TL;DR: Remember the 2022 LastPass breach? It's still causing damage. Blockchain investigators at TRM Labs traced $35 million in stolen cryptocurrency directly to those stolen password vaults. Attackers are gradually cracking weak master passwords and draining wallets, some as recently as late 2025. The money flows through Russian-linked exchanges. The U.S. Secret Service seized $23 million connected to the breach. If you used LastPass in 2022 and stored crypto seed phrases, your funds may still be at risk. Change everything.
A Breach That Keeps On Taking
In 2022, hackers breached LastPass, one of the world's most popular password managers, and stole encrypted backups of roughly 30 million customer vaults.[1]
LastPass assured users that vaults were encrypted. Your data was safe, they said, as long as you had a strong master password.
Here's the problem: not everyone had a strong master password. And encrypted data, once stolen, can be attacked offline indefinitely. No rate limiting. No lockouts. Just raw computing power versus your password choice from years ago.
The result: a multi-year theft campaign that's still active today.[2]
Following the Money
TRM Labs, a blockchain investigation firm, has been tracing funds stolen from compromised LastPass vaults. Their findings:[1][3]
- $35+ million in cryptocurrency traced directly to LastPass breach victims
- $28 million converted to Bitcoin and laundered through Wasabi Wallet between late 2024 and early 2025
- $7 million linked to a subsequent wave detected in September 2025
- $23 million seized by the U.S. Secret Service in connection with the breach
Court filings confirm that victims' wallets were compromised through stolen password vault data, not phishing, not malware. The attackers had the vault backups and the time to crack them.[4]
How They're Still Cracking Vaults
The attack model is straightforward but devastating:[2][3]
- Attackers have encrypted vault backups from the 2022 breach
- They run offline brute-force attacks against master passwords
- Weak passwords crack first: "password123" falls in seconds
- Moderate passwords take longer but eventually fall to dedicated hardware
- Once cracked, attackers search for crypto seed phrases and private keys
- Wallets get drained, often years after the original breach
The thefts come in waves. Early victims had the weakest passwords. As attackers crack progressively stronger passwords, new victims appear months or years later. TRM Labs documented theft waves in late 2024, early 2025, and September 2025.[1]
"As users failed to rotate passwords or improve vault security, attackers continued to crack weak master passwords years later, leading to wallet drains as recently as late 2025."[2]
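The wave pattern follows directly from the arithmetic of offline guessing. As an added illustration (not code from the article, TRM Labs, or LastPass), the estimator below models the attacker's expected time as a function of password entropy and the vault's PBKDF2-HMAC-SHA256 iteration count; the iteration counts, GPU throughput, and password shapes in it are constructed assumptions.

```python
"""Estimate how long a stolen PBKDF2-protected vault resists offline guessing.

Constructed example: the iteration counts, attacker throughput and password
shapes below are assumptions, not figures from the article or from LastPass."""
import math

SHA256_PER_SECOND_GPU_RIG = 8 * 10**9   # assumed: a few consumer GPUs, ~8 GH/s


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, iterations: int,
                           sha256_per_second: float) -> float:
    """Expected offline time to find a random password of this entropy.

    One PBKDF2-HMAC-SHA256 guess costs about 2 * iterations compressions,
    and on average the attacker must try half of the keyspace."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * 2 * iterations / sha256_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for the table below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # Constructed password shapes; the first is a wordlist rank, not a random string.
    shapes = [
        ("'password123' (assumed ~20-bit wordlist rank)", 20),
        ("8 random lowercase+digit chars", password_entropy_bits(8, 36)),
        ("12 random printable chars", password_entropy_bits(12, 95)),
        ("6-word passphrase (7776-word list)", password_entropy_bits(6, 7776)),
    ]
    # Assumed legacy, old-default and current-style iteration counts.
    for iterations in (5_000, 100_100, 600_000):
        print(f"\nPBKDF2 iterations: {iterations:,}")
        for label, bits in shapes:
            t = expected_crack_seconds(bits, iterations, SHA256_PER_SECOND_GPU_RIG)
            print(f"  {label:<46} {bits:5.1f} bits -> {describe(t)}")
```

Raising the iteration count only scales the attacker's cost linearly, while each extra character of a random password multiplies it; that is why a low legacy iteration count plus a short master password is the combination that falls in the first wave.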
The Russian Connection
Where did the stolen crypto go? TRM Labs traced the laundering pipeline to exchanges commonly associated with Russian cybercriminal operations.[1][3]
The funds were repeatedly cashed out through Cryptex and Audi6, exchanges known in blockchain investigation circles for servicing Eastern European criminal enterprises. Investigators found operational connections between wallets before and after mixing, suggesting a coordinated operation rather than opportunistic individual hackers.
This isn't a teenager in a basement. It's organized crime with infrastructure for stealing, laundering, and cashing out stolen cryptocurrency at scale.
Consequences for LastPass
The breach has cost LastPass more than reputation:[4]
- December 2025: UK Information Commissioner's Office fined LastPass £1.2 million ($1.6 million) for security failings affecting an estimated 1.6 million UK users
- Multiple class-action lawsuits pending in the United States, with settlement negotiations ongoing as of early 2026
- Ongoing regulatory scrutiny in multiple jurisdictions
A £1.2 million fine sounds significant until you compare it to $35 million in confirmed stolen funds, and that's just what investigators have traced so far.
The Uncomfortable Lesson
Password managers are supposed to make you more secure. And generally, they do: they enable unique, strong passwords for every site.
But they also create a single point of failure. If attackers get your vault and your master password is weak, everything in that vault is compromised. Not just one account. Everything.
The LastPass breach exposed a grim reality: encrypted data isn't permanently secure. It's secure until computing power catches up or until someone cracks your password. Given enough time and resources, weak encryption or weak passwords will fail.
For crypto holders, the stakes are especially high. A stolen email password is annoying. A stolen seed phrase means irreversible loss of funds.
What You Should Do
If You Used LastPass in 2022
Assume your vault was stolen. Change every password stored in it. All of them. Rotate crypto seed phrases to new wallets. This is tedious and urgent.
Move Crypto to New Wallets
If you stored seed phrases or private keys in LastPass, those wallets are compromised. Generate new wallets on a clean device and transfer all funds immediately.
Use Hardware Wallets
Never store crypto private keys in any password manager. Use dedicated hardware wallets (Ledger, Trezor) that keep keys offline and require physical confirmation.
Evaluate Your Master Password
For any password manager, your master password should be long (at least 16 characters), random, and unique. Not a modified dictionary word. Not reused anywhere.
Enable All Security Features
Use the strongest available encryption settings. Enable multi-factor authentication. Consider password managers with zero-knowledge architecture where even the provider can't access your vault.
Consider Alternatives
If the LastPass breach has shaken your confidence, explore alternatives like Bitwarden, 1Password, or self-hosted options like Vaultwarden. Each has trade-offs, so research them.
This Isn't Over
Attackers still have those 30 million encrypted vault backups. As computing power increases and cracking techniques improve, more passwords will fall.
Users who had "pretty good" passwords in 2022 might find them cracked in 2027. The breach is a permanent time bomb for anyone who stored sensitive data and never rotated their credentials.
The lesson isn't that password managers are bad. It's that stolen encrypted data is a long-term liability, and your security decisions from years ago can haunt you indefinitely.
References
- [1] The Hacker News - LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds (December 2025)
- [2] BleepingComputer - Cryptocurrency theft attacks traced to 2022 LastPass breach (December 2025)
- [3] TRM Labs - Stolen Crypto from 2022 LastPass Breach Traced to Russian Cybercriminal Involvement (December 2025)
- [4] Krebs on Security - Feds Link $150M Cyberheist to 2022 LastPass Hacks (March 2025)
- [5] TechRadar - Historic LastPass breach enabling cryptocurrency theft, investigation reveals (December 2025)