Blockchain investigators at TRM Labs have traced $35 million in cryptocurrency stolen from LastPass password manager users to Russian cybercriminal infrastructure.
The analysis reveals how attackers converted stolen digital assets through mixing services and eventually funneled them to high-risk Russian exchanges, providing a rare on-chain window into the monetization pipeline of one of the decade’s most significant credential breaches.
The LastPass Breach: A Long-Tail Threat
The 2022 LastPass intrusion exposed encrypted vaults belonging to roughly 30 million users. The vaults were encrypted under keys derived from each user's master password, but because attackers downloaded the ciphertext in bulk, they could guess master passwords offline, with no rate limiting or lockout, for as long as they cared to keep trying.
Weak master passwords therefore enabled offline decryption, turning a single incident into a multi-year window for credential theft.
Throughout 2024 and 2025, new waves of wallet drains confirmed that attackers were successfully compromising vault access and stealing cryptocurrency stored in users’ digital wallets.
TRM analysts identified a consistent pattern across the thefts. Stolen Bitcoin private keys were imported into the same wallet software, leaving a shared transaction fingerprint, including consistent SegWit usage, that tied otherwise unrelated victims' funds to one operator.
Non-Bitcoin assets were rapidly converted to Bitcoin via instant swap services, then deposited into Wasabi Wallet, a privacy-focused wallet whose CoinJoin mixing is designed to break the link between deposits and withdrawals.
TRM estimates that more than $28 million in cryptocurrency was laundered through Wasabi in late 2024 and early 2025.
Rather than analyzing individual thefts in isolation, investigators examined the activity as a coordinated campaign.
Using proprietary demixing techniques, they matched hacker deposits to specific withdrawal clusters whose timing and aggregate value aligned too closely to be coincidental.
This methodology revealed behavioral continuity: despite CoinJoin mixing, the same actors controlled activity before and after obfuscation.
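The timing-and-value matching described above can be sketched in code. The following Python is an added example, not TRM Labs' proprietary demixing method: it takes a set of CoinJoin deposits attributed to the attacker and a set of post-mix withdrawals, and for each deposit looks for a small cluster of withdrawals inside a time window whose summed value falls just below the deposit, the shortfall being coordinator and mining fees. All transaction ids, amounts and timestamps are constructed, and the 48-hour window and 2% fee tolerance are assumptions chosen for the sample.

```python
"""Illustrative demixing heuristic: match CoinJoin deposits to withdrawal
clusters by timing and aggregate value.

Added example, not TRM Labs' tooling. Transaction ids, amounts and
timestamps are constructed; window and tolerance values are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Tx:
    txid: str
    sats: int          # value in satoshis; avoids float rounding on BTC amounts
    time: datetime


# Constructed deposits attributed to the attacker (hypothetical txids).
DEPOSITS = [
    Tx("dep-a", 1_250_000_000, datetime(2025, 9, 3, 10, 0)),   # 12.5 BTC
    Tx("dep-b", 400_000_000, datetime(2025, 9, 5, 8, 30)),     # 4.0 BTC
]

# Constructed post-mix withdrawals, including unrelated noise.
WITHDRAWALS = [
    Tx("wd-1", 500_000_000, datetime(2025, 9, 3, 14, 0)),
    Tx("wd-2", 740_000_000, datetime(2025, 9, 3, 15, 10)),
    Tx("wd-3", 200_000_000, datetime(2025, 9, 5, 12, 0)),
    Tx("wd-4", 195_000_000, datetime(2025, 9, 5, 13, 0)),
    Tx("wd-5", 3_000_000_000, datetime(2025, 9, 4, 9, 0)),     # too large: another user's coins
    Tx("wd-6", 30_000_000, datetime(2025, 9, 20, 9, 0)),       # outside the time window
]


def match_withdrawal_clusters(deposits, withdrawals, window_hours=48,
                              fee_tolerance=0.02, max_cluster=4):
    """Return {deposit txid: tuple of withdrawal txids} for every deposit that
    has a cluster of withdrawals, inside window_hours after it, whose summed
    value is at most fee_tolerance below the deposit. Withdrawals already
    claimed by an earlier deposit are not reused. Brute force over small
    clusters is fine for a demonstration, not for a whole block range."""
    matches = {}
    used = set()
    for dep in sorted(deposits, key=lambda t: t.time):
        candidates = [w for w in withdrawals
                      if w.txid not in used
                      and dep.time <= w.time <= dep.time + timedelta(hours=window_hours)]
        best = None
        for size in range(1, min(max_cluster, len(candidates)) + 1):
            for combo in combinations(candidates, size):
                # Shortfall must be non-negative (fees only) and small.
                shortfall = dep.sats - sum(w.sats for w in combo)
                if 0 <= shortfall <= dep.sats * fee_tolerance:
                    if best is None or shortfall < best[0]:
                        best = (shortfall, combo)
        if best is not None:
            ids = tuple(sorted(w.txid for w in best[1]))
            matches[dep.txid] = ids
            used.update(ids)
    return matches


if __name__ == "__main__":
    for dep, cluster in match_withdrawal_clusters(DEPOSITS, WITHDRAWALS).items():
        print(f"{dep} -> {cluster}")
```

On the constructed data the 12.5 BTC deposit pairs with the two withdrawals summing to 12.4 BTC the same afternoon, and the 4 BTC deposit with the 2.0 + 1.95 BTC pair, while the oversized and late withdrawals are left unmatched. Real tooling layers many further heuristics (address reuse, output types, fee rates) on top of this, which is why a single coincidental match proves little but a campaign-wide pattern of them does.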
Two distinct laundering phases converged on Russian exchanges. In the first phase, stolen funds flowed through Cryptomixer.io and exited via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024.
A subsequent wave in September 2025 routed approximately $7 million through Wasabi Wallet, with withdrawals ultimately reaching Audi6, another Russian exchange linked to cybercriminal activity.
Consistent patterns emerged across both periods: clustered withdrawals and peeling chains funneled mixed Bitcoin into these exchanges.
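A peeling chain is the other pattern named here: a run of transactions in which each spends the previous one's change, sends a small slice to a destination (an exchange deposit address, say) and carries the remainder forward as new change. The following Python traces such a chain and totals what was peeled off per attributed exchange. It is an added example, not TRM Labs' tooling; the transactions, addresses, amounts and the address-to-exchange attribution are all constructed, and the 4:1 change-to-peel ratio used to recognise a peel step is an assumption.

```python
"""Illustrative peeling-chain tracer.

Added example, not TRM Labs' tooling. All txids, addresses, amounts and the
exchange attribution below are constructed; the min_ratio heuristic is an
assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    address: str
    sats: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # (txid, vout) pairs this transaction spends
    outputs: tuple   # Output objects in vout order


# Constructed chain: three peel steps, then an even split that ends it.
SAMPLE_TXS = {t.txid: t for t in [
    Tx("t1", (("mix-out", 3),), (Output("chg-1", 9_000_000), Output("exch-A", 1_000_000))),
    Tx("t2", (("t1", 0),), (Output("exch-B", 800_000), Output("chg-2", 8_150_000))),
    Tx("t3", (("t2", 1),), (Output("chg-3", 7_300_000), Output("exch-A", 800_000))),
    Tx("t4", (("t3", 0),), (Output("x", 3_600_000), Output("y", 3_600_000))),
]}

# Hypothetical attribution of deposit addresses to exchanges.
KNOWN_DEPOSIT_ADDRESSES = {"exch-A": "exchange-1", "exch-B": "exchange-2"}


def peel_step(tx, min_ratio=4):
    """Return (change_output, peeled_output) if tx has the shape of one peel:
    exactly two outputs, the larger at least min_ratio times the smaller."""
    if len(tx.outputs) != 2:
        return None
    big, small = sorted(tx.outputs, key=lambda o: o.sats, reverse=True)
    if big.sats >= min_ratio * small.sats:
        return big, small
    return None


def follow_peeling_chain(txs, start_txid, max_len=100):
    """Walk from start_txid, always following the change output.
    Returns (txids in the chain, list of (address, sats) peeled off)."""
    spent_by = {inp: tx.txid for tx in txs.values() for inp in tx.inputs}
    chain, peels = [], []
    txid = start_txid
    while txid in txs and len(chain) < max_len:
        tx = txs[txid]
        step = peel_step(tx)
        if step is None:
            break                      # chain ends: not a peel shape
        change, peeled = step
        chain.append(txid)
        peels.append((peeled.address, peeled.sats))
        txid = spent_by.get((txid, tx.outputs.index(change)))
        if txid is None:
            break                      # change output not yet spent
    return chain, peels


def peeled_by_exchange(peels, attribution):
    """Aggregate peeled value per attributed exchange; unknown addresses
    are grouped under 'unattributed'."""
    totals = defaultdict(int)
    for address, sats in peels:
        totals[attribution.get(address, "unattributed")] += sats
    return dict(totals)


if __name__ == "__main__":
    chain, peels = follow_peeling_chain(SAMPLE_TXS, "t1")
    print("chain:", " -> ".join(chain))
    print("peeled per exchange:", peeled_by_exchange(peels, KNOWN_DEPOSIT_ADDRESSES))
```

The walk stops at the first transaction that does not look like a peel (here the even split in t4), which is the usual failure mode of the heuristic: a change output consolidated or split evenly ends the chain even if the same operator is still in control, so analysts cross-check with the deposit-side clustering rather than relying on chain shape alone.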
This repeated reliance on Russian off-ramps, combined with on-chain evidence of Russia-based operational control, suggests coordination rather than isolated usage.
This investigation demonstrates two critical insights. First, mixing services provide diminishing protection when threat actors depend on the same geographic infrastructure over time: demixing revealed the operational architecture beneath the obfuscation.
Second, Russian financial infrastructure continues to function as a systemic enabler of global cybercrime, facilitating ransomware groups, sanctions evaders, and other illicit networks.
The LastPass case illuminates how attackers monetize breach data and underscores the importance of blockchain intelligence in exposing the infrastructure supporting large-scale credential theft.