Was Crypto Theft of 35 Million Linked to LastPass Breach?


Crypto Theft tied to the LastPass breach has moved from a one-time shock to a long-tail drain. TRM Labs reports that investigators traced about $35 million in stolen cryptocurrency to Russian cybercriminal infrastructure. The trail shows how attackers moved assets across swaps, mixers, and off-ramps, while repeating patterns that link separate thefts into one campaign. The breach itself dates back to 2022, when intruders accessed LastPass and downloaded encrypted vault data at scale. Reports around the incident put the affected vault count near 30 million. Attackers could not open every vault at once, because encryption still stood in the way. Yet the bulk download created a standing risk. Weak master passwords turned that risk into access, and the access turned into ongoing Crypto Theft during 2024 and 2025.

Crypto Theft linked to the LastPass breach: what TRM Labs traced on-chain

TRM Labs describes an on-chain view of how criminals monetized credentials from one of the most consequential password manager intrusions of the decade. The key point sits in continuity over time. The thefts did not look random, and the laundering did not look improvised. Instead, TRM analysts saw repeated steps that connected stolen wallets to the same tooling choices and to the same destination infrastructure. That consistency matters because it narrows the set of actors behind the Crypto Theft. It also reduces the chance that unrelated thieves just happened to use identical paths, at similar times, for similar values.

The 2022 breach exposed encrypted vaults, and attackers took them in bulk. That detail matters because it allowed offline attempts at decryption. Attackers did not need to poke a live system for each victim. They could work quietly, test passwords at their own pace, and return later when they succeeded. Each successful unlock opened a private map of credentials and keys. For cryptocurrency holders, that map could include exchange logins, seed phrases, and wallet backups. During 2024 and 2025, fresh waves of drains suggested that this process kept working, victim after victim, as old vault files met weak master passwords and predictable reuse habits. The result looked like a delayed detonation: one incident in 2022, followed by extended Crypto Theft that surfaced as new outflows across multiple months.

How the Crypto Theft pipeline moved assets into Bitcoin and into Wasabi Wallet

TRM’s description of the laundering pipeline starts with practical choices that reduce friction. When attackers stole Bitcoin, they often imported stolen keys into the same wallet software. That behavior left transaction fingerprints. Analysts noted shared signature patterns and recurring SegWit usage across theft events. Those overlaps do not prove identity by themselves, yet they add weight when paired with matching timing and shared downstream routes. In a coordinated Crypto Theft campaign, operational convenience often beats perfect variability, especially when the same crew runs many drains.

Attackers moved non-Bitcoin assets quickly. They converted those assets into Bitcoin through instant swap services, according to the analysis. Speed matters here because victims, exchanges, and wallet providers can react once they spot theft. Rapid conversion reduces the number of asset types that investigators must track later, and it consolidates value into a single chain with deep liquidity. After conversion, TRM says the funds went into Wasabi Wallet, a CoinJoin-based mixing service that aims to blur links between inputs and outputs. TRM estimates that more than $28 million flowed through Wasabi in late 2024 and early 2025. That figure frames the scale of Crypto Theft tied to this single source of compromised credentials.

Mixing alone did not mark the end of the laundering process. The analysis describes clustered withdrawals and peeling-chain behavior that pushed mixed Bitcoin toward exchange deposit addresses. A peeling chain typically moves funds in repeated steps, sending a portion onward while leaving change behind, which can help manage risk and maintain control. Clustering often emerges when operators consolidate outputs under their own wallets before they cash out. These patterns show up because criminals still need usable money at the end of the path. They may hide the trail, but they still need consistent off-ramps, working accounts, and reliable infrastructure. That dependency becomes a weak point when the same infrastructure reappears across months of Crypto Theft.
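The peeling-chain pattern described above can be flagged mechanically. The following is an added example, not code from TRM Labs or the original article; the transaction table, address names, and the 25% ratio and three-hop thresholds are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample: txid -> (spending address, [(output address, satoshis)]).
# Fees are ignored to keep the arithmetic visible.
SAMPLE_TXS: Dict[str, Tuple[str, List[Tuple[str, int]]]] = {
    "t1": ("addrA", [("dep1", 50_000_000), ("addrB", 950_000_000)]),
    "t2": ("addrB", [("dep2", 60_000_000), ("addrC", 890_000_000)]),
    "t3": ("addrC", [("dep3", 40_000_000), ("addrD", 850_000_000)]),
    "t4": ("addrD", [("dep4", 70_000_000), ("addrE", 780_000_000)]),
    "u1": ("addrX", [("addrY", 200_000_000), ("addrZ", 210_000_000)]),
}


def follow_peel_chain(txs, start_addr, max_peel_ratio=0.25, min_hops=3):
    """Walk forward from start_addr while each hop looks like a peel:
    exactly two outputs, the smaller one a minor share of the total,
    and the larger one (the change) spent again in the next hop.
    Returns [(txid, peeled_address, peeled_sats)], or [] if too short."""
    spends = {inp: (txid, outs) for txid, (inp, outs) in txs.items()}
    hops, addr, seen = [], start_addr, set()
    while addr in spends and addr not in seen:
        seen.add(addr)  # guard against address-reuse loops
        txid, outs = spends[addr]
        if len(outs) != 2:
            break
        (small_addr, small), (big_addr, big) = sorted(outs, key=lambda o: o[1])
        if small / (small + big) > max_peel_ratio:
            break  # balanced split, not a peel
        hops.append((txid, small_addr, small))
        addr = big_addr  # follow the change output
    return hops if len(hops) >= min_hops else []


def peeled_total(hops):
    """Total value sent to the peeled (likely deposit) addresses."""
    return sum(sats for _, _, sats in hops)


if __name__ == "__main__":
    chain = follow_peel_chain(SAMPLE_TXS, "addrA")
    for txid, dest, sats in chain:
        print(f"{txid}: peeled {sats / 1e8:.2f} BTC to {dest}")
    print("total peeled:", peeled_total(chain) / 1e8, "BTC")
```

The peeled destinations are the addresses worth screening against known exchange deposit clusters, since the change output is only an intermediate hop.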

Demixing, signatures, and the campaign view: the forensic methods behind the trace

TRM’s account emphasizes methodology, not just isolated incidents. Investigators did not treat each victim drain as a separate case. They examined the activity as a coordinated campaign, then looked for shared behaviors that survived obfuscation. The analysis describes proprietary demixing techniques that matched deposits into mixing pools with specific withdrawal clusters. Timing played a central role. Aggregate values also mattered. When withdrawals align too tightly with deposits, across repeated sequences, coincidence becomes harder to defend.

Transaction signatures added another layer. When stolen Bitcoin keys moved through the same wallet software, they left similarities in how transactions were constructed. SegWit usage appeared as one such shared trait. Investigators combined these wallet-level behaviors with the post-mix patterns that still surfaced in withdrawals. Together, they built a continuity argument: the same actors controlled activity before and after the CoinJoin steps. That claim matters because mixing services rely on breaking certainty. If investigators can re-link behavior at scale, the mixer does not “fail” in a simple technical sense, but it also does not deliver the operational break that criminals seek. In the LastPass-related Crypto Theft, the laundering choices did not vary enough to prevent an infrastructure-based trace.

The demixing results also clarify why this case drew attention. Many theft stories end with “funds went through a mixer” and stop there. Here, the analysis describes what happened next, and it connects the next steps to specific high-risk exchanges. That connection offers rare insight into monetization. It shows where the money likely turned into spendable value. It also helps compliance teams refine controls, because it identifies choke points that recur across the Crypto Theft pipeline rather than one-off wallet addresses that change every day.
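A simplified illustration of the timing and aggregate-value correlation described above, as an added example. TRM's demixing techniques are proprietary and are not reproduced here; the deposits, withdrawal clusters, two-hour window, and 2% fee tolerance below are constructed assumptions.

```python
# Constructed sample data. Times are unix seconds, amounts are satoshis.
DEPOSITS = [  # (deposit id, time, amount entering the mixing pool)
    ("d1", 1_000, 500_000_000),
    ("d2", 50_000, 120_000_000),
]
WITHDRAWALS = [  # (withdrawal cluster, time, amount leaving the pool)
    ("c1", 4_000, 200_000_000),
    ("c1", 5_200, 180_000_000),
    ("c1", 6_100, 115_000_000),
    ("c2", 52_000, 118_500_000),
    ("c3", 90_000, 300_000_000),
]


def candidate_clusters(deposits, withdrawals, window=7_200, max_fee_ratio=0.02):
    """For each deposit, sum every cluster's withdrawals inside the time
    window after the deposit, and keep clusters whose aggregate equals the
    deposit minus a plausible fee (0 .. max_fee_ratio of the deposit)."""
    result = {}
    for dep_id, t_dep, amount in deposits:
        totals = {}
        for cluster, t_wd, sats in withdrawals:
            if t_dep < t_wd <= t_dep + window:
                totals[cluster] = totals.get(cluster, 0) + sats
        result[dep_id] = sorted(
            c for c, total in totals.items()
            if 0 <= amount - total <= amount * max_fee_ratio
        )
    return result


def confident_links(candidates):
    """Keep only deposits with exactly one candidate cluster; several
    candidates means the heuristic alone cannot decide."""
    return {d: cs[0] for d, cs in candidates.items() if len(cs) == 1}


if __name__ == "__main__":
    cands = candidate_clusters(DEPOSITS, WITHDRAWALS)
    print("candidates:", cands)
    print("confident links:", confident_links(cands))
```

A single match of this kind is weak evidence; the article's point is that the alignment repeats across many deposit and withdrawal sequences and agrees with the wallet-level traits.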

Russian exchanges and the off-ramp problem in 2024–2025

The traced flows converged on Russian exchange infrastructure in two phases. In the first phase, TRM says stolen funds moved through Cryptomixer.io and then exited via Cryptex, a Russia-based exchange that OFAC sanctioned in 2024. Sanctions status matters because it signals prior enforcement interest and alleged ties to illicit finance. It also changes the compliance posture for counterparties that touch related flows. When Crypto Theft proceeds hit a sanctioned venue, the transaction history becomes more than a theft narrative. It becomes a sanctions exposure risk for anyone who interacts with tainted coins without proper screening.

A later phase appeared in September 2025. TRM describes roughly $7 million routed through Wasabi Wallet, with withdrawals that ultimately reached Audi6, another Russian exchange linked to cybercriminal activity. The repeated reliance on Russia-based off-ramps stands out. It suggests a stable operational base, or at least a stable set of partners and accounts, rather than opportunistic cashouts spread across many jurisdictions. That consistency supports the “campaign” framing, because it implies planning and repeated execution. It also reveals a practical limit of obfuscation. Mixing services can complicate linkage, but operators still need exchanges that accept their deposits, tolerate their patterns, and provide access to liquidity. When the same venues keep appearing, investigators can focus on those junctions and map the ecosystem around them.

TRM’s narrative ties these off-ramps to a broader picture of Russian financial infrastructure as an enabler for cybercrime. In this case, the enabling role appears in the final steps of the monetization chain, where mixed Bitcoin meets exchange rails. The on-chain evidence of Russia-based operational control, combined with repeated exchange endpoints, points toward coordination rather than isolated usage. Crypto Theft becomes easier to run at scale when the last mile stays dependable. That last mile also becomes a point where enforcement pressure, sanctions, and compliance actions can disrupt future campaigns, especially when investigators can show continuity across time and across laundering phases.

Conclusion

Crypto Theft linked to the 2022 LastPass breach illustrates how one credential incident can keep producing losses years later. TRM Labs describes about $35 million traced to Russian cybercriminal infrastructure, with more than $28 million laundered through Wasabi in late 2024 and early 2025, plus another wave of about $7 million in September 2025. Investigators also describe flows through Cryptomixer.io to Cryptex, which OFAC sanctioned in 2024, and later withdrawals that reached Audi6. The on-chain details matter because they outline a repeatable pipeline rather than a single theft story. Attackers imported stolen Bitcoin keys into the same wallet software, reused recognizable transaction patterns like SegWit, converted non-Bitcoin assets into Bitcoin via instant swaps, and relied on consistent off-ramps. That combination left enough structure for demixing and clustering analysis to connect activity before and after mixing. In this case, Crypto Theft did not depend on invisibility alone. It depended on durable infrastructure, and that durability created the trace investigators used to map the monetization path.

Disclaimer

The information provided in this article is for informational purposes only and should not be considered financial advice. The article does not offer sufficient information to make investment decisions, nor does it constitute an offer, recommendation, or solicitation to buy or sell any financial instrument. The content is the opinion of the author and does not reflect any view, suggestion, or advice of any kind from CryptoNewsBytes.com. The author declares that he does not hold any of the above-mentioned tokens and has not received any incentive from any company.
