Russian cybercriminals are likely responsible for laundering over 35 million USD in cryptocurrencies stolen from LastPass users, according to a report by analytics firm TRM Labs.

Experts have linked the years-long draining of cryptocurrency wallets to the 2022 breach of the LastPass password manager. They noted that the stolen funds flowed through illegal financial infrastructure associated with the Russian cybercrime underground.

How did Russian cybercriminals launder the stolen funds?

TRM Labs researchers determined that the attackers used privacy protocols to conceal the money trails. However, they ultimately transferred funds to platforms operating in Russia.

According to the report, the perpetrators continued to move assets from compromised vaults as late as the end of 2025.

The cybercriminals systematically laundered the stolen funds through off-ramps that Russian threat groups often use. One such off-ramp was the Cryptex exchange, currently sanctioned by OFAC (the U.S. Office of Foreign Assets Control).

TRM Labs announced that it had identified a 'consistent chain signature' linking the thefts to one coordinated group.

The attackers repeatedly exchanged non-Bitcoin assets for BTC using instant swap services. They then transferred funds to mixers such as Wasabi Wallet and CoinJoin.

These tools combine funds from multiple users to obscure transaction histories and, in theory, make tracking impossible.

However, the report points to a significant flaw in these privacy technologies. Analysts were able to 'unmix' transactions by applying behavioral continuity analysis.

Investigators observed specific digital traces, such as the method of importing private keys into wallet software. They then effectively reconstructed the mixing process. This allowed them to track digital currency through privacy protocols and see its final deposit on Russian exchanges.

Aside from Cryptex, investigators traced approximately 7 million USD in stolen funds to Audia6, another exchange service operating within the Russian cybercrime ecosystem.

The report indicates that wallets using mixers exhibited 'operational links' to Russia both before and after the laundering process. This suggests that the hackers not only rented infrastructure but also operated directly from the region.

The findings highlight how Russian cryptocurrency platforms support global cybercrime.

By providing liquidity and off-ramps for stolen digital assets, these exchanges allow criminal groups to monetize data leaks and evade international law enforcement.
