


Perceptive Security
SOC/SIEM Consultancy

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds
Published:
25 December 2025 at 12:46:00
Alert date:
25 December 2025 at 13:02:17
Source:
thehackernews.com
Identity & Access, Data Breach & Exfiltration
TRM Labs reveals that encrypted vault backups stolen in the 2022 LastPass data breach continue to enable cybercriminals to crack weak master passwords and drain cryptocurrency assets through late 2025. Russian cybercriminal actors are believed to be involved in these ongoing attacks. The breach demonstrates the long-term impact of password manager compromises, where attackers can persistently attempt to crack encrypted vaults over years. Victims with weak master passwords remain vulnerable to having their cryptocurrency wallets accessed and drained. The findings highlight the critical importance of strong master passwords for password manager security.
Technical details
Attackers exploited encrypted vault backups stolen from the 2022 LastPass breach by using brute-force techniques to crack weak master passwords. Over $35 million in cryptocurrency was stolen, with $28 million converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million was linked to a September 2025 wave. Funds were routed through Cryptomixer.io and off-ramped via Russian exchanges Cryptex and Audia6. Despite CoinJoin mixing techniques, TRM Labs demixed the activity by analyzing clustered withdrawals and peeling chains.
Mitigation steps:
Users should rotate passwords and improve vault security, particularly strengthening master passwords to prevent brute-force attacks on encrypted vault data.
Affected products:
LastPass password manager
Related links:
https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement
https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html
https://thehackernews.com/2025/12/weekly-recap-apple-0-days-winrar.html#:~:text=U.K.%20Fines%20LastPass%20for%202022%20Breach
https://thehackernews.com/2024/09/us-sanctions-two-crypto-exchanges-for.html
Related CVEs:
Related threat actors:
IOCs:
Cryptomixer.io, Cryptex exchange, Audia6 exchange, Wasabi Wallet, Russian exchanges associated with illicit activity
This article was created with the assistance of AI technology by Perceptive.
