A Russian cybercrime group is believed to be behind the laundering of more than $35 million in cryptocurrency stolen from LastPass users, according to a report by blockchain analytics firm TRM Labs.
TRM Labs' analysis suggests that the withdrawals from crypto wallets in recent years are all linked to the LastPass hack in 2022. The report also notes that the stolen funds moved through illicit financial systems connected to the Russian cybercrime underworld.
How Russian cybercriminals launder stolen money
Researchers at TRM Labs discovered that the attack group used multiple privacy protocols to conceal the flow of funds, but ultimately still transferred the money to platforms in Russia.
The report also stated that the perpetrators continued to withdraw funds from the compromised wallets until the end of 2025.
These individuals have been continuously laundering money through conversion channels previously used by Russian cybercrime groups. One such exchange is Cryptex, which is currently on the blacklist of the U.S. Office of Foreign Assets Control (OFAC).
TRM Labs stated that they identified on-chain signatures indicating that the thefts were carried out by a coordinated group.
The attackers continuously convert non-Bitcoin assets to Bitcoin through fast swap platforms. This money is then further channeled into mixing services such as Wasabi Wallet and CoinJoin.
These tools combine funds from multiple users to obfuscate transaction history, which in theory would make tracing transactions extremely difficult.
However, the report points out that these privacy technologies still have major weaknesses. TRM analysts can "untangle" these transactions through continuous behavioral analysis.
The investigative team tracked specific digital traces, such as how wallet software entered private keys, thereby tracing the flow of funds. This allowed them to track asset flows through the privacy protocols and identify the final destination at exchanges in Russia.
Besides Cryptex, investigators also discovered that approximately $7 million in stolen assets had been transferred to Audi6, another exchange service operating within a cybercrime network in Russia.
The role of Russian crypto platforms in money laundering from LastPass. Source: TRM Labs
The report also stated that wallets interacting with the money-mixing service showed “operational links to Russia” both before and after the money laundering. This suggests that the hackers were not only renting infrastructure but were operating directly from Russia.
The research findings further highlight the role of crypto platforms in Russia in facilitating global cybercrime.
By providing liquidation and withdrawal channels for stolen digital assets, these exchanges have enabled criminal groups to convert stolen data into real money while circumventing international law.


