links to Russian cybercrime networks.


Weak Passwords Enabled Long-Term Exploitation

LastPass confirmed in 2022 that attackers accessed sensitive customer data, including encrypted vault backups containing login credentials and, in some cases, cryptocurrency private keys and recovery phrases. Although the data was encrypted, security experts warned at the time that vaults protected by weak master passwords could eventually be cracked through offline brute-force attacks.

TRM Labs now says that scenario has played out.

“Vaults secured with weak master passwords essentially turned a single breach into a multi-year opportunity for theft,” the firm said. “As long as users failed to update passwords or strengthen security, attackers could continue unlocking vaults and draining wallets years later.”

According to the report, some of the most recent thefts linked to the breach occurred in late 2025.


Millions in Stolen Crypto Traced

TRM Labs estimates that more than $35 million in digital assets has been siphoned through these attacks so far. Of that total:

  • Around $28 million was converted into Bitcoin and laundered between late 2024 and early 2025
  • An additional $7 million was linked to a later wave of thefts detected in September 2025

Investigators say the stolen funds were routed through cryptocurrency mixers, including Cryptomixer.io, and later sent to exchanges with a history of illicit activity.


Evidence Points to Russian Cybercriminal Networks

The analysis found repeated connections to infrastructure and exchanges commonly associated with Russian cybercrime. Two exchanges in particular—Cryptex and Audia6—were identified as key off-ramps used to convert stolen cryptocurrency into cash.

Cryptex was sanctioned by the U.S. Treasury Department in 2024 for allegedly handling tens of millions of dollars tied to ransomware and other criminal operations.

Despite efforts to conceal the money trail using privacy-enhancing techniques such as CoinJoin, TRM Labs said it was able to reconstruct transaction flows by identifying behavioral patterns, clustered withdrawals, and reuse of infrastructure.

“Even when mixers are involved, consistent operational behavior can expose who’s behind the activity,” said Ari Redbord, TRM Labs’ global head of policy. “This case highlights why advanced blockchain analysis is increasingly critical for attribution and enforcement.”


Regulatory and Industry Fallout

The breach continues to carry consequences for LastPass. Earlier this month, the company was fined £1.6 million (about $2 million) by the U.K. Information Commissioner’s Office for failing to implement adequate security controls before the 2022 incident.

Cybersecurity experts say the case underscores the long-term risks of weak password practices and the lasting damage a single breach can cause—especially when sensitive financial credentials are involved.


A Cautionary Tale for Users

TRM Labs describes the incident as a clear example of how delayed security hygiene can amplify harm.

“This wasn’t a one-time theft,” the firm said. “It was a slow, persistent campaign that succeeded because compromised data remained valuable for years.”

Security professionals continue to urge users of password managers to choose strong, unique master passwords, enable multifactor authentication, and rotate sensitive credentials—especially for cryptocurrency accounts.


Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.