


Perceptive Security
SOC/SIEM Consultancy

Cryptocurrency theft attacks traced to 2022 LastPass breach
Published:
2 January 2026 at 17:28:01
Alert date:
2 January 2026 at 18:02:21
Source:
bleepingcomputer.com
Data Breach & Exfiltration, Identity & Access, Security Tools
TRM Labs has traced ongoing cryptocurrency theft attacks to the 2022 LastPass security breach. Attackers are continuing to drain cryptocurrency wallets years after stealing encrypted password vaults from the breach. The stolen funds are being laundered through Russian cryptocurrency exchanges. This demonstrates the long-term impact of the LastPass breach as attackers work to crack encrypted vault data over time. The attacks highlight how password manager breaches can have extended consequences for users' financial assets.
Technical details
Attackers breached LastPass systems in 2022 by compromising a developer environment, stealing source code and encrypted password vaults containing cryptocurrency wallet private keys and seed phrases. The stolen vaults were subject to offline cracking attacks targeting users with weak master passwords. Cryptocurrency thefts occurred in waves months or years after the breach as attackers gradually decrypted vaults. Stolen funds totaling over $28 million were laundered through Wasabi Wallet using CoinJoin mixing techniques, then cashed out via Russian-linked exchanges including Cryptex and Audi6. TRM Labs developed demixing techniques to trace funds by analyzing transaction structure, timing, and wallet configuration patterns despite CoinJoin obfuscation.
Mitigation steps:
Users should reset their master password if it was weak or reused, especially where the account had a low iteration count setting. Monitor cryptocurrency wallets for unauthorized access. Consider migrating to an alternative password manager, and update all stored credentials. Use a strong, unique master password with a high iteration count.
Affected products:
LastPass password manager
GoTo cloud storage
Cryptocurrency wallets storing private keys in LastPass vaults
Related links:
https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/
https://www.bleepingcomputer.com/news/security/goto-says-hackers-breached-its-dev-environment-cloud-storage/
https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-accessed-customer-data-in-new-breach/
https://www.bleepingcomputer.com/news/security/lastpass-breach-linked-to-theft-of-44-million-in-crypto/
https://www.bleepingcomputer.com/news/security/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach/
https://www.trmlabs.com/resources/blog/trm-traces-stolen-crypto-from-2022-lastpass-breach-on-chain-indicators-suggest-russian-cybercriminal-involvement
http://support.lastpass.com/s/document-item?language=en_US&bundleId=lastpass&topicId=LastPass/security-bulletin-recommended-actions-free-premium-families.html&_LANG=enus
http://legacy.www.documentcloud.org/documents/25555236-merged_42402_-1-1741359918
IOCs:
Cryptex exchange, Audi6 exchange, Wasabi Wallet CoinJoin transactions, Russian-linked cryptocurrency exchanges
This article was created with the assistance of AI technology by Perceptive.
