Monday, December 29, 2025

$35 million crypto theft from LastPass users linked to Russian cybercrime networks

Fresh findings from a blockchain intelligence firm point to Russian cybercriminal groups as the main actors behind the laundering of more than $35 million in cryptocurrency stolen from LastPass users.

The analysis connects the long-running drain of digital assets to the 2022 breach of the password manager LastPass. According to the report, the stolen cryptocurrency was moved through illicit financial infrastructure associated with Russia’s cybercriminal ecosystem. The activity has reportedly continued for several years, with compromised crypto wallets still being emptied as recently as late 2025.

Researchers found that the attackers relied on privacy-focused tools to hide transaction trails. Despite these efforts, the funds were eventually routed to platforms operating from Russia. The report states that the hackers followed a consistent laundering pattern that has been used by Russian threat actors in previous cybercrime cases.

As part of the process, the stolen assets were first converted into Bitcoin using instant swap services. The funds were then passed through mixing services such as Wasabi Wallet and CoinJoin. These services pool transactions from multiple users to make tracking difficult. However, investigators were able to reverse the mixing by applying behavioural continuity analysis.

By studying repeated digital patterns, including how wallet software imported private keys, analysts managed to trace the funds beyond the privacy layers. This revealed their final movement into Russia-based crypto exchanges. One such platform was Cryptex, which is currently sanctioned by the United States Office of Foreign Assets Control. Investigators also traced around $7 million in stolen cryptocurrency to Audi6, another exchange linked to the Russian cybercrime network.

The report notes that the wallets interacting with these services showed clear operational links to Russia both before and after the laundering activity. This suggests the attackers were operating directly from the region rather than using rented infrastructure.

The findings highlight how certain crypto platforms continue to play a key role in enabling global cybercrime by offering off-ramps and liquidity for stolen digital assets.
