
Blockchain investigation company TRM Labs says ongoing cryptocurrency thefts have been traced to the 2022 LastPass breach, with attackers draining wallets years after the encrypted vaults were stolen and laundering the crypto through Russian exchanges.
In 2022, LastPass disclosed that attackers breached its systems by compromising a developer environment, stealing portions of the company's source code and proprietary technical information.
In a later but connected security incident, the hackers breached the cloud storage company GoTo using previously stolen credentials and stole LastPass database backups stored on the platform. For some customers, these encrypted password vaults contained not only credentials, but also cryptocurrency wallet private keys and seed phrases.
While the vaults were encrypted, users with old or reused master passwords were at risk of offline cracking, which is believed to have been ongoing since the breach.
“Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password,” warned LastPass when it disclosed the breach.
The link between the LastPass breaches and crypto thefts was further corroborated by the U.S. Secret Service, which in 2025 seized more than $23 million in cryptocurrency and said attackers had obtained victims' private keys by decrypting vault data stolen in a password manager breach.
In court filings, agents said there was no evidence the victims' devices had been compromised by phishing or malware, and that they believed the theft was linked to the stolen password vaults.
In a report published last week, TRM said that ongoing cryptocurrency theft attacks had been traced to the abuse of the encrypted LastPass password vaults stolen in 2022.
Rather than wallets being drained immediately after a breach, the thefts came in waves months or years later, illustrating how the attackers were progressively decrypting vaults and extracting stored credentials.
The affected wallets were drained using similar transaction methods, with no reports of a new attack, indicating the attacker possessed the private keys before the thefts.
“The linkage in the report is not based on direct attribution to individual LastPass accounts, but on correlating downstream on-chain activity with the known impact pattern of the 2022 breach,” TRM informed BleepingComputer.
“That created a scenario in which wallet drains would occur well after the original breach, rather than immediately, and in distinct waves.”
TRM told BleepingComputer its investigation was initially based on a small number of reports, including submissions to Chainabuse, in which users identified the LastPass breach as the way their wallets were stolen.
Researchers expanded their investigation by identifying cryptocurrency transaction behavior across other cases, linking the thefts to the LastPass data theft campaign.
TRM told BleepingComputer that a crucial part of their research was the ability to trace stolen funds even after they were mixed using Wasabi Wallet's CoinJoin feature.
CoinJoin is a Bitcoin privacy technique that combines transactions from multiple users into a single transaction, making it harder to determine which inputs correspond to which outputs.
Wasabi Wallet includes CoinJoin as a built-in feature, allowing users to automatically mix their Bitcoin with others to obfuscate transactions without relying on a separate mixing service.
After draining wallets, attackers converted the stolen crypto to Bitcoin, routed it through Wasabi Wallet, and attempted to hide their tracks using CoinJoin transactions.
However, TRM says it was able to “demix” the cryptocurrency sent through CoinJoin transactions by analyzing behavioral characteristics, such as transaction structure, timing, and wallet configuration choices.
“Rather than attempting to demix individual thefts in isolation, TRM analysts analyzed the process as a coordinated campaign, identifying clusters of Wasabi deposits and withdrawals over time. Using proprietary demixing methods, analysts matched the hackers' deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental.
Blockchain fingerprints observed before mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. The continuity across pre-mix and post-mix phases strengthens confidence that the laundering process was conducted by actors operating within, or closely tied to, the Russian cybercrime ecosystem.”
❖ TRM Labs
By treating the thefts as a coordinated campaign rather than individual compromises, TRM was able to match groups of Wasabi deposits with withdrawal patterns that corresponded to the crypto theft attacks stemming from the LastPass breach.
Early withdrawals after the wallet drains further indicate that the same threat actors who stole the funds were behind the mixing process.
Using this method, TRM estimates that more than $28 million in cryptocurrency was stolen and laundered through Wasabi Wallet in late 2024 and early 2025. A further $7 million was tied to a later wave of attacks in September 2025.
TRM says the funds were often cashed out through the same Russian-linked exchanges, including Cryptex and Audi6, further indicating that the same threat actors were behind these breaches.
