Russian Cybercrime Networks Tied to $35 Million LastPass Crypto Laundering

Russian cybercriminals are likely responsible for the laundering of more than $35 million in cryptocurrency stolen from LastPass users, according to a report by blockchain intelligence firm TRM Labs.

The analysis linked the multi-year drain of crypto wallets to the 2022 breach of the password manager LastPass. It noted that the stolen funds moved through illicit financial infrastructure tied to Russia’s cybercriminal underground.

How Russian Cybercriminals Laundered the Stolen Funds

TRM Labs researchers found that the attackers used privacy protocols to obscure the money trail, but ultimately routed the funds to Russia-based platforms.

According to the report, the perpetrators have continued to siphon assets from compromised vaults as recently as late 2025.

The malicious actors systematically laundered the stolen funds through off-ramps that Russian threat actors have historically used. One of those venues was Cryptex, an exchange currently sanctioned by the US Office of Foreign Assets Control (OFAC).

TRM Labs said they identified a “consistent on-chain signature” tying the thefts to a single, coordinated group.

The attackers repeatedly converted non-Bitcoin assets into Bitcoin using instant swap services. The funds were then moved to mixing services such as Wasabi Wallet and CoinJoin.

These tools are designed to pool funds from multiple users to scramble transaction histories, theoretically making them untraceable.

However, the report highlights a significant failure in these privacy technologies. Analysts were able to “de-mix” the transactions using behavioral continuity analysis.

Investigators tracked specific digital footprints, such as how wallet software imported private keys, and successfully unwound the mixing process. This allowed them to follow the digital currency through the privacy protocols and observe its final deposit into Russian exchanges.

In addition to Cryptex, investigators traced approximately $7 million in stolen funds to Audi6, another exchange service operating within the Russian cybercriminal ecosystem.

The report notes that the wallets interacting with the mixers showed “operational ties” to Russia both before and after the laundering process. This suggests the hackers were not merely renting infrastructure but operating directly from the region.

The findings underscore Russia crypto platforms’ role in enabling global cybercrime.

By providing liquidity and off-ramps for stolen digital assets, these exchanges allow criminal groups to monetize data breaches while evading international law enforcement.