The Breach That Won’t Die: LastPass Vaults Fuel a $35M Crypto Heist 3 Years Later
The LastPass breach that occurred back in 2022 continues to generate illicit profits years later. A recent on-chain analysis by TRM Labs has uncovered new details about the underlying criminal infrastructure. At the time of the attack, adversaries gained access to backup copies of roughly 30 million user “vaults”—encrypted containers holding highly sensitive information, including private keys and seed phrases for cryptocurrency wallets.
Although the vault contents cannot be read without the master password, the attackers exfiltrated the encrypted files at scale, turning a single breach into a protracted campaign. Because the vault's encryption key is derived from the master password, anyone holding the ciphertext can test candidate passwords offline, with no rate limit, lockout or alert to slow them down. Weak master passwords could therefore be cracked over months or even years, quietly unlocking personal data and draining assets long after the initial incident.
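To make the offline-cracking point concrete, here is an added example (not code from the article or from TRM Labs) that models a stolen, password-protected vault. It assumes a PBKDF2-HMAC-SHA256 derivation with the lower-cased account e-mail as salt and a 32-byte key; the e-mail, wordlist, iteration counts and rig speed are all constructed for the demo and are not claims about any real account or LastPass's actual settings. The derived key stands in for the ciphertext the attacker would really hold, so a correct guess is recognisable without any server involvement:

```python
"""Offline guessing against a stolen, PBKDF2-protected vault (constructed demo).

Assumptions (not from the article): vault key = PBKDF2-HMAC-SHA256(
master_password, salt=lower-cased e-mail, iterations, 32 bytes). The attacker
holds the vault ciphertext and can therefore verify each guess locally; the
derived key itself is used here as that verification oracle.
"""
import hashlib
import hmac
import time

EMAIL = "victim@example.com"                 # constructed
WEAK_MASTER = "Summer2019!"                  # constructed weak master password
LEGACY_ITERATIONS = 5_000                    # illustrative low setting
MODERN_ITERATIONS = 600_000                  # illustrative current recommendation
WORDLIST = ["password", "123456", "letmein", "Summer2019!", "qwerty"]  # constructed


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Key derivation as assumed above; the salt is the normalised e-mail."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        32,
    )


def offline_crack(target_key: bytes, email: str, iterations: int, candidates):
    """Try each candidate master password against the stolen material.

    Nothing here touches a server, so no lockout, throttling or alert applies.
    Returns (password, guesses_used) on success, or (None, guesses_used).
    """
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(derive_vault_key(guess, email, iterations), target_key):
            return guess, n
    return None, len(candidates)


def seconds_to_exhaust(keyspace: int, iterations: int, sha256_per_second: float) -> float:
    """Time to try `keyspace` guesses on a rig doing `sha256_per_second`
    PBKDF2 inner iterations per second (assumed figure). Cost scales linearly
    with the iteration count, which is why low legacy settings matter."""
    return keyspace * iterations / sha256_per_second


def measure_guess_time(iterations: int, samples: int = 3) -> float:
    """Wall-clock seconds per guess on this machine at the given iteration count."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", EMAIL, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    stolen = derive_vault_key(WEAK_MASTER, EMAIL, LEGACY_ITERATIONS)
    print("recovered:", offline_crack(stolen, EMAIL, LEGACY_ITERATIONS, WORDLIST))
    rig = 1e9  # assumed: one billion SHA-256 iterations per second across GPUs
    for it in (LEGACY_ITERATIONS, MODERN_ITERATIONS):
        print(f"{it:>7} iterations: {measure_guess_time(it):.4f} s/guess locally, "
              f"{seconds_to_exhaust(10**9, it, rig):,.0f} s for 1e9 guesses on the rig")
```

The two iteration counts differ by a factor of 120, and so does the attacker's cost per guess; a short, guessable master password at a low legacy setting falls to a modest wordlist in seconds, while the same wordlist at the higher setting merely takes longer. Length and unpredictability of the master password are what actually move the attacker's budget out of reach.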
According to TRM’s report, fresh waves of wallet drains were observed throughout 2024 and continued into 2025, with the fallout proving far more extensive than initially understood. Analysts examined a recent cluster of thefts and traced the stolen funds through mixers to two high-risk exchanges frequently used by cybercriminals as fiat off-ramps. TRM notes that one such venue was still receiving funds linked to LastPass as late as October.
The report emphasizes that these findings are not speculative, but rest on a convergence of reinforcing indicators. First, the stolen assets repeatedly passed through well-known off-ramps historically associated with illicit activity. Second, wallet data interacting with mixers both before and after the mixing process pointed to continuity of control—suggesting a single coordinated group rather than unrelated users who later acquired “tainted” coins. Even so, TRM cautions that definitive attribution of the original breach to specific actors remains elusive.
A pivotal role in the investigation was played by “demixing”: cluster-level analysis of CoinJoin activity, which can re-link mixer inputs and outputs when they follow consistent, non-random patterns. TRM identified a distinctive signature: stolen Bitcoin keys were imported into the same wallet software, yielding shared technical traits such as SegWit usage and Replace-by-Fee. Altcoins were rapidly converted into Bitcoin via instant swap services, routed through disposable addresses, and then sent to Wasabi Wallet. TRM estimates that in late 2024 and early 2025 alone, more than $28 million was stolen, converted to BTC, and laundered through Wasabi in this manner.
Rather than treating each theft in isolation, analysts interpreted the activity as a coordinated campaign. They grouped Wasabi deposits and withdrawals over time, matching volumes and timing—an alignment they argue is statistically improbable by chance. Early exits from Wasabi occurred just days after the initial drains, implying that CoinJoin was performed by the original attackers themselves, not by subsequent holders of the coins.
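The volume-and-timing linkage described in the last two paragraphs can be sketched as a small heuristic. The following is an added example, not TRM's tooling or anything taken from the report: it pairs each mixer deposit with later withdrawals that carry the same wallet-software traits (SegWit and Replace-by-Fee flags stand in for the "distinctive signature"), fall inside a fixed time window, and sum to the deposit minus at most an assumed fee. The transactions, the seven-day window, the 3% fee bound and the three-output limit are all constructed for the demo; real CoinJoin analysis is considerably more involved, but the shape of the argument is the same.

```python
"""Volume-and-timing linkage of mixer deposits to withdrawals (constructed demo).

Heuristic: a deposit and a set of withdrawals are linked when they share the
same wallet-software fingerprint, the withdrawals occur within `window` after
the deposit, and their total equals the deposit less at most `max_fee`. All
parameters and transactions below are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Tx:
    txid: str
    ts: datetime
    sats: int        # amount in satoshis
    segwit: bool     # SegWit used (wallet-software trait)
    rbf: bool        # Replace-by-Fee signalled (wallet-software trait)


def fingerprint(tx: Tx) -> tuple:
    """Traits that transactions built by the same wallet software share."""
    return (tx.segwit, tx.rbf)


def link_mixer_flows(deposits, withdrawals, window=timedelta(days=7),
                     max_fee=0.03, max_outputs=3):
    """Return [(deposit_txid, (withdrawal_txids, ...)), ...].

    Each withdrawal is consumed at most once; deposits are processed in time
    order and the smallest matching withdrawal set wins.
    """
    used = set()
    links = []
    for d in sorted(deposits, key=lambda t: t.ts):
        cands = [w for w in sorted(withdrawals, key=lambda t: t.ts)
                 if w.txid not in used
                 and fingerprint(w) == fingerprint(d)
                 and d.ts < w.ts <= d.ts + window]
        low = int(d.sats * (1 - max_fee))
        match = None
        for k in range(1, max_outputs + 1):
            for combo in combinations(cands, k):
                if low <= sum(w.sats for w in combo) <= d.sats:
                    match = combo
                    break
            if match:
                break
        if match:
            used.update(w.txid for w in match)
            links.append((d.txid, tuple(w.txid for w in match)))
    return links


def cluster_by_fingerprint(links, deposits):
    """Group linked deposits by wallet fingerprint: continuity of control is
    argued when one fingerprint accounts for both sides of several flows."""
    by_id = {d.txid: d for d in deposits}
    clusters = {}
    for dep_id, _ in links:
        clusters.setdefault(fingerprint(by_id[dep_id]), []).append(dep_id)
    return clusters


# Constructed sample: d1, d2 come from the suspected wallet software (SegWit+RBF),
# d3 is an unrelated mixer user with a different fingerprint.
DEPOSITS = [
    Tx("d1", datetime(2024, 11, 2, 10), 420_000_000, True, True),
    Tx("d2", datetime(2024, 11, 3, 8), 150_000_000, True, True),
    Tx("d3", datetime(2024, 11, 10, 0), 200_000_000, False, False),
]
WITHDRAWALS = [
    Tx("w1", datetime(2024, 11, 4, 12), 250_000_000, True, True),
    Tx("w2", datetime(2024, 11, 5, 9), 165_000_000, True, True),   # w1+w2 = d1 - fee
    Tx("w3", datetime(2024, 11, 5, 15), 148_000_000, True, True),  # = d2 - fee
    Tx("w4", datetime(2024, 11, 12, 0), 199_000_000, False, False),  # = d3 - fee
    Tx("w5", datetime(2024, 11, 20, 0), 90_000_000, True, True),   # outside any window
]


def demo():
    links = link_mixer_flows(DEPOSITS, WITHDRAWALS)
    return links, cluster_by_fingerprint(links, DEPOSITS)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The fee bound and window are the knobs that decide how many accidental matches the heuristic produces; in practice an analyst would test them against known-benign mixer traffic before arguing, as the report does, that the observed alignment is unlikely to be chance.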
TRM also highlights a two-phase pattern in the cash-out process. In the earlier phase, following the initial exploitation, funds were routed through the now-defunct Cryptomixer.io and cashed out via Cryptex, a high-risk exchange long associated with cybercriminal fiat exits. In a second wave, which TRM links to September 2025, analysts traced approximately $7 million passing through Wasabi before landing on the Audi6 exchange. In total, TRM claims to have tracked more than $35 million, while stressing that this figure likely represents only part of the overall loss.
The analysts conclude that mixers alone do not guarantee the disappearance of traces when attackers rely on the same infrastructure and familiar geographic off-ramps for years. The LastPass saga carries an additional, painful coda: many users never strengthened their master passwords or rebuilt their vault security. Strengthening the master password today does not protect the copy already in attackers' hands; only rotating the secrets stored in the vault, above all moving crypto funds to wallets with freshly generated seed phrases, closes the window. Until that happens, attackers retain ample time to methodically crack weak passwords and continue siphoning assets, even three years after the original breach.