January 23, 2026

Cryptocurrency theft attacks traced to 2022 LastPass breach

The article explains that a new investigation from blockchain analytics firm TRM Labs links ongoing cryptocurrency thefts to the 2022 LastPass breach. In that incident, attackers ultimately obtained encrypted LastPass vault backups (via a related compromise involving GoTo storage), and some victims had stored crypto wallet seed phrases or private keys inside those vaults. Because the vaults were encrypted, the thefts did not always happen immediately; instead, the report describes waves of wallet-draining events months or even years later, consistent with criminals gradually cracking weak or reused master passwords offline and then using the recovered wallet secrets to empty accounts. The story notes this pattern was also supported by a U.S. Secret Service case in which investigators saw no malware or phishing on victims’ devices and concluded the private keys were likely obtained from decrypted password-vault data.

It then focuses on how TRM followed the money. After draining wallets, the attackers allegedly converted assets to Bitcoin and tried to hide the trail using Wasabi Wallet’s CoinJoin feature (a privacy method that mixes many users’ transactions together). TRM says it could still connect the flows by analyzing transaction behavior (structure, timing, wallet configuration), treating the incidents as a coordinated campaign rather than isolated thefts. Based on that work, TRM estimates over $28 million was stolen and laundered in late 2024/early 2025, with another $7 million tied to a later wave in September 2025, and that funds were repeatedly cashed out through the same Russia-linked exchanges (including Cryptex and Audi6)—suggesting consistent operational control behind the laundering.

Source: https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/
