CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Stolen LastPass Vaults Continue to Fuel Crypto Theft Years After 2022 Breach

New analysis from TRM Labs reveals that encrypted vault backups stolen during the 2022 LastPass breach are still being exploited to drain cryptocurrency assets as recently as late 2025.

The findings show that attackers have successfully cracked vaults protected by weak master passwords, enabling long-term, quiet theft of digital assets. On-chain evidence points to Russian cybercriminal infrastructure playing a central role in laundering the stolen funds.

More than $35 million in cryptocurrency has now been linked to this activity, demonstrating how a single breach can evolve into a multi-year financial threat.

Context

The LastPass breach in 2022 marked a turning point in password manager risk awareness.

Attackers gained access to encrypted vault backups containing highly sensitive data, including saved credentials, cryptocurrency private keys, and seed phrases. While the vaults were encrypted, their security ultimately depended on the strength of users’ master passwords.

At the time, LastPass warned that offline brute-force attacks against weak master passwords were possible. TRM Labs’ latest findings confirm that this theoretical risk has since become a prolonged and measurable reality.

What Happened

According to TRM Labs, attackers have continued decrypting stolen LastPass vaults well beyond the initial breach window.

By exploiting weak or unchanged master passwords, threat actors were able to extract crypto wallet credentials and systematically drain funds over several years. Blockchain analysis indicates that stolen assets were actively laundered through 2024 and 2025, with some funds traced to Russian-linked exchanges as recently as October 2025.

Earlier this month, LastPass was fined £1.6 million by the UK Information Commissioner's Office for failing to implement adequate security controls prior to the breach.

Technical Breakdown

The attack chain relied on offline decryption, not live system access.

Once encrypted vault backups were stolen, attackers could attempt unlimited password guesses without triggering security alerts. Vaults protected by weak master passwords were eventually cracked, exposing stored secrets.
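An added example, not from TRM Labs or this newsletter: a small cost model of offline guessing that shows why some vaults fall within the years since 2022 while others do not, and which ones a defender should treat as already opened. The KDF iteration counts, the attacker hash rate and the vault inventory are constructed assumptions.

```python
import math

# Assumptions (constructed for illustration, not taken from the article):
# the vault key comes from an iterated password KDF, and the attacker
# sustains RAW_RATE primitive hash operations per second.
RAW_RATE = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a secret whose symbols are each picked uniformly at random.
    Human-chosen passwords carry far less than this upper bound."""
    return symbols * math.log2(choices_per_symbol)

def expected_years(bits, kdf_iterations, raw_rate=RAW_RATE):
    """Expected search time: half the keyspace, kdf_iterations hash ops per guess."""
    guesses = 2 ** (bits - 1)
    return guesses * kdf_iterations / raw_rate / SECONDS_PER_YEAR

def min_bits_for_window(years, kdf_iterations, raw_rate=RAW_RATE):
    """Smallest whole-bit entropy whose expected search time outlasts the window."""
    guesses_in_window = years * SECONDS_PER_YEAR * raw_rate / kdf_iterations
    return math.ceil(math.log2(guesses_in_window) + 1)

def triage(vaults, window_years):
    """Names of vaults expected to fall inside the exposure window, weakest first.
    Every secret stored in them needs rotating, not only the master password."""
    scored = [(expected_years(v["bits"], v["iterations"]), v["name"]) for v in vaults]
    return [name for years, name in sorted(scored) if years < window_years]

# Constructed inventory: master password policy and KDF setting per vault.
VAULTS = [
    {"name": "word+2digits", "iterations": 100_000,
     "bits": entropy_bits(100_000, 1) + entropy_bits(10, 2)},
    {"name": "8-lowercase", "iterations": 5_000, "bits": entropy_bits(26, 8)},
    {"name": "10-alnum-random", "iterations": 100_000, "bits": entropy_bits(62, 10)},
    {"name": "5-word-diceware", "iterations": 600_000, "bits": entropy_bits(7776, 5)},
]

if __name__ == "__main__":
    for v in VAULTS:
        years = expected_years(v["bits"], v["iterations"])
        print(f'{v["name"]:16} {v["bits"]:5.1f} bits  {years:.3g} years')
    print("rotate first:", triage(VAULTS, window_years=3))
```

Raising the iteration count after the theft does not help the stolen copy: the attacker keeps working against the backup as it was encrypted at the time, so the stored keys and seed phrases themselves have to be replaced.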

TRM Labs traced more than $35 million in stolen digital assets. Approximately $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. An additional $7 million was linked to a second wave identified in September 2025.

Despite the use of CoinJoin mixing techniques, analysts identified clustered withdrawals and “peeling chains” that funneled funds through Cryptomixer.io and off-ramped them via Cryptex and Audia6.

Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for facilitating ransomware-related money laundering.

Impact Analysis

The financial impact continues to grow years after the original breach.

Victims who failed to rotate credentials or strengthen vault security remained exposed long after 2022. Unlike traditional breaches, this model allowed attackers to extract value slowly, quietly, and opportunistically.

For the broader ecosystem, the case highlights the persistent risks of encrypted data theft when encryption strength is tied to human-chosen passwords.

Why It Matters

This incident reframes how breaches should be assessed.

A single intrusion can create a multi-year exploitation window, especially when attackers obtain encrypted data that can be attacked offline. The delayed nature of the theft complicates detection, attribution, and victim response.

It also underscores the systemic risk posed by high-risk crypto exchanges and mixers that continue to serve as reliable off-ramps for cybercriminal activity.

Expert Commentary

“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, Global Head of Policy at TRM Labs.

He noted that even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal attribution signals. According to Redbord, Russian high-risk exchanges remain a critical chokepoint for global cybercrime investigations.

Key Takeaways

  • Stolen LastPass vaults are still being exploited years after the 2022 breach

  • Weak master passwords enabled offline decryption of encrypted vaults

  • Over $35 million in crypto has been traced to the campaign

  • Funds were laundered using mixers and Russian-linked exchanges

  • CoinJoin techniques did not prevent effective blockchain analysis

  • The case highlights the long-term risks of encrypted data theft
