Hot Take LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

Parkinsond
Thread author
Dec 6, 2023
"As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025."

The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the Russian exchanges receiving LastPass-linked funds as recently as October.

The stolen funds have been found to be routed through Cryptomixer.io and off-ramped via Cryptex and Audia6, two Russian exchanges associated with illicit activity. It's worth mentioning here that Cryptex was sanctioned by the U.S. Treasury Department in September 2024 for receiving over $51.2 million in illicit funds derived from ransomware attacks.

Earlier this month, the password management service was fined $1.6 million by the U.K. Information Commissioner's Office (ICO) for failing to implement sufficiently robust technical and security measures to prevent the incident.

Original Source:

In 2022, a threat actor gained access to encrypted vault data stored by LastPass. As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later — leading to wallet drains as recently as late 2025.
...
Many affected LastPass users failed to change or secure master passwords, and their vaults still contained private keys. As threat actors brute-force vaults over time, slow-drip wallet draining has become a recurring pattern.
It's interesting how the blockchain intelligence company attributes the possible actors in this case, but their mitigation analysis is likely off the mark. The problem is that users kept their seed phrases in their LastPass vaults, protected by either weak passwords, outdated KDF, or both. Changing the online password wouldn't have helped; the attackers already had the information from the already exfiltrated vaults with weak encryption. They cracked the vaults that they already possessed. LastPass users should have moved their assets out of the wallets associated with the affected seeds long ago but didn't.

These "security experts" keep recommending poor mitigations; no wonder some LastPass users never got ahead of the curve.
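The reasoning in the post above (the attacker already holds the exfiltrated vault, so only the master password and KDF cost at the time of theft matter, and a later password rotation re-encrypts nothing) as an added cost-model example; this is not code from the thread, LastPass or TRM Labs, and the attacker throughput, iteration counts, threshold and sample passwords are constructed assumptions:

```python
import hashlib
import math

# Assumed attacker throughput for PBKDF2-HMAC-SHA256 iterations on a GPU rig
# (constructed order-of-magnitude figure, not a measured or published value).
ASSUMED_ITERATIONS_PER_SECOND = 2.0e10
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed threshold: the blob has been in attacker hands since 2022, so a
# vault that can be exhausted inside this window is treated as already cracked.
EXPOSED_WITHIN_YEARS = 3.0


def keyspace_bits(password: str) -> float:
    """Crude keyspace estimate from the character classes actually used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(password: str, iterations: int) -> float:
    """Years for the assumed rig to try every password in the estimated space."""
    guesses_per_second = ASSUMED_ITERATIONS_PER_SECOND / iterations
    return 2 ** keyspace_bits(password) / guesses_per_second / SECONDS_PER_YEAR


def stolen_vault_key(master_password: str, iterations: int, salt: bytes) -> bytes:
    """Key the stolen blob is encrypted under. It depends only on the password
    and KDF cost at the moment of theft; changing the password on the service
    afterwards does not touch the attacker's copy."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)


def assess(master_password_at_theft: str, iterations_at_theft: int) -> str:
    """Defender-side verdict for a user whose vault held wallet seed phrases."""
    years = years_to_exhaust(master_password_at_theft, iterations_at_theft)
    if years <= EXPOSED_WITHIN_YEARS:
        return "seeds exposed: move funds to wallets with new seeds; rotation alone does nothing"
    return "outside the assumed window: still move funds, but cracking is not imminent"
```

Under these assumptions a nine-character lowercase-plus-digit master password at 5,000 iterations is exhausted in under a year, while the same password at 600,000 iterations takes roughly a century; the verdict changes, the advice to move the funds does not.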
 
A few hours of reading can save lots of money and more hours trying to contain damage.
Yeah but you forget people have busy lives, they work 8 to 12 hours a day and in the case of nurses, teachers and doctors are on their feet and on call 24/7.

I imagine people who had their wallet hacked due to LastPass probably bought coins when they were worthless or much less, then wrote seed in LastPass and forgot about it.
 
Yeah, but you forget people have busy lives; they work 8 to 12 hours a day, and in the case of nurses, teachers and doctors they are on their feet and on call 24/7.
30 min daily on forums such as MT is more than enough; they do not have to read all the posts (especially the AI-generated copied text).
People spend hours daily on worthless YT videos.
 
Excuse me here: But are you people saying there are OTHER sites apart from MalwareTips?? I've always thought this is the only site there was & paying for fast fibre was a bit of overkill as I only go on this site, set me straight here??
 
A few hours of reading can save lots of money and more hours trying to contain damage.
Like people storing passwords and 2FA in the same password manager, basically rendering 2FA useless.
My ISP gave me a book about security. It is simple, like the Ten Commandments; people ignore it till it is too late.
For example, something as simple as a card limit?! The default was 12k; I never had so much money, so I set it to 100.


"As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later – leading to wallet drains as recently as late 2025."
They seem to fail on basic security news: regularly changing passwords is considered insecure now; it forces people to use weak passwords, and it is what phishing uses.

 
Like people storing passwords and 2FA in the same password manager, basically rendering 2FA useless.
My ISP gave me a book about security. It is simple, like the Ten Commandments; people ignore it till it is too late.
For example, something as simple as a card limit?! The default was 12k; I never had so much money, so I set it to 100.


They seem to fail on basic security news: regularly changing passwords is considered insecure now; it forces people to use weak passwords, and it is what phishing uses.

That is why reading and gaining knowledge is mandatory, not luxurious.