Investigators at TRM Labs have linked a series of cryptocurrency thefts totalling approximately $35 million to a credential breach at LastPass, a popular password manager. The analysis focused on assets stolen following the 2022 intrusion, which exposed encrypted user vaults containing private keys. Despite the requirement for master passwords to access individual accounts, weak credentials enabled offline decryption of key data, allowing attackers to exfiltrate wallet information over an extended period and target accounts belonging to users with cryptocurrency holdings.
TRM's blockchain forensics revealed that non-Bitcoin assets were rapidly swapped into Bitcoin via on-chain exchange services. Subsequent deposits were routed into Wasabi Wallet, a privacy-focused mixing protocol, to obscure transaction origins. Researchers identified consistent transaction signatures, including SegWit inputs and common wallet software, linking disparate incidents to a single threat actor. Demixing techniques were applied to trace over $28 million in laundered funds through Cryptomixer.io and Cryptex, a Russian exchange sanctioned by OFAC. A later wave in September 2025 saw an additional $7 million conveyed into Audi6, reinforcing evidence of coordinated withdrawal clusters.
The investigation underscores diminishing anonymity guarantees offered by mixing services when threat actors rely on stable geographic exchange endpoints. The recurring use of Russian off-ramps highlights systemic vulnerabilities in the global financial infrastructure that facilitate cybercrime monetisation. TRM Labs advocates for enhanced blockchain intelligence capabilities to detect behavioural continuity across laundering phases. The LastPass case serves as a rare on-chain exposition of how historical credential breaches can translate into multi-year exploitation campaigns, emphasizing the critical role of robust password hygiene and the need for security solutions tailored to digital asset protection.