New findings from blockchain intelligence firm TRM Labs reveal that encrypted vault backups stolen during the 2022 LastPass data breach are still being exploited, allowing threat actors to crack weak master passwords and drain cryptocurrency assets as recently as late 2025. The analysis shows how a single security incident has continued to expose users to financial losses years later, particularly those who failed to strengthen their vault protection after the breach. According to TRM Labs, attackers have been able to decrypt vaults offline over time, quietly extracting sensitive information such as cryptocurrency private keys and recovery phrases and using them to siphon digital assets.
TRM Labs said its investigation uncovered strong indicators linking the ongoing thefts to Russian cybercriminal actors. The assessment is based on a combination of on-chain evidence, including repeated interactions with Russia-associated infrastructure, continuity of wallet control before and after the use of mixing services, and the consistent routing of stolen funds through high-risk Russian exchanges. The firm noted that at least one Russian exchange received funds tied to the LastPass breach as recently as October 2025, underscoring how long the fallout from the original incident has persisted. These findings follow heightened scrutiny of the password manager after it was fined 1.6 million dollars earlier this month by the UK Information Commissioner’s Office for failing to implement sufficiently robust technical and security safeguards ahead of the 2022 intrusion.
The original LastPass breach enabled attackers to access customer information, including encrypted password vaults that stored credentials for a wide range of services. While the vaults themselves were encrypted, LastPass warned at the time that attackers could attempt brute-force techniques against weak master passwords to decrypt the data. TRM Labs now says this scenario has played out over several years. Any vault protected by a weak master password could eventually be decrypted offline, effectively turning the 2022 breach into a long-running theft campaign. As some users did not rotate passwords or enhance vault security following the disclosure, attackers continued cracking vaults years later, resulting in new waves of wallet drains well into 2025.
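The reason a stolen encrypted vault stays dangerous for years is a simple cost model: an offline attacker can test master-password guesses at will, and the only things slowing them down are the size of the password space and the cost of the key-derivation function per guess. The script below is an added illustration, not code from the article, from TRM Labs or from LastPass. It measures real PBKDF2-HMAC-SHA256 throughput on one CPU core, then scales that to a few password pools and iteration counts to show how quickly "eventually" arrives for weak passwords and low iteration counts. The iteration profiles and password pools are constructed reference points (600,000 is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256); the vault's actual salt, KDF parameters and attacker hardware are not taken from the page.

```python
"""Estimate offline guessing time for an encrypted vault as a function of
master-password strength and PBKDF2 iteration count.

Added illustrative example, not from the article or any vendor.  Iteration
profiles and password pools below are assumptions for illustration only.
"""
import hashlib
import math
import time

# Constructed reference points (assumptions). 600_000 is the OWASP cheat-sheet
# recommendation for PBKDF2-HMAC-SHA256; the others are deliberately lower.
ITERATION_PROFILES = {
    "low": 5_000,
    "moderate": 100_100,
    "owasp_pbkdf2_sha256": 600_000,
}

# (label, alphabet size, length). A passphrase drawn from a 7,776-word diceware
# list behaves like a 7,776-symbol alphabet with one "character" per word.
PASSWORD_POOLS = [
    ("8 lowercase letters", 26, 8),
    ("8 printable ASCII chars", 95, 8),
    ("12 printable ASCII chars", 95, 12),
    ("4 diceware words", 7_776, 4),
    ("6 diceware words", 7_776, 6),
]


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords an exhaustive attacker must consider."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy in bits for a uniformly chosen password."""
    return length * math.log2(alphabet_size)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected work for a uniformly random password is half the space."""
    return (space / 2) / guesses_per_second


def scale_rate(rate: float, measured_iters: int, target_iters: int) -> float:
    """PBKDF2 cost is linear in iterations, so guess rate scales inversely."""
    return rate * measured_iters / target_iters


def measure_pbkdf2_rate(iterations: int, samples: int = 10) -> float:
    """Guesses/second one CPU core achieves with real PBKDF2-HMAC-SHA256 calls.

    Only the relative numbers matter: dedicated hardware is far faster, and an
    attacker who already holds the ciphertext can run this for years.
    """
    salt = b"constructed-salt"  # constructed; a real vault carries its own salt
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess-{i}".encode(), salt, iterations, 32)
    return samples / (time.perf_counter() - start)


def crack_time_table(core_rate_at_1k: float, cores: int = 1) -> dict:
    """Map (pool label, profile name) -> expected seconds to recover the password,
    given a measured rate at 1,000 iterations and a core count (assumed)."""
    table = {}
    for label, alphabet, length in PASSWORD_POOLS:
        for profile, iters in ITERATION_PROFILES.items():
            rate = scale_rate(core_rate_at_1k, 1_000, iters) * cores
            table[(label, profile)] = expected_seconds(
                password_space(alphabet, length), rate
            )
    return table


def format_duration(seconds: float) -> str:
    """Human-readable duration; past a thousand years the exact figure is moot."""
    value = seconds
    for name, factor in [("s", 60), ("min", 60), ("h", 24), ("d", 365.25), ("y", 1000)]:
        if value < factor:
            return f"{value:.1f} {name}"
        value /= factor
    return "> 1000 y"


if __name__ == "__main__":
    base = measure_pbkdf2_rate(1_000)
    table = crack_time_table(base)
    print(f"one core, PBKDF2-SHA256 at 1,000 iterations: {base:,.0f} guesses/s\n")
    for label, alphabet, length in PASSWORD_POOLS:
        print(f"{label} ({entropy_bits(alphabet, length):.0f} bits)")
        for profile in ITERATION_PROFILES:
            print(f"  {profile:<20} {format_duration(table[(label, profile)])}")
```

Run it and compare rows: raising the iteration count buys a constant factor (5,000 to 600,000 is 120x), while each extra character or word multiplies the work by the alphabet size, which is why a long passphrase on a modest iteration count outlasts a short password on a strong one. The defensive takeaways match the article: once ciphertext has left your control, only a high-entropy master password and a high KDF cost keep the expected crack time beyond an attacker's patience, and rotating every credential inside a vault that may have been weakly protected is the only remedy for keys already exposed.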
TRM Labs estimates that more than 35 million dollars in digital assets have been siphoned so far as part of this activity. Of that amount, approximately 28 million dollars was converted to Bitcoin and laundered through Wasabi Wallet between late 2024 and early 2025. An additional seven million dollars has been attributed to a later wave detected in September 2025. The laundering process involved routing funds through Cryptomixer.io before off-ramping them via Cryptex and Audia6, both Russian exchanges that have been associated with illicit financial flows. Cryptex, in particular, was sanctioned by the US Treasury Department in September 2024 after being linked to more than 51.2 million dollars in ransomware-related proceeds. Despite the attackers’ use of CoinJoin techniques intended to obscure transaction trails, TRM Labs said it was able to demix the activity by identifying clustered withdrawals and peeling chains that funneled mixed Bitcoin into the same exchanges.
Commenting on the findings, Ari Redbord, global head of policy at TRM Labs, said the case illustrates how a single breach can evolve into a multi-year campaign of theft. He noted that even when mixers are employed, patterns such as infrastructure reuse and consistent off-ramp behavior can still expose those responsible. Redbord added that Russian high-risk exchanges continue to function as critical off-ramps for global cybercrime, and that demixing and ecosystem-level analysis are becoming essential for attribution and enforcement efforts. The findings serve as a reminder that long-term risks remain when stolen encrypted data is combined with weak user passwords and delayed security hygiene.