What happened
Cryptocurrency thefts tied to the LastPass breach continued through 2025. Investigators from TRM Labs have traced ongoing wallet drains back to encrypted password vaults stolen in the 2022 LastPass security breach, showing that attackers are still cracking weak master passwords and siphoning funds years after the initial compromise.
Who is affected
Users of the LastPass password manager whose encrypted vault backups were stolen in the 2022 breach and who stored cryptocurrency private keys or seed phrases within those vaults are directly at risk. The long-tail nature of the incident means that individuals and organizations with exposed credentials have seen wallet drains and thefts as recently as late 2025, with tens of millions of dollars in digital assets traced to the compromised vault data.
Why CISOs should care
CISOs need to pay attention because this case highlights how old breaches can continue to cause material financial loss long after the initial incident, especially when encrypted data can be brute-forced offline. The exploitation of weak master passwords combined with high-value assets like cryptocurrency underscores the importance of strong encryption practices, password hygiene, credential rotation policies, and proactive risk communication to users. Additionally, the linkage of laundering activity through known Russian-associated cryptocurrency exchanges signals broader geopolitical and threat actor considerations.
3 practical actions
- Enforce Strong Master Password Policies: Mandate long, complex, unique master passwords for any password management system and enforce high iteration counts to make offline brute-forcing impractical.
- Rotate and Revoke After Breaches: Immediately rotate stored credentials, private keys, and secrets after a breach, and advise users to migrate high-value assets like crypto wallets to cold storage or hardware security modules.
- Monitor Crypto-Related Threat Intelligence: Integrate blockchain threat intelligence feeds to detect illicit fund movements tied to known breaches and update incident response and risk assessments with evolving threat actor tactics.
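
To put numbers behind the first action, the following added example (not from the original article or from LastPass) compares what a higher iteration count buys against what a longer random passphrase buys when a stolen vault is guessed offline. It assumes a PBKDF2-HMAC-SHA256 style key-stretching function, since the article does not name the vault's KDF; the attacker rate, the iteration counts, the salt and the 7776-word list size are constructed sample values.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Entropy of one word drawn uniformly at random from a 7776-word list (assumed list size).
BITS_PER_WORD = math.log2(7776)

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password; every offline guess costs `iterations` PRF calls."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def expected_crack_years(entropy_bits: float, iterations: int, prf_per_sec: float) -> float:
    """Expected time to find the password: half the keyspace at the given PRF rate."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / prf_per_sec / SECONDS_PER_YEAR

def min_words_for_target(iterations: int, prf_per_sec: float, target_years: float) -> int:
    """Smallest random-passphrase length (in words) whose expected crack time meets the target."""
    words = 1
    while expected_crack_years(words * BITS_PER_WORD, iterations, prf_per_sec) < target_years:
        words += 1
    return words

def iteration_gain_bits(old_iterations: int, new_iterations: int) -> float:
    """A higher iteration count is worth only log2(new/old) bits of password entropy."""
    return math.log2(new_iterations / old_iterations)

if __name__ == "__main__":
    RATE = 1e12  # ASSUMED attacker throughput in PRF calls per second (constructed value)
    salt = b"constructed-salt"  # constructed sample salt, not real vault data
    key = derive_vault_key("correct horse battery staple", salt, 600_000)
    print("derived key bytes:", len(key))
    for iters in (5_000, 600_000):  # constructed sample iteration counts
        for words in (3, 4, 5, 6):
            years = expected_crack_years(words * BITS_PER_WORD, iters, RATE)
            print(f"{iters:>7} iterations, {words} words: {years:.3g} years")
    print(f"5,000 -> 600,000 iterations adds {iteration_gain_bits(5_000, 600_000):.1f} bits")
```

Under these assumptions, a 120-fold increase in iterations is worth less than one additional random word, so a master password policy has to enforce both length and iteration count rather than rely on the iteration count alone.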
