LastPass Breach: The Multi-Year Crypto Heist

Years after LastPass’s 2022 breach, exfiltrated source code and encrypted vaults fueled a coordinated crypto-laundering campaign that moved over $28M through Wasabi CoinJoin clusters in late 2024–early 2025. Blockchain forensics tied patterned wallet drains to the breach and, with US Secret Service seizures topping $23M, the saga exposes long-tail risk, the limits of mixers, and why analytics-plus-law enforcement matter.

Security researchers and law enforcement say a string of cryptocurrency thefts traced back to LastPass’s 2022 breach resurfaced as a coordinated laundering campaign in late 2024 and early 2025. Blockchain forensics tied the thefts to data taken during the 2022 incident — including source code, proprietary data and backups that contained encrypted password vaults with stored crypto wallet keys — and showed funds being drained in patterned waves years after the initial breach. Reporting and technical analysis are summarized in this account. https://www.bleepingcomputer.com/news/security/cryptocurrency-theft-attacks-traced-to-2022-lastpass-breach/

What was taken in 2022
LastPass disclosed that attackers exfiltrated source code and other proprietary materials during the 2022 compromise, and at a later stage accessed backups that included encrypted password vaults. Those vaults can contain credentials and private keys for custodial or non-custodial crypto wallets — assets that remain valuable long after a breach when criminals find a way to unlock or otherwise exploit the contents.

How the thefts played out
Blockchain analysis by TRM Labs showed a consistent operational pattern: wallets associated with accounts tied to the compromised vaults were emptied in multiple waves across months, with transaction flows and timing that matched a single campaign. The stolen assets were routed through a sequence of transactions that ended at Russian cryptocurrency exchanges, and substantial portions were passed through Wasabi Wallet’s CoinJoin mixer to complicate tracing.

Scale and enforcement response
TRM Labs estimates the campaign moved and laundered more than $28 million via Wasabi CoinJoin clusters during late 2024 and early 2025. U.S. law enforcement has taken action: the U.S. Secret Service seized over $23 million in crypto linked to these operations. The combination of blockchain analytics and cross-border enforcement disrupted a large fraction of the value, but not before sizable amounts were blended and distributed.

Tactical lessons for defenders and investors

  • Long tail risk: Breached data that includes credentials or encrypted vaults can retain operational value for years; attackers may exploit delayed decryption, credential reuse, or other post-breach paths to monetize the information long after the initial incident.
  • Mixing is not bulletproof: CoinJoin-style mixers raise the cost and complexity of tracing but do not make illicit flows invisible to advanced analytics. Persistent pattern matching, clustering, and exchange compliance can still yield recoveries.
  • Password managers and key custody: The case underscores structural risk when password managers store keys or credentials for high-value assets. Strong master-password practices, hardware-based key custody for crypto, and periodic vault rotation reduce exposure.
  • Law enforcement + analytics: Coordinated forensic work between private analytics firms and law enforcement remains the most effective countermeasure against multistage laundering campaigns that cross jurisdictional boundaries.

Operational implication for markets
The incident highlights how a single breach in widely used infrastructure can create a delayed and concentrated source of illicit liquidity that then interacts with regulated and unregulated on-ramps. For exchanges and compliance teams, prioritizing attribution signals and rapid response to flagged deposit chains reduces the window available for criminals to cash out or obfuscate provenance.
