- Experts trace ongoing crypto thefts back to long-running LastPass breach fallout
- Blockchain analysis reveals coordinated laundering tied to compromised LastPass password vaults
- Stolen crypto continues moving through Russian exchanges years after LastPass hack
Blockchain security experts have renewed attention on the LastPass breach after uncovering evidence of continued crypto theft tied to the incident. TRM Labs reported that stolen assets linked to compromised password vaults are still being drained years after the original hack. Notably, the breach exposed encrypted backups of nearly 30 million customer vaults containing sensitive data, including private keys and recovery phrases tied to cryptocurrency wallets.
TRM Labs explained that attackers avoided immediate exploitation after accessing the data. Instead, they downloaded vaults in bulk and cracked weak master passwords offline over time. As a result, wallet drains continued through 2024 and 2025.
This slow approach reduced visibility while allowing steady asset extraction. Meanwhile, blockchain analysts identified theft clusters sharing nearly identical transaction behavior. These similarities suggest a coordinated operation rather than random criminal activity.
Coordinated laundering activity traced across blockchains
Significantly, experts observed that stolen Bitcoin followed repeatable transaction patterns as attackers imported private keys into identical wallet software. This process produced consistent SegWit and Replace-by-Fee features across transactions. Additionally, non-Bitcoin assets were quickly converted into Bitcoin using instant swap services. Funds then moved into new addresses before entering Wasabi Wallet for mixing.
Based on TRM Labs’ estimates, more than $28 million in cryptocurrency followed this laundering path in late 2024 and early 2025. Analysts treated the activity as a unified campaign rather than as isolated events, and proprietary demixing techniques linked deposits with withdrawal clusters that matched closely in timing and aggregate value.
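The SegWit and Replace-by-Fee fingerprinting described above can be illustrated with a short clustering routine. This is an added example, not TRM Labs' method or code: the decoded-transaction field names, the extra version and locktime traits, and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict

# BIP 125: a transaction signals replaceability when any input's
# nSequence is below 0xfffffffe.
RBF_THRESHOLD = 0xFFFFFFFE

def fingerprint(tx):
    """Reduce a decoded transaction to wallet-behaviour traits.

    SegWit use and RBF signalling are the traits the article names;
    version and a non-zero locktime are extra traits assumed here.
    """
    inputs = tx["inputs"]
    segwit = all(i["witness"] for i in inputs)  # every input carries witness data
    rbf = any(i["sequence"] < RBF_THRESHOLD for i in inputs)
    return (tx["version"], segwit, rbf, tx["locktime"] > 0)

def cluster(txs, min_size=2):
    """Group transaction ids by fingerprint, keeping groups of min_size or more."""
    groups = defaultdict(list)
    for tx in txs:
        groups[fingerprint(tx)].append(tx["txid"])
    return {fp: ids for fp, ids in groups.items() if len(ids) >= min_size}

def _inp(sequence, witness=True):
    # Helper for the constructed sample: witness items are placeholders.
    return {"sequence": sequence, "witness": ["sig", "pubkey"] if witness else []}

# Constructed sample of decoded transactions (ids are placeholders).
SAMPLE = [
    {"txid": "drain-1", "version": 2, "locktime": 870001,
     "inputs": [_inp(0xFFFFFFFD)]},
    {"txid": "drain-2", "version": 2, "locktime": 870155,
     "inputs": [_inp(0xFFFFFFFD), _inp(0xFFFFFFFD)]},
    {"txid": "drain-3", "version": 2, "locktime": 871020,
     "inputs": [_inp(0xFFFFFFFD)]},
    # Legacy spend, final sequence: no SegWit, no RBF.
    {"txid": "other-1", "version": 1, "locktime": 0,
     "inputs": [_inp(0xFFFFFFFF, witness=False)]},
    # SegWit, but 0xfffffffe sits exactly on the threshold: no RBF signal.
    {"txid": "other-2", "version": 2, "locktime": 0,
     "inputs": [_inp(0xFFFFFFFE)]},
]

if __name__ == "__main__":
    for fp, ids in cluster(SAMPLE).items():
        print(fp, ids)
```

Many wallets share these defaults, so a matching fingerprint narrows the candidate set rather than proving common control.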
Further investigation revealed two laundering phases connected to Russian exchange infrastructure. An earlier phase routed funds through Cryptomixer.io before off-ramping via Cryptex, a Russian exchange sanctioned in 2024. Later activity showed a shift in methods. About $7 million moved through Wasabi Wallet before reaching Audi6, another Russian exchange linked to cybercriminal use.
Indicators point to sustained operational control
Importantly, one exchange received LastPass-linked funds as recently as October 2025. This detail confirms the breach continues to generate revenue years after disclosure. Early Wasabi withdrawals occurred within days of wallet drains, indicating attackers executed the CoinJoin activity themselves.
Moreover, blockchain fingerprints observed before mixing matched intelligence gathered after withdrawals. These indicators consistently pointed toward Russia-based operational control. The findings show how compromised encrypted data can drive prolonged crypto theft. TRM Labs noted that long-term blockchain monitoring remains essential as stolen vault data continues to surface.

