Russian cybercriminals likely laundered more than $35 million in cryptocurrency stolen from LastPass users through Russia-based exchanges and privacy tools. Researchers traced the stolen funds to illicit platforms tied to Russia's cybercriminal underground.
What Happened: Systematic Laundering Operation
TRM Labs researchers linked the multi-year theft to the 2022 LastPass breach, finding that attackers continued draining compromised vaults through late 2025.
The analysis identified a coordinated group using privacy protocols to obscure transaction trails before routing funds to Russian platforms.
The perpetrators converted non-Bitcoin assets into Bitcoin through instant swap services, then moved funds to mixing tools including Wasabi Wallet and CoinJoin. These services pool transactions from multiple users to scramble histories, but analysts successfully reversed the mixing process through behavioral continuity analysis.
Investigators traced approximately $7 million to Audi6, an exchange operating within Russia's cybercriminal ecosystem. Additional funds moved through Cryptex, an exchange currently sanctioned by the US Office of Foreign Assets Control.
Why It Matters: Infrastructure Enabling
The investigation revealed operational ties to Russia both before and after the laundering process, suggesting direct regional operation rather than rented infrastructure.
Analysts identified consistent on-chain signatures linking the thefts to a single coordinated group.
The findings demonstrate how Russian cryptocurrency platforms provide liquidity and off-ramps for stolen digital assets. By tracking specific digital footprints, including wallet software behavior when importing private keys, investigators unwound the mixing process and traced deposits to Russian exchanges.

