Cyberveille, curated by Decio
13 results tagged LastPass
TRM Traces Stolen Crypto from 2022 LastPass Breach — On-chain Indicators Suggest Russian Cybercriminal Involvement https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement
26/12/2025 12:51:13

trmlabs.com Team | TRM Blog

TRM traced LastPass-linked Bitcoin laundering through mixers to high-risk Russian exchanges, showing how demixing exposes infrastructure reuse and limits mixer anonymity.

Key takeaways

  • TRM identified Russian cybercriminal infrastructure at multiple points in the laundering pipeline linked to the LastPass breach.
  • Demixing revealed behavioral continuity: despite CoinJoin use, TRM analysts linked pre- and post-mix activity to the same actors.
  • Laundered BTC flowed through high-risk Russian exchanges Cryptex and Audia6.
  • This case underscores both the operational resilience of cybercrime ecosystems and the diminishing effectiveness of mixing.

In 2022, hackers breached LastPass, one of the world’s most widely used password managers, exposing backups of roughly 30 million customer vaults — encrypted containers holding users’ most sensitive digital credentials, including crypto private keys and seed phrases. Although the vaults were encrypted and initially unreadable without each user’s master password, attackers were able to download them in bulk. That created a long-tail risk for more than 25 million users globally: any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time.

New waves of wallet drains have surfaced throughout 2024 and 2025, extending the breach’s impact far beyond its initial disclosure. By analyzing a recent cluster of these drains, TRM analysts were able to trace the stolen funds through mixers and ultimately to two high-risk Russian exchanges frequently used by cybercriminals as fiat off-ramps — with one of them receiving LastPass-linked funds as recently as October.

These findings offer a clear on-chain view of how the stolen assets are being moved and monetized, helping illuminate the pathways and infrastructure supporting one of the most consequential credential breaches of the last decade. Based on the totality of on-chain evidence — including repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps — TRM assesses that the activity is consistent with involvement by Russian cybercriminal actors.

Analysis of these thefts reveals two consistent indicators that point toward possible Russian cybercrime involvement.

First, stolen funds were repeatedly laundered through infrastructure commonly associated with Russian cybercriminal ecosystems, including off-ramps historically used by Russia-based threat actors.
Second, intelligence linked to the wallets interacting with mixers both before and after the mixing and laundering process indicated operational ties to Russia, suggesting continuity of control rather than downstream reuse by unrelated actors.
While definitive attribution of the original intrusion cannot yet be confirmed, these signals, combined with TRM’s ability to demix activity at scale, highlight both the central role of Russian cybercrime infrastructure in monetizing large-scale hacks and the diminishing effectiveness of mixing as a reliable means of obfuscation.

What demixing revealed
TRM identified a consistent on-chain signature across the thefts: stolen Bitcoin keys were imported into the same wallet software, producing shared transaction traits such as SegWit usage and Replace-by-Fee. Non-Bitcoin assets were quickly converted into Bitcoin via instant swap services, after which funds were transferred into single-use addresses and deposited into Wasabi Wallet. Using this pattern, TRM estimates that more than USD 28 million in cryptocurrency was stolen, converted to Bitcoin, and laundered through Wasabi in late 2024 and early 2025.

Rather than attempting to demix individual thefts in isolation, TRM analysts analyzed the activity as a coordinated campaign, identifying clusters of Wasabi deposits and withdrawals over time. Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental.

Blockchain fingerprints observed prior to mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. The continuity across pre-mix and post-mix stages strengthens confidence that the laundering activity was conducted by actors operating within, or closely tied to, the Russian cybercrime ecosystem.

Early Wasabi withdrawals occurred within days of the initial wallet drains, suggesting that the attackers themselves were responsible for the initial CoinJoin activity. Taken together, these findings demonstrate both the diminishing reliability of mixing as an obfuscation technique and the central role of demixing in revealing the structure and geography of large-scale illicit campaigns.

Russian off-ramps as a reinforcing signal
Analysis of LastPass-linked laundering activity reveals two distinct phases that both converged on Russian exchanges. In an earlier phase following the initial exploitation, stolen funds were routed through the now-defunct Cryptomixer.io and off-ramped via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024. In a subsequent wave identified in September 2025, TRM analysts traced approximately USD 7 million in additional stolen funds through Wasabi Wallet, with withdrawals ultimately flowing to Audi6, another Russian exchange associated with cybercriminal activity.

Applying the same demixing methodology across both periods, TRM identified consistent laundering patterns, including clustered withdrawals and peeling chains that funneled mixed Bitcoin into these exchanges. The repeated use of Russian exchanges at the off-ramp stage, combined with intelligence indicating Russia-based operational control both before and after mixing, suggests continuity in the laundering infrastructure rather than isolated or opportunistic usage. Together, these findings point to alignment with a persistent Russian cybercriminal ecosystem across multiple phases of the LastPass-related activity.

Why the Russian connection matters
The significance of likely Russian involvement extends beyond this single case. Russian high-risk exchanges and laundering services have repeatedly served as critical off-ramps for globally dispersed ransomware groups, sanctions evaders, and other cybercriminal networks. Their role in the LastPass laundering pipeline underscores how Russia-based financial infrastructure continues to function as a systemic enabler of global cybercrime, even as enforcement pressure increases elsewhere.

This case also highlights how mixers do not eliminate attribution risk when threat actors rely on consistent infrastructure and geographic ecosystems over time. Demixing allowed TRM to move beyond individual transactions and reveal the broader operational architecture, including where illicit value ultimately converges.

Frequently asked questions (FAQs)

  1. What happened in the LastPass breach?
    In 2022, a threat actor gained access to encrypted vault data stored by LastPass. As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later — leading to wallet drains as recently as late 2025.

  2. Why is Russian involvement suspected?
    TRM observed two consistent signals:

    • Pre- and post-mix wallet intelligence pointed to the same operator using Russian infrastructure.
    • Off-ramps included multiple Russia-based exchanges, including one previously sanctioned for facilitating ransomware laundering.

  3. What is demixing, and how did it help?
    Demixing refers to the process of analyzing mixer (e.g. CoinJoin) activity to re-associate inputs and outputs at a cluster level. TRM demixed Wasabi Wallet activity by analyzing:

    • Behavioral patterns (e.g. wallet software traits, transaction formatting)
    • Timing and amounts
    • Destination addresses with known ties to illicit ecosystems

    This enabled linkage across waves of theft and over time — exposing centralized laundering control.

  4. How much crypto was stolen and laundered?
    TRM traced over USD 35 million, but this is likely only a fraction of the full picture:

    • USD 28 million demixed from 2024–early 2025 flows
    • USD 7 million from a September 2025 wave linked to additional Wasabi usage

  5. Why is this still happening three years later?
    Many affected LastPass users failed to change or secure master passwords, and their vaults still contained private keys. As threat actors brute-force vaults over time, slow-drip wallet draining has become a recurring pattern.

  6. What makes this case important?
    This is a clear example of how:

    • Mixers don't provide true anonymity when infrastructure is reused
    • Off-ramp infrastructure remains the best attribution signal
    • Illicit networks adapt, but don’t disappear — when one service is sanctioned, another emerges

trmlabs.com EN 2025 2022 LastPass leak passwords Blockchain fingerprints
Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/
13/12/2025 15:41:19

ico.org.uk | The Information Commissioner’s Office (ICO)
Date 11 December 2025

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.

  • Service which promises to help people improve their security has failed them, leaving them vulnerable
  • Combination of two isolated incidents enabled hacker to steal personal information relating to 1.6m customers
  • ‘Zero knowledge’ encryption system ensures customer passwords and vaults are not decrypted
We have fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data breach that compromised the personal information of up to 1.6 million of its UK users.

We found that LastPass failed to implement sufficiently robust technical and security measures, which ultimately enabled a hacker to gain unauthorised access to its backup database. There is no evidence that hackers were able to decrypt customer passwords, as these are stored locally on customer devices and not by LastPass.

The incidents occurred in August 2022 when a hacker gained access first to a corporate laptop of an employee based in Europe and then to a US-based employee’s personal laptop on which the hacker implanted malware and then was able to capture the employee’s master password. The combined detail from both incidents enabled the hacker to access LastPass’ backup database and take personal information which included customer names, emails, phone numbers, and stored website URLs.

John Edwards, UK Information Commissioner, said:

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”

Details of the two incidents
Incident one

  • A hacker compromised a LastPass employee’s corporate laptop and gained access to the company’s development environment.
  • No personal information was taken; however, encrypted company credentials were. If decrypted, these would allow access to the company’s backup database.
  • LastPass took steps to mitigate the hacker’s activity and believed encryption keys remained safe, as they were stored outside the area accessed by the hacker, in the account vaults of four senior employees.

Incident two

  • The hacker then targeted one of the senior employees who had access to the decryption keys, gaining access to their personal device via a known vulnerability in a third-party streaming service.
  • A keylogger was installed, capturing the employee’s master password, and multi-factor authentication was bypassed using a trusted device cookie.
  • The hacker then gained access to the employee’s personal and business LastPass vaults, which were linked using a single master password.
  • The hacker then gained access to the employee’s business vault, which contained the Amazon Web Services (AWS) access key and decryption key.
  • This information, combined with information taken the day before, enabled the hacker to extract the contents of the backup database which contained the personal information.

Our investigation found no evidence that the hacker was able to decrypt encrypted passwords and other credentials. This is due to LastPass’ use of a ‘zero knowledge’ encryption system, whereby the master password required to access a password vault is stored locally on a customer’s own device and never shared with LastPass.

Advice and guidance
We urge organisations to ensure internal security policies explicitly consider and address data breach risks. Where risks are identified, access should be restricted to specific user groups.

Businesses wishing to review their procedures should turn to our and the National Cyber Security Centre websites which provide a rich source of information detailing ways to improve practices including Working from home – security checklist for employers, Data security guidance and Device security guidance.

ico.org.uk UK EN 2025 ICO LastPass fined Incident
LastPass Users Lose Master Passwords to Ultra-Convincing Scam https://www.darkreading.com/cyberattacks-data-breaches/lastpass-users-lose-master-passwords-ultra-convincing-scam
21/04/2024 20:44:24

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent into handing over their high-value credentials.

darkreading EN 2024 CryptoChameleon LastPass scam
Attempted Audio Deepfake Call Targets LastPass Employee https://blog.lastpass.com/posts/2024/04/attempted-audio-deepfake-call-targets-lastpass-employee
14/04/2024 15:15:22
lastpass EN 2024 Audio Deepfake Employee
Fake LastPass App Sneaks Past Apple's Review Team https://www.macrumors.com/2024/02/08/fake-lastpass-app-in-apple-app-store/
12/02/2024 01:21:17

Popular password management app LastPass is warning customers about a fraudulent app that uses a similar name and icon to attempt to trick LastPass...

macrumors EN 2024 App-Store LastPass fake fraudulent
LastPass to enforce a 12-character requirement for master passwords https://www.scmagazine.com/news/lastpass-to-enforce-a-12-character-requirement-for-master-passwords?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
08/01/2024 11:01:45

Security pros say while the 12-character requirement by LastPass is a step in the right direction, teams still need to enforce multi-factor authentication and practice continuous monitoring.

scmagazine EN 2023 LastPass requirement password change
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
10/09/2023 19:00:22

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious…

krebsonsecurity EN 2023 LastPass Cracking Keys Stolen
LastPass breach update: The few additional bits of information https://palant.info/2023/02/28/lastpass-breach-update-the-few-additional-bits-of-information/
28/02/2023 14:22:33

LastPass breach was aided by lax security policy, allowing accessing critical data from a home computer. Also, companies implementing federated login are also affected by the breach, despite LastPass originally denying it.

palant.info EN 2023 breach LastPass
What’s in a PR statement: LastPass breach explained https://palant.info/2022/12/26/whats-in-a-pr-statement-lastpass-breach-explained/
28/12/2022 02:59:02

The LastPass statement on their latest breach is full of omissions, half-truths and outright lies. I’m providing the necessary context for some of their claims.

palant.info EN 2022 LastPass breach explained omissions context claims
Cracking encrypted Lastpass vaults https://markuta.com/cracking-lastpass-vaults/
27/12/2022 00:42:22

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Markuta EN 2022 password-cracking lastpass compromise Hashcat crack PoC
Notice of Recent Security Incident https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
22/12/2022 23:25:58

We are working diligently to understand the scope of the incident and identify what specific information has been accessed.

lastpass EN 2022 incident backup hack exfiltration
Lastpass says hackers accessed customer data in new breach https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/
01/12/2022 06:55:38

LastPass says unknown attackers breached its cloud storage using information stolen during a previous security incident from August 2022.

The company added that, once in, the threat actors also managed to access customer data stored in the compromised storage service.

bleepingcomputer EN 2022 lastpass GoTo breach cloud
Notice of Recent Security Incident https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
29/08/2022 10:26:34

We have no evidence that this incident involved any access to customer data or encrypted password vaults. Our products and services are operating normally.

lastpass EN 2022 incident unauthorized access