Uncovering the Link: Cryptocurrency Theft and the 2022 LastPass Breach
Cryptocurrency Thefts Linked to LastPass Breach
Recent investigations by blockchain firm TRM Labs have revealed a troubling connection between ongoing cryptocurrency thefts and the 2022 LastPass breach. Attackers have been draining wallets long after encrypted vaults were stolen, using Russian exchanges to launder the stolen crypto.
The breach at LastPass occurred when attackers compromised a developer environment, gaining access to the company’s source code and technical information. This breach was later compounded by a security incident at cloud storage firm GoTo, where hackers used stolen credentials to access LastPass database backups containing encrypted password vaults.
Although the vaults were encrypted, users with weak or reused master passwords were at risk of offline cracking, which attackers have been carrying out since the initial breach. LastPass advised users to reset their master passwords to enhance security.
The U.S. Secret Service confirmed the link between the LastPass breaches and crypto thefts, seizing over $23 million in cryptocurrency. The attackers obtained victims’ private keys by decrypting vault data stolen in the breach, indicating a sophisticated operation.
TRM Report on Cryptocurrency Thefts
TRM Labs’ report highlighted how cryptocurrency theft attacks were traced back to the abuse of stolen LastPass password vaults. Instead of immediate wallet draining, the thefts occurred in waves over time as attackers gradually decrypted vaults.
The stolen funds were laundered through Russian exchanges, with attackers converting crypto to Bitcoin and using techniques like CoinJoin to obfuscate transactions. TRM traced the stolen funds even after they were mixed, using proprietary demixing techniques.
“TRM’s analysis revealed a coordinated campaign behind the thefts, with clusters of transactions pointing to a Russia-based operation. By matching Wasabi deposits with withdrawal patterns, TRM identified the threat actors responsible for the crypto thefts.”
By treating the thefts as a coordinated effort, TRM estimated that over $28 million in cryptocurrency was stolen and laundered through Wasabi Wallet in late 2024 and early 2025. Additional funds were linked to a later wave of attacks in September 2025.
The stolen funds were consistently cashed out through Russian-linked exchanges, indicating the involvement of the same threat actors in multiple breaches. TRM’s thorough investigation shed light on the complex web of crypto theft and money laundering activities.

