TRM Traces $28M Stolen in LastPass Breach to Russian Exchanges via Demixing Analysis

Source: CoinEdition Original Title: TRM Traces $28M Stolen in LastPass Breach to Russian Exchanges via Demixing Analysis Original Link:

Overview

• TRM Labs traces $28 million in stolen crypto from 2022 LastPass breach to mixers.
• On-chain analysis points to Russian cybercriminal infrastructure and exchanges.
• Demixing techniques reveal stolen Bitcoin flowed through Cryptex and Audi6.

Background

Blockchain intelligence analysts have traced stolen cryptocurrency linked to the 2022 LastPass password manager breach. The analysis identifies on-chain patterns that suggest Russian cybercriminal involvement in laundering operations spanning 2024 and 2025.

Hackers breached LastPass in 2022, exposing encrypted backups of roughly 30 million customer vaults containing digital credentials, crypto private keys, and seed phrases. While the vaults required master passwords to decrypt, attackers downloaded them in bulk. This created a multi-year window for cracking weak passwords offline and draining assets over time.

Blockchain Analysis Reveals Coordinated Laundering Campaign

TRM analysts identified wallet drains continuing throughout 2024 and 2025, extending the breach’s impact far beyond initial disclosure. By analyzing recent theft clusters, researchers traced stolen funds through mixing services to two high-risk Russian exchanges used by cybercriminals as fiat off-ramps.

The analysis reveals consistent on-chain signatures across thefts. Stolen Bitcoin keys were imported into identical wallet software, producing shared transaction characteristics including SegWit usage and Replace-by-Fee features. Non-Bitcoin assets were quickly converted to Bitcoin through instant swap services, then transferred to single-use addresses and deposited into Wasabi Wallet.

Flow of funds by LastPass hackers

TRM estimates more than $28 million in cryptocurrency was stolen, converted to Bitcoin, and laundered through Wasabi in late 2024 and early 2025. Rather than analyzing individual thefts separately, TRM researchers examined the activity as a coordinated campaign. Using proprietary demixing techniques, analysts matched hacker deposits to withdrawal clusters whose aggregate value and timing aligned closely with inflows.

Russian Exchange Infrastructure Serves as Fiat Off-Ramp

Analysis of LastPass-linked laundering activity reveals two distinct phases converging on Russian exchanges. An earlier phase routed stolen funds through mixing services and off-ramped via Cryptex, a Russia-based exchange sanctioned by OFAC in 2024.

A subsequent wave identified in September 2025 saw TRM analysts trace approximately $7 million in stolen funds through Wasabi Wallet. Withdrawals flowed to Audi6, another Russian exchange associated with cybercriminal activity. One of these exchanges received LastPass-linked funds as recently as October 2025.

Blockchain fingerprints observed before mixing, combined with intelligence associated with wallets after the mixing process, consistently pointed to Russia-based operational control. Early Wasabi withdrawals occurred within days of initial wallet drains. This suggests that attackers themselves executed the CoinJoin activity.