LastPass Breach Shows Russian Cybercrime on Chain, Justin Sun

  • TRM traced LastPass-linked wallet drains to high-risk Russian exchanges, showing organized laundering and cybercriminal control.

  • Over $28M in crypto moved through Wasabi Wallet using SegWit and RBF patterns, revealing consistent hacker signatures.

  • Mixers fail to fully hide activity; repeated off-ramps and geographic patterns expose systemic Russian cybercrime infrastructure.

A major 2022 LastPass breach continues to impact users globally, highlighting critical on-chain risks. Tron Founder Justin Sun tweeted, “Worth reading. trmlabs traced recent wallet drains linked to the 2022 LastPass breach and shows how funds moved through mixers and off ramps.”

As per the TRM report, the breach exposed backups of roughly 30 million customer vaults containing sensitive credentials, including crypto private keys. Hackers downloaded the encrypted vaults in bulk, creating a long-term risk for users with weak master passwords. Over 25 million users could face gradual asset drains years after the initial hack.

TRM analysts traced recent wallet drains through mixers and onto high-risk Russian exchanges, with one exchange receiving LastPass-linked funds as recently as October 2025. The firm highlighted repeated interaction with Russia-associated infrastructure and consistent control across pre- and post-mix activity.

Consequently, TRM assessed Russian cybercriminal involvement in these laundering operations. “These findings offer a clear on-chain view of how the stolen assets are being moved and monetized,” TRM noted, emphasizing the scale of the threat.

Demixing Reveals Stolen Fund Flows

TRM identified a consistent on-chain signature across the thefts, including SegWit usage and Replace-by-Fee transactions. Non-Bitcoin assets were quickly converted to Bitcoin via instant swaps before entering Wasabi Wallet.
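To make the two traits named above concrete, here is an added example (not TRM's code or method, which the article does not describe) that reads SegWit encoding and BIP125 Replace-by-Fee signaling from raw serialized Bitcoin transactions and measures how much of a cluster shows both. The function names and the sample transactions are constructed for illustration.

```python
import struct

RBF_MAX_SEQUENCE = 0xFFFFFFFD  # BIP125: any input at or below this signals opt-in RBF

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def fingerprint(raw):
    """Return the SegWit and RBF traits of one serialized transaction."""
    pos = 4                                    # skip the 4-byte version
    segwit = raw[pos:pos + 2] == b"\x00\x01"   # BIP144 marker and flag bytes
    if segwit:
        pos += 2
    n_inputs, pos = read_varint(raw, pos)
    sequences = []
    for _ in range(n_inputs):
        pos += 36                              # previous txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len                      # skip scriptSig
        if pos + 4 > len(raw):
            raise ValueError("truncated transaction")
        sequences.append(int.from_bytes(raw[pos:pos + 4], "little"))
        pos += 4
    rbf = any(seq <= RBF_MAX_SEQUENCE for seq in sequences)
    return {"segwit": segwit, "rbf": rbf, "inputs": n_inputs}

def share_matching(raw_txs):
    """Fraction of a cluster's transactions that show both traits."""
    hits = [fingerprint(tx) for tx in raw_txs]
    return sum(h["segwit"] and h["rbf"] for h in hits) / len(hits)

def build_sample(segwit, sequence):
    """Constructed one-input, one-output transaction (not real chain data)."""
    tx = struct.pack("<I", 2) + (b"\x00\x01" if segwit else b"")
    tx += b"\x01" + bytes(32) + struct.pack("<I", 0) + b"\x00" + struct.pack("<I", sequence)
    tx += b"\x01" + struct.pack("<Q", 50_000) + b"\x16\x00\x14" + bytes(20)
    if segwit:
        tx += b"\x02\x01\xaa\x01\xbb"          # witness stack: two 1-byte items
    return tx + struct.pack("<I", 0)           # locktime

CLUSTER = [build_sample(True, 0xFFFFFFFD), build_sample(True, 0xFFFFFFFD),
           build_sample(True, 0xFFFFFFFF), build_sample(False, 0xFFFFFFFE)]

if __name__ == "__main__":
    print(f"{share_matching(CLUSTER):.0%} of the cluster shows SegWit + RBF")
```

Both traits are common across ordinary Bitcoin wallets, so a match like this narrows a candidate set and only gains weight when combined with other signals such as the timing and off-ramp patterns the report describes.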

Analysts estimate over USD 28 million in cryptocurrency was stolen and laundered through Wasabi between late 2024 and early 2025. TRM analyzed clusters of deposits and withdrawals as coordinated campaigns, demonstrating continuity in the laundering process.

“Early Wasabi withdrawals occurred within days of the initial wallet drains, suggesting that the attackers themselves were responsible,” the report noted.

Russian Exchanges as Persistent Off-Ramps

Stolen funds passed through Russian exchanges, including the defunct Cryptomixer.io and Audi6, reinforcing the network’s continuity. Repeated use of these off-ramps indicates systemic Russian cybercrime infrastructure.

TRM’s findings underline that mixers cannot fully hide illicit activity, as geographic and operational patterns reveal attacker control. Additionally, these exchanges remain central in laundering for ransomware groups and sanctions evaders.
