
Redazione RHC: 29 October 2025 09:03
The developers of the password manager LastPass have warned users of a large-scale phishing campaign that began in mid-October 2025. Attackers are sending emails containing fake emergency access requests for the password vault, claiming that the user has died.
According to experts, the financially motivated hacker group CryptoChameleon (also known as UNC5356) is behind this campaign. The group specializes in cryptocurrency theft and previously attacked LastPass users in April 2024.
The new campaign has proven to be extensive and technologically advanced: attackers are now hunting not only master passwords, but also passkeys.

CryptoChameleon uses a specialized phishing kit that targets cryptocurrency wallets from Binance, Coinbase, Kraken, and Gemini. In its attacks, the group actively leverages fake login pages for Okta, Gmail, iCloud, and Outlook.
In the new campaign, scammers are abusing LastPass's emergency access feature. The password manager has a succession mechanism that allows trusted contacts to request access to the vault in the event of the account holder's death or incapacity.
Upon receipt of such a request, the account owner is notified and, if they do not cancel the request within a specified period of time, access to the account is automatically granted.
In their emails, phishers claim that a family member has requested access to the victim’s storage space by uploading a death certificate. To make the message more convincing, a fake request ID is included. The recipient is encouraged to immediately cancel the request, if they are still alive, by clicking the provided link.
Naturally, these links lead to the fraudulent website lastpassrecovery[.]com, where the victim is asked to enter their master password. Researchers noted that in some cases, attackers even called victims, posing as LastPass employees, and convinced them to enter their credentials on the phishing site.
A distinctive feature of this campaign is the emphasis on passkey theft. To this end, attackers use specialized domains such as mypasskey[.]info and passkeysetup[.]com.
Passkeys are a modern passwordless authentication standard based on the FIDO2/WebAuthn protocols. Instead of traditional passwords, the technology uses public-key (asymmetric) cryptography. Modern password managers (including LastPass, 1Password, Dashlane, and Bitwarden) can store and synchronize passkeys across all devices. And, as experience shows, attackers have quickly adapted to these changes.
LastPass users are advised to remain vigilant and pay close attention to any emails regarding emergency or legacy access requests. The developers remind users to always check URLs before entering their credentials and also emphasize that LastPass representatives will never call users asking them to enter their password on any website.
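The advice to check URLs before entering credentials can be turned into a simple triage step for mail or SOC tooling. The following Python script is an added illustration, not code from LastPass or Red Hot Cyber: it refangs the indicators in an email body, extracts every link, and labels each one as trusted (on an allowlisted domain, here assumed to be lastpass.com), a brand lookalike (an untrusted host containing "lastpass" or "passkey"), or untrusted. The sample email is constructed to mirror the lure described above.

```python
import re
from urllib.parse import urlparse

# Assumption: lastpass.com is the product's own domain. An illustrative allowlist, not an official one.
TRUSTED_DOMAINS = {"lastpass.com"}
# Brand words whose presence in an untrusted host makes the link a likely lookalike.
BRAND_KEYWORDS = ("lastpass", "passkey")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators (hxxp, [.]) back into real URLs so they parse."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-label suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(url: str) -> str:
    host = host_of(url)
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Keyword check runs over the whole host, so lastpass.com.evil.example is also caught.
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"
    return "untrusted"


def triage_email(body: str) -> list[tuple[str, str]]:
    """Extract every link in an email body and label it; trailing punctuation is stripped."""
    links = [u.rstrip(".,)") for u in URL_RE.findall(refang(body))]
    return [(u, classify_link(u)) for u in links]


# Constructed sample modelled on the lure described in the article; the request ID is invented.
SAMPLE = """Subject: Emergency access request pending
A family member has uploaded a death certificate and requested emergency
access to your vault (Request ID: EA-48211). If you are still alive, cancel
the request here: hxxps://lastpassrecovery[.]com/cancel?id=EA-48211
Set up your passkey at hxxps://passkeysetup[.]com/start
Manage your account at https://lastpass.com/account"""

if __name__ == "__main__":
    for url, label in triage_email(SAMPLE):
        print(f"{label:10} {url}")
```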
Redazione