Cryptocurrency Thefts Traced to 2022 Breach
January 9, 2026
Investigators from TRM Labs say that a series of cryptocurrency thefts, occurring years after the initial compromise, can be traced to password vaults stolen from a major password manager.
Lawrence Abrams reports in BleepingComputer that the attacker’s MO, waiting for an extended period before draining digital wallets, complicates detection and recovery.
The events began in 2022, when attackers accessed internal systems and later obtained encrypted customer vault backups stored with a third-party cloud provider. Some vaults contained login credentials alongside private keys and seed phrases for cryptocurrency wallets.
Although they were encrypted, vaults protected by weak or reused master passwords were vulnerable to offline cracking. Federal investigators later seized more than $23 million in stolen cryptocurrency. They stated in court filings that the victims’ devices showed no evidence of phishing or malware, which supports a connection to the compromised vault data.
A recent blockchain analysis connected multiple waves of wallet drains to this breach pattern, rather than new intrusions. The thefts shared transaction characteristics indicating that attackers already possessed private keys before funds were moved.
Researchers traced laundering activity by examining transaction timing, structure, and clustering behavior. Treating the activity as a coordinated campaign enabled attribution of more than $28 million in losses from late 2024 and early 2025. An additional $7 million was linked to a later wave. Repeated cash-outs through Russian-linked exchanges were identified.
The findings demonstrate long-tail exposure from breaches involving encrypted repositories and sensitive credentials. Lawyers should note that their risk assessments must consider delayed financial harm, evolving attribution evidence, and cross-border enforcement limits.
Clients should be advised to carefully evaluate password security practices, third-party storage arrangements, and incident disclosures. Litigation and regulatory risk may emerge years after an initial breach.