The 2022 LastPass Breach Is Still Draining Crypto Wallets in 2025: $35M Stolen
Here's a chilling thought for the holidays: a data breach from 2022 is still actively stealing money from victims in 2025. And not just pocket change—we're talking about $35 million in cryptocurrency, drained from wallets whose owners thought their passwords were safely encrypted.
New research from blockchain intelligence firm TRM Labs reveals that Russian cybercriminals have been systematically cracking the encrypted password vaults stolen in the infamous 2022 LastPass breach. The attackers are targeting weak master passwords, and the theft campaign is ongoing as of late 2025.
If you ever used LastPass—especially before 2023—this article might save you from becoming the next victim.
Urgent: If you used LastPass before December 2022 and stored cryptocurrency private keys or seed phrases in your vault, you should assume your data is compromised. Rotate all credentials immediately—especially crypto wallets.
What Happened: The 2022 LastPass Breach
In August 2022, LastPass disclosed that an attacker had breached its development environment. At first the company described the incident as limited to source code and technical information. By December 2022 it revealed the full extent: the attacker had used what was taken in August to target an employee, obtain keys to cloud backup storage, and copy customers' encrypted password vault backups.
This included:
- Encrypted password vaults containing all stored credentials
- Customer email addresses
- Billing addresses
- IP addresses and browser metadata
- Vault metadata (website URLs were not encrypted)
LastPass stated that the vaults were encrypted with AES-256 using a key derived from the user's master password, so only that password could decrypt them. It also disclosed that the key derivation ran PBKDF2-SHA256 with a default of 100,100 iterations and warned that attackers might brute-force weak master passwords. One detail got less attention than it deserved: accounts created before 2018 could still be on far lower iteration counts (5,000, and in some cases far fewer), which makes every guess proportionally cheaper for an attacker. Many users nonetheless assumed their vaults were safe.
They were wrong.
The Multi-Year Theft Campaign
According to TRM Labs, cybercriminals—with strong links to Russian criminal infrastructure—have been quietly cracking stolen vaults for years. Their method is devastatingly simple:
- Take the encrypted vault backup (stolen in 2022)
- Attempt to crack the master password offline using brute-force or dictionary attacks
- If the password is weak, decrypt the vault
- Extract cryptocurrency private keys and seed phrases
- Drain the wallets
Key insight: Because attackers hold the encrypted vault files themselves, they can guess master passwords offline, with no rate limiting, no lockouts, no MFA prompt (MFA protects the login, not a copy of the ciphertext) and unlimited time. Each guess costs only one run of the key derivation function, so a weak master password that might take years to crack through the login page can fall in hours or days offline, and the lower the vault's PBKDF2 iteration count, the cheaper every guess.
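To make the offline-cracking loop concrete, here is an added Python example (not LastPass code and not the attackers' tooling). It keeps the one piece of the real design that matters here, PBKDF2-HMAC-SHA256 key stretching at the vault's stored iteration count, and wraps it around a constructed toy container: the standard library has no AES, so an HMAC-SHA256 counter-mode keystream stands in for AES-256, and an HMAC tag tells the cracker when a guess is right. The sample secret and wordlist are constructed; the iteration counts are LastPass's disclosed default (100,100) and the value many older accounts were left on (5,000).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Added example, not LastPass code. Only the PBKDF2-HMAC-SHA256 step matches
# the real design; the container format and the stream cipher are a toy.

MODERN_ITERATIONS = 100_100   # LastPass default since 2018
LEGACY_ITERATIONS = 5_000     # many older accounts were never migrated upward


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 over a counter. Stand-in for AES only.
    blocks = -(-length // 32)
    stream = b"".join(
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range(blocks)
    )
    return stream[:length]


def seal_vault(master_password: str, plaintext: bytes, iterations: int,
               salt: Optional[bytes] = None) -> Dict[str, object]:
    """Encrypt-then-MAC a vault blob the way a password-manager backup might be stored."""
    salt = salt if salt is not None else os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    keystream = _keystream(enc_key, salt, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    # The iteration count travels with the vault, so the attacker knows it too.
    return {"salt": salt, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def try_open(vault: Dict[str, object], candidate: str) -> Optional[bytes]:
    """Return the plaintext if `candidate` is the master password, else None."""
    enc_key, mac_key = derive_keys(candidate, vault["salt"], vault["iterations"])
    expected = hmac.new(mac_key, vault["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    keystream = _keystream(enc_key, vault["salt"], len(vault["ciphertext"]))
    return bytes(c ^ k for c, k in zip(vault["ciphertext"], keystream))


def crack_offline(vault: Dict[str, object],
                  wordlist: List[str]) -> Tuple[Optional[str], Optional[bytes], int]:
    """Offline dictionary attack against a stolen vault copy.

    Nothing throttles this loop: no server, no lockout, no MFA prompt. The only
    cost per guess is one PBKDF2 run at the vault's iteration count, so the
    attacker's guess rate scales inversely with `iterations`.
    """
    for guesses, candidate in enumerate(wordlist, start=1):
        plaintext = try_open(vault, candidate)
        if plaintext is not None:
            return candidate, plaintext, guesses
    return None, None, len(wordlist)


# Constructed sample data for the demo (placeholder words, not real victim data).
SAMPLE_SECRET = b"wallet seed (constructed placeholder): lamp river stone cloud basket iron"
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein",
                   "Password1", "Password123", "Password123!", "dragon"]


def demo_weak_vs_strong() -> Dict[str, object]:
    salt = b"\x00" * 16  # fixed salt so the demo is deterministic
    weak = seal_vault("Password123!", SAMPLE_SECRET, LEGACY_ITERATIONS, salt)
    strong = seal_vault("velvet-canyon-ostrich-ledger-umbrella", SAMPLE_SECRET,
                        MODERN_ITERATIONS, salt)
    weak_pw, weak_pt, weak_guesses = crack_offline(weak, SAMPLE_WORDLIST)
    strong_pw, _, strong_guesses = crack_offline(strong, SAMPLE_WORDLIST)
    return {
        "weak_cracked": weak_pw,
        "weak_recovered_secret": weak_pt,
        "weak_guesses": weak_guesses,
        "strong_cracked": strong_pw,       # None: the phrase is in no wordlist
        "strong_guesses": strong_guesses,  # the attacker exhausted the list for nothing
    }


if __name__ == "__main__":
    for key, value in demo_weak_vs_strong().items():
        print(f"{key}: {value!r}")
```

The weak vault falls on the seventh guess; the random five-word phrase survives the whole list, and each failed guess against it cost the attacker twenty times more PBKDF2 work than a guess against the legacy-iteration vault. A real cracker runs the same loop on GPUs with wordlists of billions of entries plus mangling rules, which is why "not literally in a list" is not the same as "random".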
The Numbers Are Staggering
TRM Labs has traced more than $35 million in stolen cryptocurrency linked to the LastPass breach:
| Time Period | Amount Stolen | Notes |
|---|---|---|
| Late 2024 - Early 2025 | $28 million | Converted to Bitcoin, laundered via Wasabi Wallet |
| September 2025 | $7 million | Second wave of thefts detected |
| Total | $35+ million | Ongoing as of October 2025 |
And these are just the thefts that TRM Labs could trace. The actual figure is likely higher.
The Russian Connection
TRM Labs has identified strong links between the stolen funds and Russian cybercriminal infrastructure. The evidence includes:
- Repeated use of Russia-associated exchanges as off-ramps
- Funds routed through Cryptex—a Russian exchange sanctioned by the U.S. Treasury in September 2024 for receiving $51.2 million in ransomware proceeds
- Use of Audia6—another Russian exchange associated with illicit activity
- Cryptomixer.io used for laundering
- Consistent operational patterns across pre- and post-mixing activity
Despite the attackers using CoinJoin mixing techniques (via Wasabi Wallet) to obscure the money trail, TRM Labs was able to "demix" the activity by analyzing clustered withdrawals and peeling chains.
"This is a clear example of how a single breach can evolve into a multi-year theft campaign. Even when mixers are used, operational patterns, infrastructure reuse, and off-ramp behavior can still reveal who's really behind the activity."
— Ari Redbord, Global Head of Policy, TRM Labs
LastPass Fined $1.6 Million
Earlier this month, the UK Information Commissioner's Office (ICO) fined LastPass $1.6 million for failing to implement "sufficiently robust technical and security measures" to prevent the breach.
The fine is a slap on the wrist compared to the $35+ million stolen from users—but it officially confirms what security researchers have been saying: LastPass's security was inadequate.
Key failures identified include:
- Insufficient protection of the development environment
- Weak access controls that allowed lateral movement
- Failure to detect the breach for months
- Misleading communications that downplayed the severity
Why Weak Master Passwords Are So Dangerous
The LastPass breach is a textbook example of why master password strength matters more than anything else when using a password manager.
Here's the math, in rough orders of magnitude. Offline cracking time depends first on whether the password is in a wordlist (names, common words, keyboard patterns and their variants such as Password123! fall to dictionary rules almost regardless of length), then on the attacker's guess rate, which the vault's PBKDF2 iteration count divides down, and only then on raw length. Against a well-equipped GPU rig:
- 8-character password with complexity: hours to days
- 10-character common password: minutes to hours
- 12-character passphrase: months to years
- 16+ character passphrase of randomly chosen words: effectively uncrackable
The Solution: Use a 15+ character passphrase as your master password. A phrase of five or more randomly chosen words, such as correct-horse-battery-staple-mountain, is both memorable and practically uncrackable, with one caveat: pick the words with dice or a cryptographic random number generator, not from memory, and never reuse a published example like that one, which is in every cracking wordlist. For more on modern password best practices, read our guide: Everything You Know About Passwords Is Wrong: NIST 2025 Guidelines.
The attackers behind the LastPass thefts aren't targeting everyone—they're targeting the low-hanging fruit. Users with strong, unique master passwords are likely still safe. Users with weak passwords are sitting ducks.
What You Should Do Right Now
If you ever used LastPass, especially before the breach was disclosed in late 2022, take these steps immediately:
1. Assume Your Vault Is Compromised
If your master password was weak (under 15 characters, based on a dictionary word or a personal detail, or reused on any other site), assume attackers can access your vault.
2. Rotate All Cryptocurrency Credentials
If you stored private keys, seed phrases, or exchange passwords in LastPass:
- Create new wallets with fresh seed phrases
- Transfer all funds to the new wallets
- Abandon the old wallets completely
- Update exchange passwords and enable 2FA everywhere
3. Rotate All Other Sensitive Credentials
Change passwords for:
- Email accounts (especially your primary email)
- Banking and financial services
- Cloud storage (Google Drive, Dropbox, iCloud)
- Social media accounts
- Any account with sensitive personal data
4. Switch to a More Secure Password Manager
Consider alternatives with stronger designs or better track records. None of them removes the need for a strong master password, since an attacker who steals a vault copy faces the same offline guessing problem:
- 1Password — combines the master password with a 128-bit Secret Key stored only on your devices, so a stolen vault cannot be cracked from the password alone
- Bitwarden — open source, audited, self-host option, Argon2id available for key derivation
- KeePassXC — local database file, nothing stored on a vendor's servers to steal
5. Use a Strong Master Password Going Forward
Your new master password should be:
- At least 15 characters (20+ is better)
- A passphrase (random words, not a single word)
- Unique (never used anywhere else)
- Memorized (don't store it digitally)
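The "Why Weak Master Passwords Are So Dangerous" section and step 5 both come down to the same measurement: strength is a number of guesses, not a character count. The Python below is an added example (not from the page, LastPass, or any password manager) that generates a diceware-style passphrase with the `secrets` module and turns the rules above into numbers. The 32-word list is constructed so the block runs offline; real passphrases should come from the EFF long word list (7,776 words). The attacker throughput passed to `crack_time_table` is an assumed, illustrative input, not a benchmark.

```python
import math
import secrets
from typing import Dict, Sequence

# Added example, not code from the page or from any password manager.

# Constructed 32-word toy list so the block runs offline. For a real passphrase
# use the EFF long word list (7,776 words, about 12.9 bits per word).
TOY_WORDS = (
    "acorn", "basalt", "canyon", "dolphin", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "raven", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anvil", "bramble", "cobalt", "dune", "elm", "fjord",
)
EFF_LONG_LIST_SIZE = 7776


def generate_passphrase(word_count: int, words: Sequence[str] = TOY_WORDS,
                        separator: str = "-") -> str:
    """Pick words uniformly with secrets.choice (a CSPRNG), never random.choice."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(words) for _ in range(word_count))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a uniformly random passphrase: log2(dictionary_size ** word_count)."""
    return word_count * math.log2(dictionary_size)


def charset_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random string over a charset (95 = printable ASCII)."""
    return length * math.log2(charset_size)


def guesses_per_second(iterations: int, hmac_per_second: float) -> float:
    """PBKDF2 cost is linear in the iteration count: one guess = `iterations` HMAC calls.

    `hmac_per_second` is the attacker's raw HMAC-SHA256 throughput (an assumed input).
    """
    return hmac_per_second / iterations


def expected_crack_seconds(bits: float, rate: float) -> float:
    """On average the right guess turns up halfway through the keyspace."""
    return (2.0 ** bits) / 2.0 / rate


def meets_policy(passphrase: str, min_chars: int = 15, min_words: int = 4,
                 separator: str = "-") -> bool:
    """The article's rule of thumb: 15+ characters and built from several words."""
    return len(passphrase) >= min_chars and len(passphrase.split(separator)) >= min_words


def crack_time_table(hmac_per_second: float, iterations: int) -> Dict[str, float]:
    """Seconds to crack a few password shapes at an assumed attacker rate.

    The 2^33 figure for a wordlist entry plus mangling rules is illustrative.
    """
    rate = guesses_per_second(iterations, hmac_per_second)
    return {
        "wordlist entry + mangling (~2^33 guesses)": expected_crack_seconds(33, rate),
        "8 random printable ASCII chars": expected_crack_seconds(charset_bits(8, 95), rate),
        "5 EFF words": expected_crack_seconds(passphrase_bits(5, EFF_LONG_LIST_SIZE), rate),
        "7 EFF words": expected_crack_seconds(passphrase_bits(7, EFF_LONG_LIST_SIZE), rate),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, "meets policy:", meets_policy(phrase))
    # Illustrative attacker rate (assumption, not a benchmark): 1e10 HMAC-SHA256/s.
    for label, seconds in crack_time_table(1e10, 100_100).items():
        print(f"{label}: {seconds / 86400:.3g} days")
```

Two things worth noticing when you run it: dropping from 100,100 to 5,000 iterations makes every row exactly 20 times cheaper for the attacker, and a five-word EFF passphrase (about 64.6 bits) already sits far beyond an 8-character random ASCII password (about 52.6 bits), while a mangled dictionary entry is cheap at any length.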
Frequently Asked Questions
I used LastPass but my master password was strong. Am I safe?
Probably, but not guaranteed. If your master password was truly random and 15+ characters, the encrypted vault is likely still secure. However, vault metadata (including website URLs) was not encrypted, so attackers know what sites you have accounts on. Consider rotating critical credentials anyway.
How do I know if my crypto was stolen via LastPass?
If you stored crypto private keys or seed phrases in LastPass and your wallet was drained without explanation, the LastPass breach is a likely culprit, especially if the theft happened between 2023 and 2025 with no other obvious attack vector.
Why didn't LastPass warn users more strongly?
LastPass did warn that brute-force attacks were possible against weak passwords, but many users underestimated the risk. The $1.6 million fine from the UK ICO suggests regulators agree that LastPass's response was inadequate.
Can I sue LastPass?
Multiple class-action lawsuits have been filed against LastPass and its parent company GoTo. If you suffered financial losses, you may be eligible to join a lawsuit. Consult with a lawyer familiar with data breach litigation.
Is this over, or are more thefts coming?
More thefts are likely. TRM Labs notes that attackers can continue cracking weak passwords for years. As computing power increases and password-cracking tools improve, more vaults will be compromised. The only protection is a strong master password—or rotating all your credentials.
The Bigger Lesson
The LastPass breach teaches us several critical lessons about digital security:
- Encryption is only as strong as your password. AES-256 itself is not the weak point; the key derived from your master password is.
- Breaches have long tails. Data stolen today can be exploited for years. A 2022 breach is still causing damage in 2025.
- Cloud services are targets. Centralized password managers are high-value targets for attackers. Consider the trade-offs.
- Assume breach, plan accordingly. If you stored sensitive data in any cloud service, have a plan for what to do if that data is compromised.
Defense in depth: Don't store your most critical secrets (like crypto seed phrases) in any cloud service. Write them on paper and store them in a physical safe. No hacker can brute-force a piece of paper.
Conclusion
The 2022 LastPass breach has become a multi-year theft campaign that's still claiming victims in late 2025. Russian cybercriminals have stolen at least $35 million by cracking weak master passwords—and they're not done yet.
If you used LastPass before the breach:
- Rotate all sensitive credentials immediately
- Move crypto to new wallets with fresh seed phrases
- Switch to a password manager with better security
- Use a 15+ character passphrase as your master password
This breach is a stark reminder that password strength isn't optional—it's everything. The difference between a crackable password and an uncrackable one could be $35 million.
Protect Your Digital Life: Start with the basics—check your current security posture. Visit myip.foo to see what data you're exposing, then read our NIST password guidelines to build stronger passwords. For a complete security overhaul, follow our Privacy Checklist 2026.
Stay secure. Use strong passwords. Don't become a statistic.