LastPass Breach Unleashes Years of Cryptocurrency Theft, TRM Labs Reveals

TRM Labs has published a sobering case study on the 2022 LastPass data breach. Their investigation demonstrates that this breach was the catalyst for a multi-year campaign of cryptocurrency theft. Cybercriminals kept working through the stolen encrypted vault backups for years after the breach, draining digital assets in thefts that continued as recently as late 2025, just a few months ago. The findings conclude that weak master passwords were a key factor in these compromises. This vulnerability enabled unauthorized access to user funds for over three months.

LastPass suffered a catastrophic data breach in August 2022 that allowed attackers to steal sensitive user data, including encrypted vault backups. The backups used strong encryption, but attackers nonetheless managed to open them by guessing weak master passwords offline, and then drained the cryptocurrency held in the exposed vaults. TRM Labs’ investigation serves as a reminder that weak master passwords create a lasting security risk that outlives the breach itself.

Regulatory Action and Security Lapses

The U.K. Information Commissioner’s Office (ICO) sued LastPass. They strongly condemned the company for not prioritizing, deploying, and maintaining adequate technical and security measures to thwart breaches. As a result, the company was handed a fine of $1.6 million.

User Responsibility vs. Robust Vault Security

The breach has ignited the debate over who exactly is responsible for protecting sensitive information.

TRM Labs observed that users largely did not update their passwords or enhance the security of their vaults after the hack. This negligence left the door open for attackers to brute-force weak master passwords against the stolen backups and recover the decrypted vault contents.
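The mechanism described above is an offline guessing attack: once a backup is stolen, the only thing standing between the attacker and the vault contents is the cost of deriving a key from each candidate master password. The following Python model is an added example, not LastPass's code or TRM Labs' analysis; the vault layout, the PBKDF2 work factor of 100,000 iterations, the SHA-256 key verifier and the attacker guess rate are all assumptions chosen for illustration. It shows why strong encryption of the vault body is irrelevant when the password is weak, and why rotating the master password after the theft does not protect the copy the attacker already holds.

```python
"""Model of why a stolen, encrypted vault backup stays exposed to offline
guessing for as long as the master password protecting it is weak.
Added example; vault format, KDF settings and attacker speed are assumptions,
not LastPass's real parameters."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # assumed work factor per guess (hypothetical)
KEY_LEN = 32


@dataclass(frozen=True)
class VaultBackup:
    """What an attacker holds after stealing a backup (hypothetical layout)."""
    salt: bytes
    key_verifier: bytes  # SHA-256 of the derived key; lets the holder test guesses offline
    ciphertext: bytes    # encrypted vault body (treated as opaque here; the KDF is the point)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the vault encryption key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_backup(master_password: str, ciphertext: bytes) -> VaultBackup:
    """Create the stored form of a vault protected by master_password."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    return VaultBackup(salt, hashlib.sha256(key).digest(), ciphertext)


def guess_unlocks(backup: VaultBackup, candidate: str) -> bool:
    """Offline check: does this candidate derive the key for this backup?
    No server, rate limit or MFA is involved; only the KDF cost per guess."""
    key = derive_vault_key(candidate, backup.salt)
    return hmac.compare_digest(hashlib.sha256(key).digest(), backup.key_verifier)


def rotate_master_password(old_backup: VaultBackup, new_password: str) -> VaultBackup:
    """Re-key the live vault. The returned backup is what the service stores from
    now on; the copy already stolen is unchanged and still opens with the old
    password. (A real rotation also re-encrypts the body; it is opaque here.)"""
    return make_backup(new_password, old_backup.ciphertext)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size**length candidates."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int, hmac_per_second: float) -> float:
    """Expected time to find a uniformly chosen password: on average half the
    keyspace is tried, each guess costing `iterations` HMAC-SHA256 calls, at an
    assumed aggregate attacker rate."""
    return 2 ** (bits - 1) * iterations / hmac_per_second


if __name__ == "__main__":
    # Constructed sample: a vault under a short lowercase master password.
    stolen = make_backup("sunshine", b"<opaque encrypted vault body>")
    print("attacker's stolen copy opens with old password:", guess_unlocks(stolen, "sunshine"))

    live = rotate_master_password(stolen, "correct-horse-battery-staple-2022")
    print("rotated live vault opens with new password:   ", guess_unlocks(live, "correct-horse-battery-staple-2022"))
    print("stolen copy still opens with old password:    ", guess_unlocks(stolen, "sunshine"))

    rate = 1e10  # assumed attacker throughput, HMAC-SHA256 per second across a GPU rig
    for label, length, alphabet in (("8 lowercase letters", 8, 26),
                                    ("12 mixed characters", 12, 95),
                                    ("20 mixed characters", 20, 95)):
        bits = keyspace_bits(length, alphabet)
        secs = expected_crack_seconds(bits, PBKDF2_ITERATIONS, rate)
        print(f"{label:22s} {bits:6.1f} bits  ~{secs / 86400:.3g} days")
```

The takeaways for a defender are the two facts the script makes concrete: the per-guess cost is fixed by the KDF, so the password's entropy is the only remaining lever, and a master-password change after the backup was stolen does nothing for the stolen copy. After such a theft the secrets inside the vault (seed phrases, API keys, account passwords) have to be rotated, not just the password that guards the vault.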

“As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.” – TRM Labs

Tracing the Flow of Stolen Assets

Despite the use of CoinJoin techniques designed to obfuscate fund flows, TRM Labs managed to trace the stolen assets back to their origins. They traced linked withdrawals and layered chains used to route tainted Bitcoin into two exchanges. When the U.S. Treasury Department sanctioned the popular exchange Cryptex back in September 2024, they were instrumental in seizing over $51.2 million in illegal proceeds related to ransomware attacks.

The deep dive showed that more than $35 million in drained digital assets could be linked back to the LastPass data breach. From late 2024 to late 2025, criminals transformed approximately $28 million into Bitcoin and laundered it using Wasabi Wallet. During a follow-up operation in September 2025, police discovered an additional $7 million.

“Based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre-and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps,” – TRM Labs

The Role of Cybercriminal Networks

TRM Labs recently underscored a direct link between Russian cybercriminal networks and the cryptocurrency stolen in the wake of the LastPass breach. The use of exchanges commonly tied to Russian cybercrime underscores these networks’ functional role in laundering stolen funds.

Ari Redbord, global head of policy at TRM Labs, emphasized the implications of this case:

“This is a clear example of how a single breach can evolve into a multi-year theft campaign.” He further noted that “Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”