LastPass 2022 Breach Still Driving Crypto Theft Through Offline Master Password Cracking

CyberSecureFox 🦊

The fallout from the 2022 LastPass breach continues to affect cryptocurrency holders years later. According to new analysis by TRM Labs, encrypted backups of user vaults stolen in that incident are still being cracked today, enabling attackers to recover private keys, seed phrases, and exchange credentials and move victims’ digital assets to attacker-controlled wallets.

How the LastPass breach exposed encrypted password vaults

The 2022 incident began with the compromise of a LastPass employee’s home computer. Through this foothold, attackers accessed internal resources and exfiltrated multiple datasets, including encrypted backups of customer password vaults. These vaults often contained not only website logins, but also cryptocurrency private keys, seed phrases, and exchange API keys.

LastPass, like many password managers, uses a client-side encryption model: vault contents are encrypted locally and protected by a user-defined master password. The provider does not know this password and cannot decrypt the data. However, once an attacker obtains an encrypted vault file, they are free to perform offline password guessing without rate limits, lockouts, or multifactor authentication checks.

Offline brute-force: why weak master passwords are a critical risk

TRM Labs reports that threat actors have spent years conducting offline brute-force attacks against the stolen LastPass vault backups. Unlike online logins, where mechanisms such as CAPTCHA, account lockouts, and MFA slow down attacks, offline cracking is limited only by the attacker’s computing power, including modern GPUs and cloud infrastructure.

Vaults protected by short, predictable, or reused master passwords — such as single words, dates, or keyboard patterns — are especially vulnerable. Given enough time and processing power, these passwords can be discovered, turning the LastPass breach into a prolonged “multi‑year window of opportunity” for attackers. TRM Labs notes that the theft campaign against crypto users continued into late 2025, in many cases because users did not strengthen their passwords or change how they stored sensitive secrets.

TRM Labs links over $35 million in stolen crypto to the LastPass breach

Using blockchain analytics, TRM Labs has associated more than $35 million in stolen digital assets with the LastPass data theft. Around $28 million in crypto was converted to bitcoin and laundered through the privacy-focused Wasabi Wallet from late 2024 through early 2025. An additional approximately $7 million is tied to a fresh wave of thefts observed in September 2025.

Indicators of a Russian-speaking cybercriminal ecosystem

Researchers link this activity to a Russian-speaking cybercriminal ecosystem based on two main sets of indicators. First, the laundering chain relies on services and exchanges previously observed in investigations of Russian-speaking groups. Second, analysts see a recurring cluster of wallets interacting with mixing services before and after coinjoins, suggesting a shared operational infrastructure rather than isolated opportunistic thefts.

According to TRM Labs, stolen assets frequently flowed through Cryptomixer[.]io, after which a portion of the funds was cashed out via the exchanges Cryptex and Audia6. In September 2024, the U.S. Department of the Treasury placed Cryptex under sanctions for allegedly facilitating money laundering involving both cryptocurrencies and fiat currencies, further reinforcing concerns about its role in illicit finance.

Why many LastPass users remained exposed for years

The prolonged success of these attacks is largely explained by the human factor. Many affected users either did not change their master password after the breach or continued to store high-value secrets such as seed phrases in their password manager. For non-specialists, “encrypted” is often perceived as “absolutely secure,” while the crucial role of password strength and configuration is underestimated.

The security of a vault depends not only on robust algorithms such as AES‑256, but also on the strength of the master password and the parameters of the key derivation function (KDF), such as PBKDF2 or Argon2. A short password combined with a low iteration count makes offline brute-force attacks orders of magnitude faster. With inexpensive GPU rigs and cloud services, even moderately complex but short passwords no longer provide a comfortable security margin.

How to protect password managers and crypto wallets after a breach

Harden your master password and password manager settings

For users of any password manager, the following practices significantly reduce risk:

– Use a unique, high-entropy master passphrase, ideally a sequence of several random words that is at least 14–16 characters long;
– Verify that your vault uses a modern KDF with a high iteration count (e.g., sufficiently tuned PBKDF2 or Argon2) to slow down offline cracking;
– Enable multifactor authentication (MFA) wherever possible, especially for logins to the password manager account and email;
– After any notification of a breach or suspicious activity, immediately change your master password and rotate credentials for critical accounts (email, exchanges, banking, admin panels).
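As an added example (not code from the article or from TRM Labs), the following Python script makes the KDF paragraph above and this checklist concrete: it generates a passphrase with a CSPRNG, derives a vault key with PBKDF2-HMAC-SHA256, and estimates expected offline cracking time so the trade-off between passphrase entropy and iteration count against an assumed attacker hash rate becomes visible. The sample wordlist, salt, iteration counts and the 10 GH/s attacker rate are constructed assumptions, not LastPass's parameters.

```python
import hashlib
import math
import secrets

# Constructed eight-word sample list for the demo; a real generator uses a
# full diceware-style list (7776 words, about 12.9 bits per word).
SAMPLE_WORDS = ["anchor", "basil", "comet", "dune", "ember", "fjord", "gale", "harbor"]
DICEWARE_SIZE = 7776
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_passphrase(n_words, wordlist=SAMPLE_WORDS):
    """Choose n_words uniformly with a CSPRNG (secrets, never random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=DICEWARE_SIZE):
    """Entropy of a uniformly chosen passphrase: n * log2(wordlist size)."""
    return n_words * math.log2(wordlist_size)


def derive_vault_key(master_password, salt, iterations, dklen=32):
    """Derive a vault key with PBKDF2-HMAC-SHA256; salt and iteration
    count are caller-supplied assumptions (constructed, not LastPass's)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, dklen)


def expected_crack_years(entropy_bits, iterations, hmac_per_second):
    """Expected offline cracking time: on average half the keyspace is
    searched, and each guess costs roughly `iterations` HMAC-SHA256 calls,
    so raising the iteration count divides the attacker's guess rate
    linearly. hmac_per_second is the assumed attacker rate (constructed)."""
    guesses_per_second = hmac_per_second / iterations
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def kdf_margin_ok(entropy_bits, iterations, hmac_per_second, min_years=100.0):
    """Defender check: does this password/KDF pair keep the expected
    cracking time above min_years for the assumed attacker?"""
    return expected_crack_years(entropy_bits, iterations, hmac_per_second) >= min_years


if __name__ == "__main__":
    rate = 1e10  # constructed: ~10 GH/s HMAC-SHA256 across a small GPU rig
    for bits, iters in [(40, 1000), (40, 600000), (77.5, 600000)]:
        yrs = expected_crack_years(bits, iters, rate)
        print(f"{bits:5.1f} bits, {iters:>7} iterations: ~{yrs:.3g} years "
              f"({'ok' if kdf_margin_ok(bits, iters, rate) else 'WEAK'})")
    print("sample passphrase:", generate_passphrase(6))
    print("vault key:", derive_vault_key("correct horse", "user@example.com", 600000).hex())
```

Run it to see that a 40-bit password falls in hours at 1,000 iterations and still within about a year at 600,000, while a six-word diceware passphrase stays out of reach at either setting.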

Secure storage for seed phrases and private keys

Seed phrases and private keys should be treated as a separate class of secrets with stricter handling rules. Recommended practices include:

– Wherever possible, avoid storing seed phrases in cloud-based password managers or email accounts;
– Prefer hardware wallets and dedicated offline key storage for long-term holdings;
– Create physical backups of seed phrases (paper, metal plates) and store them in secure, geographically separated locations;
– Regularly monitor your on-chain addresses and enable transaction alerts on exchanges and wallets to detect unauthorized movements quickly.

The LastPass incident demonstrates how a single compromise of encrypted data can fuel targeted attacks for many years when attackers can patiently crack passwords offline. Reviewing the strength of master passwords, tightening KDF settings, and segregating high-value crypto secrets from general-purpose password managers are no longer optional best practices but essential measures for safeguarding digital assets. It is advisable to audit password hygiene, password manager configurations, and cryptocurrency storage methods now, rather than waiting for the next large-scale breach to expose long-standing weaknesses.
