LastPass warns of emergency access phishing as attackers pivot to passkeys

CyberSecureFox 🦊

LastPass has alerted users to a large-scale phishing operation that began in mid-October 2025. The campaign impersonates “emergency access” and inheritance notifications, falsely claiming the account owner has died and that a trusted contact uploaded a death certificate. The lure is designed to drive victims to phishing pages where they are pressured to enter their master password or approve actions that expose credentials and cryptocurrency assets.

Threat actor profile: CryptoChameleon (UNC5356) targets password managers and passkeys

According to the analysis, a financially motivated group tracked as CryptoChameleon (UNC5356) is behind the activity. The same actor targeted LastPass users in early 2024 and has expanded tooling and scope in the current wave. Notably, the group now aims at both master passwords and passkeys—FIDO2/WebAuthn-based authentication keys increasingly supported by modern password managers.

Attack chain: spoofed inheritance flow and high-fidelity phishing pages

Abusing LastPass emergency access/inheritance semantics

LastPass offers an inheritance-style Emergency Access feature: a trusted contact can request access if the owner is deceased or incapacitated. If the owner does not deny the request within a set window, access is granted. The attackers forge such notifications, complete with a fabricated “request ID” and claims that a relative uploaded a death certificate, and push recipients to “cancel the operation immediately” via a link.

Deceptive domains and phone-based social engineering

Links in the emails lead to phishing sites such as lastpassrecovery[.]com, which prompt victims for their master password. Other domains aim to intercept passkey flows, including mypasskey[.]info and passkeysetup[.]com. Researchers also observed multi-step social engineering: in some cases, actors call targets while posing as LastPass staff to shepherd them through login on counterfeit pages.

From wallets to work: credential harvesting across personal and enterprise accounts

CryptoChameleon employs a specialized phishing kit tuned for cryptocurrency holders, imitating login portals for Binance, Coinbase, Kraken, and Gemini. To widen access and bypass enterprise defenses, the kit also clones identity and email providers such as Okta, Gmail, iCloud, and Outlook. This blend allows attackers to pivot between personal and corporate ecosystems, increasing the likelihood of monetization and deeper compromise.

Why passkeys are in the crosshairs—and how phishing still works

Passkeys are passwordless credentials based on asymmetric cryptography (FIDO2/WebAuthn). The private key stays on the user’s device, and services verify a cryptographic signature. Leading password managers—including LastPass, 1Password, Dashlane, and Bitwarden—now store and sync passkeys. Rather than “breaking” the cryptography, adversaries adapt by phishing the flow: they replicate sign-in prompts, coerce approvals, and exploit users’ trust in familiar branding to elicit authentication on attacker-controlled domains.

How to recognize the scam and reduce risk

Verify the URL before any action. Official LastPass domains do not include extra words, unusual TLDs, or recovery/setup-themed variations. Phishing sites often embed terms like “recovery,” “setup,” or “security.”

Do not click email links about Emergency Access. Navigate to LastPass by manually typing the address or using a trusted bookmark, then check account notifications directly in the product UI.

Treat unsolicited calls as social engineering. LastPass representatives do not ask you to enter passwords or approve actions on third-party pages. Hang up and contact support through official channels.

Enforce multi-factor authentication (MFA) everywhere. Hardware-backed or phishing-resistant factors reduce the blast radius of a stolen password or a single misstep.

Invest in phishing awareness. Industry reporting—such as Verizon’s DBIR 2024 and the FBI IC3—consistently ranks phishing among the top initial access vectors, underscoring the value of continuous training and simulations.

By exploiting the familiar Emergency Access mechanism, this campaign resonates with a broad audience—from individual users to employees behind SSO/IdP—while its emphasis on passkeys shows how quickly adversaries retool for new authentication standards. Users should confirm any critical actions exclusively within the official LastPass interface, routinely review security settings (including trusted contacts and inheritance parameters), and report suspicious emails or calls directly to LastPass support. Vigilance, URL discipline, and strong MFA are the most effective countermeasures against this evolving social-engineering playbook.
