LastPass has issued an urgent warning to its users regarding a significant phishing operation that began in mid-October. The campaign uses convincing emails that notify recipients of a purported “legacy inheritance” request, claiming a family member uploaded a death certificate to gain emergency access to the vault. Investigators have linked the domains and infrastructure used in this attack to a sophisticated, financially motivated threat group known as CryptoChameleon, or UNC5356, which is well-known for utilizing a specialized phishing kit to target cryptocurrency wallets like Binance, Coinbase, and Kraken, often leveraging fake sign-in pages for services such as Okta and Gmail.
The attack leverages the legitimate LastPass emergency access feature, which is designed to allow a designated individual to request access to the account holder’s vault in the event of death or incapacitation. When a legitimate request is opened, the user is notified via email and access is automatically granted after a specified waiting period, unless the user manually intervenes. The fraudulent emails mimic this process, even including a fabricated agent ID number to bolster credibility, and urge the recipient to “cancel” the request if they are not deceased. This urgent call to action is the core of the social engineering tactic, manipulating users into clicking a malicious link.
Upon clicking the cancellation link, victims are redirected to a fraudulent website, lastpassrecovery[.]com, where they are prompted to enter their master password into a login form. In some reported cases, the threat actors escalated the attack by directly calling the victims while posing as LastPass support staff, effectively directing them to the phishing site to input their credentials. This multi-layered approach highlights the group’s determination to harvest highly sensitive information for financial gain, building on a similar, though less extensive, campaign that targeted LastPass users back in April 2024.
A critical enhancement in this newest iteration of the CryptoChameleon attack is its focus on obtaining passkeys. LastPass reports that the attackers are now employing passkey-focused phishing domains, such as mypasskey[.]info and passkeysetup[.]com, indicating a clear attempt to steal these passwordless credentials. Passkeys, which rely on asymmetric cryptography via FIDO2 / WebAuthn protocols, represent the modern standard for authentication. As contemporary password managers, including LastPass, 1Password, and Bitwarden, increasingly store and synchronize passkeys across devices, they have become a direct and lucrative target for advanced threat actors.
This ongoing compromise adds to the security challenges LastPass has faced since a major data breach in 2022, during which attackers successfully stole encrypted vault backups. That breach was subsequently linked to targeted cryptocurrency theft that resulted in millions of dollars in losses. The current, broader, and more technically enhanced phishing campaign by CryptoChameleon underscores the persistent threat landscape, pushing users to remain vigilant against attempts to exploit both their master passwords and their newer, more secure passkey credentials.