Russian criminals suspected of being behind LastPass crypto thefts


Blockchain analysis has revealed that Russian cybercrime infrastructure has been repeatedly used to launder crypto assets stolen from password manager LastPass users, suggesting that Russia-based criminals may be behind the hacks.

Blockchain analysis company TRM Labs said that all the evidence they found is consistent with involvement by Russian threat actors. The evidence includes repeated interaction with Russia-associated infrastructure, including off-ramps historically used by Russia-based threat actors.

Moreover, wallets that interacted with mixers both before and after the mixing and laundering process indicated operational ties to Russia, "suggesting continuity of control rather than downstream reuse by unrelated actors," TRM said.

However, they have emphasized that "definitive attribution of the original intrusion cannot yet be confirmed."

According to the analysts, more than $28 million in crypto assets was stolen, converted to bitcoin (BTC), and laundered through the privacy-focused Wasabi Wallet in late 2024 and early 2025, while another $7 million was tracked in September 2025. The combined $35 million is estimated to be only a fraction of total losses.

"Using proprietary demixing techniques, analysts matched the hackers’ deposits to a specific withdrawal cluster whose aggregate value and timing closely aligned with the inflows, an alignment statistically unlikely to be coincidental," they explained, claiming that the reliability of mixing as an obfuscation technique is decreasing.

According to their findings, when criminals rely on consistent infrastructure and geographic ecosystems over time, mixers become less helpful in eliminating attribution risks, as analysts are able to uncover broader operational architecture, including where illicit value ultimately converges.

The analysis has shown that stolen funds were routed through the now-defunct Cryptomixer.io and withdrawn via the sanctioned Russian exchange Cryptex in 2024. The above-mentioned $7 million was sent through Wasabi Wallet before being transferred to Audi6, another Russian exchange associated with criminals.

The 2022 LastPass breach exposed approximately 30 million customer vaults, including those containing stored private keys and seed words for crypto assets. As users failed to move their funds or change passwords, criminals kept stealing crypto assets in waves, with more recent cases registered in 2025.
