Over the past few years, hackers have used stolen data from LastPass to steal $28 million worth of assets.

The LastPass hack in 2022: consequences and the Russian connection

26.12.2025


The 2022 hack of the LastPass password manager continues to have dire consequences: in 2024 and 2025, attackers are still using the stolen data to gain access to other people's crypto wallets. GetBlock AML Research traces where the stolen funds went and who appears to be behind the laundering.

Key findings

  • In the chain of money laundering related to the LastPass hack, infrastructure linked to the Russian cybercriminal community was used at various stages.
  • Analysis showed that even after attempts to “mix” the money to cover their tracks, a behavioral link remained—actions before and after this stage pointed to the same participants.
  • The laundered bitcoins passed through the high-risk Russian crypto exchanges Cryptex and Audia6.
  • This case illustrates, on the one hand, the resilience of cybercriminal ecosystems and, on the other, that methods of concealing the origin of funds are becoming increasingly ineffective.

In 2022, hackers broke into LastPass, one of the world's most popular password managers, and took backup copies of approximately 30 million user vaults: encrypted "safes" in which users kept their most sensitive data, including passwords and, in many cases, crypto wallet private keys and recovery (seed) phrases.

Although the vault contents were encrypted with a key derived from the user's master password (via PBKDF2, with an iteration count that on older accounts had been left very low) and so were not immediately readable, the attackers were able to download copies en masse. That created a long-term risk for more than 25 million users worldwide: a weak master password, or a low iteration count, can be cracked offline at leisure. Not everything in a vault was encrypted, either: website URLs were stored in cleartext, which let attackers single out vaults that referenced crypto exchanges and wallet services. Thus a single hack in 2022 became a multi-year opportunity to crack vaults one by one and withdraw the assets they unlocked.
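To make the offline-cracking risk concrete, here is an added example (not LastPass's code and not from the original article) of why a stolen vault backup is dangerous even though it is encrypted. The vault model is a simplification and an assumption: the key is PBKDF2-HMAC-SHA256 over the master password salted with the account e-mail, and a SHA-256 verifier of that key is stored with the ciphertext so a guess can be checked without decrypting anything. The wordlist, e-mail addresses and passwords are constructed; `seconds_per_guess` shows how the iteration count alone changes the attacker's cost.

```python
import hashlib
import hmac
import time

# Added example, not LastPass's code. Simplified vault model (an assumption):
# vault key = PBKDF2-HMAC-SHA256(master password, salt = e-mail, N iterations),
# plus a verifier = SHA-256(key) that lets a guess be checked offline.

def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key; the e-mail is the (public) salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.lower().encode("utf-8"), iterations, dklen=32,
    )

def make_vault(master_password: str, email: str, iterations: int) -> dict:
    """What an attacker holds after stealing a backup: salt, iteration count, verifier."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations,
            "verifier": hashlib.sha256(key).hexdigest()}

def crack_vault(vault: dict, wordlist):
    """Offline dictionary attack. Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        key = derive_vault_key(guess, vault["email"], vault["iterations"])
        if hmac.compare_digest(hashlib.sha256(key).hexdigest(), vault["verifier"]):
            return guess, tried
    return None, tried

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure derivation cost on this machine; cracking cost scales linearly with it."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("benchmark", "bench@example.com", iterations)
    return (time.perf_counter() - start) / samples

# Constructed wordlist for the demo.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2022!", "hunter2"]

if __name__ == "__main__":
    weak = make_vault("Summer2022!", "alice@example.com", 5_000)
    strong = make_vault("correct-horse-battery-staple-9x", "bob@example.com", 600_000)
    print(crack_vault(weak, WORDLIST))     # found on the fifth guess
    print(crack_vault(strong, WORDLIST))   # not in the wordlist
    low, high = seconds_per_guess(5_000), seconds_per_guess(600_000)
    print(f"per guess: {low:.4f}s at 5,000 iterations vs {high:.4f}s at 600,000 (x{high / low:.0f})")
```

The attacker never needs LastPass's servers: the salt (the e-mail) and the iteration count are in the stolen backup, so every guess is checked locally, and the only things that raise the cost are a long, random master password and a high iteration count.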

New waves of thefts in 2024–2025

During 2024 and 2025, new waves of thefts from crypto wallets emerged, indicating that the consequences of the LastPass hack were far from limited to the moment of its disclosure. Analysis of a recent group of such incidents traced the path of the stolen funds through transaction concealment services and on to two high-risk Russian exchanges that are often used by cybercriminals to withdraw money into the real world. One of these exchanges received funds linked to LastPass as early as October.

This data provides a clear picture of how stolen assets are moved and converted into real money, as well as revealing the infrastructure behind one of the largest credential hacks of the past decade. The combination of indicators — regular use of Russia-related infrastructure, maintaining control over funds before and after attempts to conceal their origin, and systematic withdrawal through the same Russian exchanges — points to the involvement of cybercriminal groups linked to Russia.

Signs of possible involvement by Russian cybercriminals

Analysis of these thefts revealed two consistent signs pointing to the possible involvement of the Russian cybercriminal community.

First, the stolen funds were repeatedly laundered using infrastructure traditionally associated with Russian cybercriminals, including money withdrawal services previously used by attackers from Russia.

Second, data on the wallets involved in transactions before and after the mixing step pointed to unified control and links to Russia. This suggests not accidental use of the funds by third parties, but continued work by the same operators.

Although it is not yet possible to determine exactly who was behind the initial hack, the combination of these signals shows that Russian cybercriminal infrastructure plays a key role in turning large-scale hacks into real money, and that methods of concealing transactions are becoming less effective.

What the analysis of transaction “mixing” revealed

A single technical "signature" was identified across the various thefts: the stolen bitcoin keys were imported into the same type of wallet software, so the resulting transactions shared characteristic features (wallet software leaves identifiable traces in fields such as transaction version, locktime, fee-bumping flags and output ordering). The assets were quickly swapped into bitcoin through instant exchange services, after which the funds were moved to single-use addresses and sent into a mixing service to obscure their origin.
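The kind of wallet fingerprinting this paragraph refers to can be shown with an added example (not TRM Labs' method and not code from the article). The transactions below are a constructed, coarse structural model keeping only the fields that wallet software tends to set in a characteristic way: transaction version, whether inputs signal replace-by-fee, whether locktime is set (anti-fee-sniping), input script types and whether outputs are in BIP69 lexicographic order. Mapping a fingerprint to a named wallet product would need a reference corpus, which is assumed out of scope here.

```python
from collections import defaultdict

# Added example, not TRM Labs' code. Constructed transactions (not real txids):
# three thefts made with the same wallet software and one unrelated control.
SAMPLE_TXS = [
    {"txid": "theft-a", "version": 2, "locktime": 878_112,
     "inputs": [{"type": "p2wpkh", "sequence": 0xFFFFFFFD}],
     "outputs": [{"value": 120_000_000, "type": "p2wpkh"},
                 {"value": 3_900_000, "type": "p2wpkh"}]},
    {"txid": "theft-b", "version": 2, "locktime": 878_340,
     "inputs": [{"type": "p2wpkh", "sequence": 0xFFFFFFFD},
                {"type": "p2wpkh", "sequence": 0xFFFFFFFD}],
     "outputs": [{"value": 50_000_000, "type": "p2wpkh"},
                 {"value": 1_250_000, "type": "p2wpkh"}]},
    {"txid": "theft-c", "version": 2, "locktime": 879_001,
     "inputs": [{"type": "p2wpkh", "sequence": 0xFFFFFFFD}],
     "outputs": [{"value": 7_000_000, "type": "p2wpkh"},
                 {"value": 310_000, "type": "p2wpkh"}]},
    {"txid": "control", "version": 1, "locktime": 0,
     "inputs": [{"type": "p2pkh", "sequence": 0xFFFFFFFF}],
     "outputs": [{"value": 1_000_000, "type": "p2pkh"},
                 {"value": 9_000_000, "type": "p2pkh"}]},
]

def fingerprint(tx: dict) -> tuple:
    """Coarse wallet-software fingerprint from transaction structure alone."""
    signals_rbf = any(i["sequence"] < 0xFFFFFFFE for i in tx["inputs"])  # BIP125
    anti_fee_sniping = tx["locktime"] != 0      # locktime pinned to a recent height
    input_types = tuple(sorted({i["type"] for i in tx["inputs"]}))
    keys = [(o["value"], o["type"]) for o in tx["outputs"]]
    bip69_sorted = keys == sorted(keys)          # lexicographic output ordering
    return (tx["version"], signals_rbf, anti_fee_sniping,
            input_types, bip69_sorted, len(tx["outputs"]))

def cluster_by_fingerprint(txs) -> dict:
    """Group txids by fingerprint; large groups are candidates for one operator."""
    groups = defaultdict(list)
    for tx in txs:
        groups[fingerprint(tx)].append(tx["txid"])
    return {fp: sorted(ids) for fp, ids in groups.items()}

def shared_fingerprint_groups(txs, min_size: int = 2) -> list:
    """Only the clusters that contain at least min_size transactions."""
    return [ids for ids in cluster_by_fingerprint(txs).values() if len(ids) >= min_size]

if __name__ == "__main__":
    for fp, ids in cluster_by_fingerprint(SAMPLE_TXS).items():
        print(fp, "->", ids)
```

A fingerprint like this is weak evidence on its own (many users share a wallet), which is why the article pairs it with timing and amount analysis; its value is in narrowing a large set of thefts to those that plausibly came from one toolchain.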

Transaction mixing. Visualization: TRM Labs

Based on this pattern, it can be estimated that at the end of 2024 and the beginning of 2025, more than $28 million in cryptocurrency was stolen, converted to bitcoin, and passed through such concealment services.

Instead of analyzing each theft separately, the actions were considered as a single coordinated campaign. This made it possible to identify groups of deposit and withdrawal transactions that coincided in time and amount, which is extremely unlikely to be a coincidence.
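The time-and-amount matching described here can be illustrated with an added example (not TRM Labs' method and not code from the article). Deposits into and withdrawals out of a mixing service are constructed below, in satoshis; a deposit is paired with the earliest set of later withdrawals whose total equals the deposit minus a plausible service fee. The 48-hour window, the 2% fee ceiling and the limit of three withdrawal parts per deposit are assumptions to be tuned against real data, and the greedy search is deliberately simple.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Added example, not TRM Labs' code. Constructed mixer deposits and withdrawals.
DEPOSITS = [
    {"id": "dep-1", "time": datetime(2025, 1, 5, 10, 0), "sats": 400_000_000},
    {"id": "dep-2", "time": datetime(2025, 1, 6, 9, 30), "sats": 250_000_000},
]
WITHDRAWALS = [
    {"id": "wd-1", "time": datetime(2025, 1, 5, 16, 0), "sats": 150_000_000},
    {"id": "wd-2", "time": datetime(2025, 1, 5, 17, 5), "sats": 245_000_000},
    {"id": "wd-3", "time": datetime(2025, 1, 5, 20, 0), "sats": 90_000_000},   # unrelated user
    {"id": "wd-4", "time": datetime(2025, 1, 7, 15, 30), "sats": 247_000_000},
]

def match_mixer_flows(deposits, withdrawals, window_hours=48,
                      max_parts=3, max_fee_ratio=0.02):
    """Pair each deposit with later withdrawals whose sum is the deposit minus
    a service fee of at most max_fee_ratio. Each withdrawal is used once.
    Returns (matches, unmatched_withdrawal_ids)."""
    used, matches = set(), []
    for dep in sorted(deposits, key=lambda d: d["time"]):
        window_end = dep["time"] + timedelta(hours=window_hours)
        cands = [w for w in withdrawals
                 if w["id"] not in used and dep["time"] < w["time"] <= window_end]
        hit = None
        for k in range(1, max_parts + 1):          # prefer the simplest split
            for combo in combinations(cands, k):
                fee = dep["sats"] - sum(w["sats"] for w in combo)
                if 0 <= fee <= dep["sats"] * max_fee_ratio:
                    hit = (combo, fee)
                    break
            if hit:
                break
        if hit:
            combo, fee = hit
            used.update(w["id"] for w in combo)
            matches.append({"deposit": dep["id"],
                            "withdrawals": [w["id"] for w in combo],
                            "fee_sats": fee})
    unmatched = [w["id"] for w in withdrawals if w["id"] not in used]
    return matches, unmatched

if __name__ == "__main__":
    found, leftover = match_mixer_flows(DEPOSITS, WITHDRAWALS)
    for m in found:
        print(m)
    print("unmatched:", leftover)
```

On a busy service the same procedure produces far more candidate pairings, so in practice each match is weighted by how unusual the amount and the timing are; a 3.95 BTC pair of withdrawals seven hours after a 4 BTC deposit is strong, a round 0.1 BTC withdrawal is not.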

The signs recorded before attempts to conceal the origin of the funds and information about the wallets after these transactions consistently pointed to control from Russia. This continuity reinforces the belief that the money laundering was carried out by participants working within or in close connection with the Russian cybercriminal ecosystem.

Early withdrawals occurred just a few days after the initial thefts, suggesting that the attackers themselves were involved in covering their tracks. Taken together, this shows that money laundering methods are becoming less reliable, and analyzing them can reveal the structure and geography of large-scale criminal operations.

Russian exchanges as an additional indicator

Analysis of the movement of funds related to the LastPass hack revealed two stages, which ultimately converged on Russian exchanges. In the early stage, immediately after the initial hack, the funds passed through the Cryptomixer.io service (now defunct) and were withdrawn through the Cryptex exchange, registered in Russia and subject to sanctions in 2024.

Links to Russian crypto exchanges. Visualization: TRM Labs

In the next wave, identified in September 2025, approximately $7 million was passed through a transaction concealment service, after which the funds were transferred to Audia6, another Russian exchange linked to cybercriminal activity.

Applying the same analysis methods to both periods revealed similar laundering patterns: group withdrawals and chains of transfers directing bitcoins to these specific exchanges. The repeated use of the same Russian platforms, as well as signs of control from Russia before and after the traces were concealed, indicate a stable infrastructure rather than one-off or random actions.

Why the Russian connection matters

The likely involvement of Russia is important beyond this specific case. High-risk Russian exchanges and money laundering services have been used for years by international groups involved in ransomware, sanctions evasion, and other types of cybercrime.

The role of such infrastructure in the LastPass case shows that the Russian-based financial environment continues to be a systemic element of global cybercrime, even despite increased pressure from regulators in other countries.

This case also clearly demonstrates that attempts to conceal the origin of money do not eliminate the risk of exposure if criminals use the same services and geographical areas for years. Transaction analysis allows us to see not individual transfers, but the entire operational picture, including where the illegal money ultimately ends up.
