LastPass, a service used to store login credentials and other sensitive information in encrypted digital vaults, has again been linked to large-scale cryptocurrency thefts stemming from its 2022 security incident. New blockchain analysis indicates that Russian cybercriminal infrastructure played a central role in laundering stolen funds taken from affected users.

The findings relate to cryptocurrency losses suffered by users whose encrypted password vaults were accessed during the breach. According to cybersecurity researchers, wallets holding stolen cryptocurrency repeatedly interacted with services and exchanges associated with Russian-speaking cybercrime networks. This activity was observed over an extended period, indicating that the theft and laundering of funds continued well after the original incident became public.

The 2022 breach allowed attackers to obtain encrypted backups of user vaults. While the vaults themselves were encrypted, researchers have said attackers were able to extract sensitive information from some accounts by cracking weak master passwords. In cases where users stored cryptocurrency seed phrases or private keys inside their vaults, attackers were later able to access and drain associated wallets.

Researchers said more than $35 million in cryptocurrency linked to the incident was traced through laundering routes between late 2024 and 2025. The funds were primarily converted to bitcoin and passed through cryptocurrency mixing services designed to obscure transaction histories. Despite these measures, analysts were able to identify patterns consistent with coordinated laundering activity.

The laundering flows were linked to infrastructure historically used by Russian cybercriminal groups. This included the use of mixing services and exchanges that have appeared in past investigations involving financially motivated cybercrime. Researchers said the repeated reuse of the same services and wallet clusters suggested continuity of control rather than unrelated criminal activity.

Attribution of the original breach itself remains unresolved. Researchers stressed that while the on-chain evidence suggests involvement by Russian-based criminal networks in the laundering and cash-out stages, it does not conclusively identify who carried out the initial intrusion into LastPass systems.

The findings highlight the long-term impact of breaches involving encrypted credential data. Even when stolen information cannot be immediately exploited, attackers may continue to extract value months or years later, particularly when sensitive material such as cryptocurrency keys is stored in password vaults.

Cybersecurity specialists have repeatedly warned against storing private keys or recovery phrases for digital wallets in online password managers. Once exposed, such information cannot be revoked, making any compromise potentially irreversible.

The continued movement of stolen cryptocurrency years after the LastPass breach underscores how data exposure incidents can have lasting financial consequences for affected users, even when the original attack appears to be contained.
