LastPass Hack: 35 million in crypto laundered by Russian hackers
By Hamza Ahmed

An investigation by TRM Labs reveals how Russian hackers laundered more than $35 million in cryptocurrency stolen from LastPass users.

According to an in-depth analysis published by the blockchain intelligence company TRM Labs, a coordinated group of Russian cyber criminals is allegedly responsible for the laundering of more than USD 35 million in cryptocurrency. These funds were systematically taken from LastPass users, following the notorious systems breach that occurred in 2022.

The report highlights that the attack was not an isolated event, but a years-long campaign to drain wallets. Despite the time elapsed since the initial breach, the researchers confirmed that the attackers continued to withdraw assets from the compromised 'vaults' until the end of 2025.

The money trail: from mixers to Russian platforms

The TRM Labs technical analysis unveiled a sophisticated money-laundering scheme. The criminals followed a precise protocol: initially, non-Bitcoin assets were converted into Bitcoin through instant exchange services. Subsequently, the funds were fed into mixing services such as Wasabi Wallet and CoinJoin.

These tools are designed to 'mix' the transactions of different users, making it theoretically impossible to trace the origin and final destination of the funds. However, in this case, the privacy technology showed its limits.

The turning point in the investigations: 'De-mixing'

The analysts at TRM Labs were able to perform a 'de-mixing' operation by decrypting the movements through so-called 'behavioral continuity analysis'. The experts identified a 'constant on-chain signature' that allowed them to link the various thefts to a single organised group.

By tracing specific fingerprints - such as how the wallet software imported private keys - the investigators 'unravelled' the mixing process. This made it possible to trace the flow of money to its final deposit on exchanges based in Russia.

Illicit infrastructures and international sanctions

The stolen money landed on platforms infamous to international authorities. Some $7 million was traced to Audi6, an exchange service operating in the Russian cybercrime ecosystem. Another substantial portion of the funds flowed through Cryptex, an exchange currently sanctioned by the US Office of Foreign Assets Control (OFAC) for its role in facilitating illicit transactions.

An analysis of the money laundering activities linked to LastPass reveals two distinct phases that both flowed to Russian exchanges. In an initial stage, following the original exploitation, stolen funds were routed through the now defunct Cryptomixer.io and converted to fiat currency via Cryptex, a Russian-based exchange sanctioned by OFAC in 2024, as stated by TRM in a report.
Source: "TRM Traces Stolen Crypto from 2022 LastPass Breach - On-Chain Indicators Suggest Russian Cybercriminal Involvement", TRM Blog.

The report points out that the wallets that interacted with the mixers showed "operational links" to Russia both before and after the laundering process. This detail suggests that the hackers were not simply using local infrastructure, but were operating directly from the region.

A wake-up call for global security

This story highlights the central role of Russian crypto platforms in supporting cybercrime on a global scale. By providing liquidity and exit routes (off-ramps) for stolen digital assets, these exchanges enable criminal groups to monetise data breaches while evading international law enforcement.

For LastPass users and the entire crypto community, the message is clear: past vulnerabilities can generate threats that drag on for years, making constant vigilance and proactive security measures essential.
