MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts

LastPass Breach Leads to Ongoing Crypto Theft – Cyberwarzone

Last updated: January 5, 2026 5:15 am
Published: 4 months ago

How long can hackers profit from a single breach? Years, it turns out. Blockchain investigation firm TRM Labs confirmed that ongoing cryptocurrency thefts trace directly to the 2022 LastPass breach — with attackers still draining wallets four years later through methodical vault cracking and money laundering.

The 2022 LastPass breach exposed encrypted password vaults containing not just credentials, but cryptocurrency private keys and seed phrases. While encryption protected the data initially, weak master passwords gave attackers a way in. Victims did not realize their wallets were at risk until their crypto disappeared.

TRM Labs’ investigation reveals a sobering reality: the LastPass breach represents a long-tail vulnerability. Attackers spend months or years cracking encrypted vaults offline. Once inside, they extract private keys and drain wallets methodically. The stolen funds then flow through cryptocurrency mixers like Wasabi Wallet and into Russian-linked exchanges. Over $35 million in cryptocurrency has been stolen and laundered since late 2024 through this single attack chain.

In 2022, attackers compromised LastPass developer systems and stole source code and technical documentation. The incident seemed contained at first, but the damage extended far deeper. Several months later, the same threat actors breached GoTo, a cloud storage firm, using credentials stolen during the initial LastPass compromise. This second breach provided access to LastPass database backups stored on GoTo’s platform.

LastPass vaults use encryption, but security depends on master password strength. Attackers can attempt offline cracking: they download the encrypted vault and try millions of password combinations locally without network detection. Users with weak or reused master passwords became vulnerable immediately. The LastPass breach exposed roughly 1.6 million users’ encrypted vaults, including crypto holdings.

TRM Labs discovered that once attackers crack a master password, they gain access to stored private keys and seed phrases. Many LastPass users stored cryptocurrency recovery information in their vaults for convenience. Attackers extract these keys and systematically drain associated wallets. The thefts occur months or years after the initial breach, making detection difficult.

TRM estimates over $28 million in cryptocurrency was stolen and laundered through Wasabi Wallet between late 2024 and early 2025. An additional $7 million was linked to thefts in September 2025. The U.S. Secret Service independently seized $23 million in crypto connected to the LastPass breach after court-authorized investigations confirmed victims’ accounts were compromised through vault data, not phishing or malware.

After draining wallets, attackers convert stolen cryptocurrency to Bitcoin and route funds through Wasabi Wallet’s CoinJoin mixing feature. CoinJoin combines multiple transactions into a single transaction to obscure which inputs correspond to which outputs. The technique aims to break the transaction trail and hide the theft’s origin. Stolen funds then move to Russian-linked cryptocurrency exchanges, including Cryptex and Audi6, for final conversion to cash.

The LastPass breach demonstrates that breach consequences extend far beyond initial disclosure. Attackers do not need to exploit wallets immediately. They can crack vaults gradually, extract keys over months or years, and drain funds when detection risk is low. This extended timeline defeats many incident response strategies that assume threats act quickly.

Users often store cryptocurrency recovery information (seed phrases and private keys) in password managers for backup purposes. This creates a critical vulnerability: a password manager breach equals cryptocurrency loss. The LastPass breach exposed this design flaw. Security experts now recommend hardware wallets or offline key storage, not cloud-based vaults.

Services like Wasabi Wallet offer privacy features designed for legitimate use. But they also enable criminals to hide stolen funds. TRM Labs’ breakthrough was analyzing CoinJoin transactions as a coordinated campaign rather than individual thefts. This approach revealed the attackers’ patterns and operational control. It shows that even mixing services leave forensic traces when attackers operate at scale.

The cryptocurrency flow through Russian-linked exchanges demonstrates how criminal infrastructure persists despite sanctions and enforcement efforts. Cryptex and Audi6 accepted millions in stolen funds without apparent resistance. This creates an incentive structure: attackers know they can eventually convert stolen cryptocurrency to cash through persistent channels.

LastPass customers suffered direct financial losses and subsequent regulatory consequences. The UK Information Commissioner’s Office fined LastPass over claims that the company failed to protect users’ data adequately. Users filed class-action lawsuits. Yet recovery remains difficult: stolen cryptocurrency transferred through mixers and converted to fiat currency is nearly impossible to track or recover once it reaches Russian exchanges.

Attackers obtain encrypted LastPass vaults from the 2022 breach or subsequent GoTo compromise. They download the vault data and run password-cracking tools locally. Modern graphics processors can test billions of password combinations per second. Weak master passwords (under 12 characters, common words) crack in hours or days. Even moderately complex passwords fall within months of compute time on cloud infrastructure.

Once a master password is cracked, the vault unlocks. Attackers extract all stored data: usernames, passwords, and critically, cryptocurrency private keys or seed phrases. Many users store wallet recovery information inside their vault, thinking the encryption provides sufficient protection. Attackers sort through extracted data, identifying cryptocurrency-related entries and targeting high-value wallets.

With cryptocurrency private keys in hand, attackers import the keys into their own wallets or use automated tools to access accounts. They identify wallet balances and execute withdrawals to attacker-controlled addresses. Transaction fees are deducted from victim wallets. Attackers prefer Bitcoin as the target currency because it offers pseudonymity and liquidity compared to emerging altcoins.

Wasabi Wallet’s CoinJoin feature accepts Bitcoin deposits and combines thousands of transactions from multiple users into a single batch. The output addresses appear unrelated to inputs. However, TRM Labs’ breakthrough was analyzing behavior at scale: attackers making coordinated deposits, consistent withdrawal timing, and aggregate value alignment. These behavioral patterns remain stable across mixing, allowing forensic attribution even after mixing completes.

Bitcoin exits Wasabi Wallet to Russian-linked exchanges (Cryptex, Audi6) where final conversion to rubles or other fiat currency occurs. These exchanges accept inflows at scale without detection. Some exchanges reportedly have weak KYC (know-your-customer) verification or operate from jurisdictions with limited regulatory oversight. Once converted to fiat, funds enter the conventional banking system where tracing becomes nearly impossible.

LastPass built its business on the promise of secure, centralized credential storage. The model appealed to consumers and enterprises: store one master password, synchronize credentials across devices, access accounts anywhere. Security audits and penetration tests reinforced the perception of trustworthiness. But the 2022 breach revealed critical weaknesses in the architecture and operational security that protected sensitive data.

The initial LastPass breach stemmed from a compromised developer environment, not a direct attack on production systems. Attackers obtained source code and technical documentation. LastPass disclosed the incident but downplayed customer impact, claiming user vaults remained encrypted and secure. Investigations later revealed the company’s incident response was slower than initially reported.

The connection to GoTo was crucial. Attackers used credentials stolen during the LastPass compromise to breach GoTo’s systems months later. From GoTo, they accessed LastPass database backups, obtaining full encrypted vault data for the customer base. This supply chain escalation mirrors recent attacks where initial access expands through connected systems.

TRM Labs’ approach combined blockchain analysis with cybersecurity intelligence. Rather than tracking individual victims, analysts studied on-chain transaction patterns: wallet drains, mixing activity, and exchange inflows correlated with known LastPass breach victims. Behavioral clustering identified coordinated activity that persisted even through CoinJoin mixing. This methodology demonstrates the limits of privacy-enhancing technologies against forensic analysis at scale.

The LastPass breach exposed a fundamental flaw: centralized storage of high-value secrets (cryptocurrency keys) creates catastrophic risk if the central system is breached. This mirrors risks in infrastructure code repositories and development environments where breaches expose multiple layers of organizational secrets. Security professionals now recommend decentralized key management and cold storage for cryptocurrency.

TRM Labs published detailed blockchain analysis in late December 2025 documenting the connection between the 2022 LastPass breach and ongoing cryptocurrency thefts. The report identified over $35 million in stolen and laundered funds. TRM shared findings with law enforcement and published forensic methodology, demonstrating how behavioral analysis defeats mixing services designed to obscure transaction origins.

The U.S. Secret Service independently seized $23 million in cryptocurrency connected to the LastPass breach. Court filings and press releases confirmed that victims’ wallets were compromised through stolen password vault data, not phishing campaigns or malware. The investigation concluded that stolen private keys extracted from LastPass vaults enabled direct wallet access without additional attack steps.

The UK Information Commissioner’s Office fined LastPass approximately £2.5 million ($3.1 million USD equivalent) for failing to protect customer data. The ICO found that LastPass’ security controls were inadequate given the sensitivity of stored information. Multiple class-action lawsuits are pending in the United States, with settlement negotiations ongoing as of early 2026.

Reports from blockchain surveillance firms identified Cryptex and Audi6, both Russian-linked cryptocurrency exchanges, as primary destinations for stolen funds after mixing. These exchanges provided liquidity for converting Bitcoin to fiat currency. The exchanges’ acceptance of large inflows without enhanced KYC procedures enabled rapid money laundering without detection or delays.

Following the LastPass breach investigation, cybersecurity experts revised guidance on cryptocurrency security. Hardware wallets (Ledger, Trezor) that keep private keys offline became the recommended standard. Cloud-based password managers should not store cryptocurrency recovery information. Organizations now implement segregated key management: credentials in password managers, cryptocurrency keys in hardware wallets or offline cold storage.
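
To act on the guidance above, a user or security team can audit their own password-manager export for entries that look like wallet recovery material and move those to a hardware wallet or cold storage. The script below is an added example, not code from TRM Labs, LastPass or the original article; the CSV column names (`name`, `password`, `note`) are an assumed export layout, every sample value is constructed, and the detection is heuristic.

```python
import csv
import io
import re

# Heuristics only: no BIP-39 wordlist or checksum validation is performed,
# and a 64-character hex string may also be an ordinary SHA-256 hash.
SEED_WORD = re.compile(r"^[a-z]{3,8}$")  # BIP-39 English words are 3-8 letters
HEX_KEY = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")  # raw 256-bit key
WIF_KEY = re.compile(r"\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b")  # Bitcoin WIF shape
MIN_SEED_WORDS = 12  # shortest standard mnemonic length

# Constructed sample export; the column layout is an assumption.
SAMPLE_EXPORT = (
    "name,url,username,password,note\n"
    "Webmail,https://mail.example,alice,correct-horse-9!,personal mail\n"
    "Old wallet,,,,apple river stone cloud maple tiger ocean lemon piano candy robot zebra\n"
    f"Exchange hot key,,,0x{'ab' * 32},\n"
    f"Paper wallet,,,,{'5' + 'J' * 50}\n"
)

def longest_word_run(text):
    """Length of the longest run of consecutive seed-like words in text."""
    best = run = 0
    for token in text.split():
        run = run + 1 if SEED_WORD.match(token) else 0
        best = max(best, run)
    return best

def classify(text):
    """Return the set of secret types a single field appears to contain."""
    found = set()
    if longest_word_run(text) >= MIN_SEED_WORDS:
        found.add("seed-phrase")
    if HEX_KEY.search(text):
        found.add("hex-private-key")
    if WIF_KEY.search(text):
        found.add("wif-private-key")
    return found

def audit_export(csv_text):
    """Map entry name -> sorted findings; the secret itself is never echoed."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = set()
        for field in ("password", "note"):
            hits |= classify(row.get(field) or "")
        if hits:
            findings[row["name"]] = sorted(hits)
    return findings

if __name__ == "__main__":
    for name, kinds in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(kinds)}")
```

Run it against an export kept on an offline machine and securely delete the export afterwards, since the plaintext file is itself as sensitive as the vault.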

Read more on Cyberwarzone

This news is powered by Cyberwarzone
