Fake LastPass Death Claims Phishing Campaign Exploits Emergency Access to Breach Password Vaults
- Rescana

Executive Summary
In mid-October 2025, a sophisticated phishing campaign targeting users of the LastPass password manager was identified and publicly disclosed by multiple security sources. The campaign, attributed to the financially motivated threat group CryptoChameleon (UNC5356), exploits the LastPass inheritance (emergency access) feature by sending fraudulent emails that claim a family member has requested access to the recipient’s password vault due to a supposed death. These emails include fabricated agent IDs and links to convincing phishing sites, prompting users to enter their master passwords or passkeys. In some cases, attackers also contacted victims by phone, impersonating LastPass staff to increase the likelihood of credential disclosure. The campaign is notable for targeting both traditional master passwords and modern passkeys (FIDO2/WebAuthn credentials), as well as credentials for cryptocurrency wallets such as Binance, Coinbase, Kraken, and Gemini. No technical vulnerabilities in LastPass software were exploited; the attack relies entirely on social engineering. The impact is considered high, especially for European organizations with significant LastPass adoption, due to the potential for widespread credential theft, financial loss, and regulatory exposure under GDPR. Immediate mitigation steps include user education, enforcement of multi-factor authentication, and enhanced monitoring for suspicious access attempts. All information in this summary is directly supported by the cited primary sources.
Technical Information
The attack campaign leverages social engineering techniques to exploit the LastPass inheritance feature, which is designed to allow designated individuals to access a user’s password vault in the event of death or incapacity. Attackers send phishing emails that appear to originate from LastPass or a trusted entity, informing the recipient that a family member has submitted a death certificate and requested emergency access to their vault. The email includes a fabricated agent ID and urges the recipient to click a link to cancel the request if they are not deceased. This link directs the user to a fraudulent website, such as lastpassrecovery[.]com, which closely mimics the legitimate LastPass interface and prompts the user to enter their master password.
In addition to email-based phishing, some victims reported receiving phone calls from individuals impersonating LastPass support staff. These calls were used to further pressure users into entering their credentials on the phishing site. The campaign also targets passkeys, a passwordless authentication standard based on the FIDO2/WebAuthn protocols, by using domains such as mypasskey[.]info and passkeysetup[.]com. Passkeys are increasingly stored and synchronized by modern password managers, making them a valuable target for attackers seeking to bypass traditional password-based security.
The infrastructure and phishing kit used in this campaign are attributed to CryptoChameleon (UNC5356), a group known for cryptocurrency theft and for targeting multiple wallet providers, including Binance, Coinbase, Kraken, and Gemini. The phishing kit is capable of creating convincing fake sign-in pages for a variety of services, including Okta, Gmail, iCloud, and Outlook, in addition to cryptocurrency wallets.
No malware deployment has been observed in this campaign; the attack is limited to credential harvesting through phishing. The campaign does not exploit any technical vulnerabilities in LastPass or its infrastructure. Instead, it relies on the effectiveness of social engineering and the trust users place in official-looking communications from LastPass.
The campaign’s technical details map to several MITRE ATT&CK techniques and one tactic: Phishing (T1566), Phishing for Information (T1598), the Credential Access tactic (TA0006), and Gather Victim Identity Information: Credentials (T1589.001). The attack is notable for its use of emotional manipulation, urgency, and brand impersonation to increase the likelihood of success.
The primary data at risk includes master passwords for LastPass vaults, FIDO2/WebAuthn passkeys, and credentials for cryptocurrency wallets. If a user’s master password or passkey is compromised, all credentials stored in their password vault may be exposed, enabling attackers to access a wide range of personal and organizational accounts.
The campaign began in mid-October 2025 and was publicly disclosed by BleepingComputer and Offseq Radar on October 24, 2025. Cyber News Live and other security news outlets amplified warnings and mitigation advice on October 23-24, 2025. The attack is assessed as high severity due to the sensitive nature of the data at risk, the ease of exploitation, and the potential for cascading breaches across multiple services.
European organizations are particularly at risk due to widespread LastPass adoption and the regulatory implications of credential compromise under GDPR. Sectors most affected include finance and cryptocurrency (due to direct targeting of wallet credentials), enterprise and corporate environments (risk of lateral movement and further breaches), and healthcare and government (high-value targets for espionage and data theft).
The attack is an evolution of previous campaigns by CryptoChameleon, including a similar phishing campaign in April 2024 and follow-on attacks after the 2022 LastPass breach, which resulted in the theft of encrypted vault backups and subsequent cryptocurrency losses estimated at $4.4 million.
All technical claims and attributions in this section are directly supported by the cited primary sources, with a high level of confidence based on the consistency and detail of the evidence provided.
Affected Versions & Timeline
The phishing campaign targets all users of the LastPass password manager, regardless of version, as it exploits the emergency access (inheritance) feature through social engineering rather than a technical vulnerability. The campaign began in mid-October 2025, with public disclosures and technical analyses published on October 24, 2025. The attack infrastructure includes domains such as lastpassrecovery[.]com, mypasskey[.]info, and passkeysetup[.]com, which were active during this period. Previous related campaigns by CryptoChameleon targeted LastPass users in April 2024, and the group has a history of targeting cryptocurrency wallets and password managers.
The timeline of verified events is as follows: In mid-October 2025, the phishing campaign began targeting LastPass users with fake death/inheritance requests. On October 24, 2025, BleepingComputer and Offseq Radar published technical analyses and warnings. On October 23-24, 2025, Cyber News Live and other security news outlets amplified warnings and mitigation advice.
No technical vulnerability in any specific version of LastPass was exploited; the attack is effective against any user who can be reached via email or phone and who may be susceptible to social engineering.
Threat Activity
The threat activity is characterized by a coordinated phishing campaign attributed to CryptoChameleon (UNC5356), a financially motivated group specializing in cryptocurrency theft. The group employs a phishing kit capable of generating convincing fake sign-in pages for a variety of services, including password managers and cryptocurrency wallets. The campaign specifically targets users of the LastPass password manager by exploiting the emergency access (inheritance) feature through fraudulent death claims.
Attackers send emails that appear to originate from LastPass or a trusted entity, informing the recipient of a death certificate submission and an emergency access request. The email includes a fabricated agent ID and a link to a phishing site designed to harvest master passwords or passkeys. In some cases, attackers follow up with phone calls, impersonating LastPass staff to increase the likelihood of credential disclosure.
The campaign also targets passkeys, a passwordless authentication standard based on FIDO2/WebAuthn protocols, by using domains such as mypasskey[.]info and passkeysetup[.]com. This indicates an evolution in attacker tactics, as passkeys become more widely adopted and stored in password managers.
The primary goal of the campaign is to compromise password vaults, enabling attackers to access a wide range of credentials, including those for cryptocurrency wallets, enterprise systems, and personal accounts. The attack does not rely on any technical vulnerability in LastPass software; it is purely a social engineering attack.
The campaign is assessed as high severity due to the sensitive nature of the data at risk, the ease of exploitation, and the potential for widespread impact across multiple sectors. European organizations are particularly at risk due to high LastPass adoption and GDPR implications. Sectors most affected include finance and cryptocurrency, enterprise and corporate environments, and healthcare and government.
The threat is ongoing, and defenders are advised to prioritize detection of phishing attempts referencing LastPass death claims, reinforce secure password management practices, and implement robust user education and multi-factor authentication.
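The detection priority stated above, and the email-filtering recommendation under Mitigation & Workarounds, can be expressed as a scoring rule over inbound mail. The following is an added example written for this page; it is not Rescana's or LastPass's code and not a product rule. It assumes a simplified email record, a single verified sending domain (lastpass.com) and hand-picked weights and thresholds; the three indicator domains are the ones the advisory names, and the sample messages are constructed, not real captures.

```python
"""Triage rule for the LastPass death-claim phishing lure.

Added example, not Rescana's or LastPass's code. Email records, the
legitimate-sender allowlist, weights and thresholds are constructed assumptions;
the three indicator domains are the ones named in the advisory, stored defanged.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicator domains from the advisory, kept defanged in config and refanged only for matching.
CAMPAIGN_DOMAINS_DEFANGED = ["lastpassrecovery[.]com", "mypasskey[.]info", "passkeysetup[.]com"]
LEGIT_DOMAINS = {"lastpass.com"}  # assumption: extend with your tenant's verified sending domains
BRAND = "lastpass"
BLOCK_AT, REVIEW_AT = 6, 3        # assumed thresholds

# Lure phrases the advisory describes, each with an assumed weight.
LURE_PATTERNS = {
    r"\bemergency access\b": 2, r"\bdeath certificate\b": 3, r"\binheritance\b": 2,
    r"\bagent id\b": 2, r"\bcancel (this|the) request\b": 1,
    r"\bmaster password\b": 1, r"\bpasskey\b": 1,
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


CAMPAIGN_DOMAINS = {refang(d) for d in CAMPAIGN_DOMAINS_DEFANGED}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    links: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    score: int
    reasons: list[str]

    @property
    def label(self) -> str:
        if self.score >= BLOCK_AT:
            return "block"
        return "review" if self.score >= REVIEW_AT else "allow"


def sender_domain(addr: str) -> str:
    """'LastPass <x@y.com>' -> 'y.com'."""
    return addr.rsplit("@", 1)[-1].strip("> ").lower()


def is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(mail: Email) -> Verdict:
    score, reasons = 0, []
    text = f"{mail.subject}\n{mail.body}".lower()
    # 1. Lure content: the death / inheritance / emergency-access theme.
    for pattern, weight in LURE_PATTERNS.items():
        if re.search(pattern, text):
            score += weight
            reasons.append(f"lure phrase {pattern!r}")
    # 2. Brand impersonation: talks about LastPass but is not sent from a verified domain.
    sdom = sender_domain(mail.sender)
    if (BRAND in text or BRAND in mail.sender.lower()) and not any(is_under(sdom, d) for d in LEGIT_DOMAINS):
        score += 3
        reasons.append(f"brand claimed from unverified sender domain {sdom}")
    # 3. Links: known campaign infrastructure, or a lookalike host carrying the brand name.
    for url in mail.links:
        host = (urlparse(url).hostname or "").lower()
        if any(is_under(host, d) for d in CAMPAIGN_DOMAINS):
            score += 5
            reasons.append(f"known campaign domain {host}")
        elif BRAND in host and not any(is_under(host, d) for d in LEGIT_DOMAINS):
            score += 3
            reasons.append(f"lookalike host {host}")
    return Verdict(score, reasons)


# Constructed sample messages (not real captures).
SAMPLES = {
    "death_claim": Email(
        sender="LastPass Support <support@lastpassrecovery.com>",
        subject="Emergency access request: death certificate received (Agent ID 4471-B)",
        body="A family member has submitted a death certificate and requested emergency access to "
             "your vault. Cancel this request within 24 hours by signing in with your master password.",
        links=["https://lastpassrecovery.com/cancel?agent=4471-B"]),
    "monthly_report": Email(
        sender="LastPass <noreply@lastpass.com>", subject="Your LastPass security report",
        body="Here is your monthly summary. No emergency access requests are pending.",
        links=["https://lastpass.com/security"]),
    "lookalike": Email(
        sender="billing@example.net", subject="Action needed on your passkey",
        body="Set up your passkey again to keep access to your LastPass vault.",
        links=["https://lastpass-verify.example.org/setup"]),
}


def triage_all(samples: dict[str, Email] = SAMPLES) -> dict[str, str]:
    """Map each sample name to its verdict label."""
    return {name: triage(mail).label for name, mail in samples.items()}
```

A genuine emergency-access notice mentions the feature and may land in the review band, which is intended: lure wording alone routes a message to review or quarantine, while the hard block is reserved for known campaign infrastructure and brand-bearing lookalike hosts that are not under a verified domain.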
Mitigation & Workarounds
Mitigation of this threat requires a multi-layered approach, with priority given to user education and technical controls. The following recommendations are prioritized by severity:
Critical: Immediate user education and phishing awareness training are essential. All users of LastPass and similar password managers should be informed about the specific tactics used in this campaign, including fake death/inheritance requests and phone-based impersonation. Training should emphasize verification procedures for unexpected or alarming communications related to password management services.
Critical: Enforce multi-factor authentication (MFA) for all LastPass accounts and other critical systems. MFA significantly reduces the risk of unauthorized access, even if credentials are compromised through phishing.
High: Monitor for suspicious login patterns and new device access on password vaults. Unusual access attempts, especially from unfamiliar locations or devices, should trigger alerts and prompt further investigation.
High: Update incident response plans to address credential compromise scenarios involving password managers. Plans should include procedures for revoking access, resetting credentials, and notifying affected users.
Medium: Regular audits of password vault access and usage can help identify anomalies and potential breaches. Organizations should review access logs and investigate any unusual activity.
Medium: Configure email security solutions to detect and quarantine phishing attempts referencing LastPass or related death claims, using updated threat intelligence feeds.
Medium: Encourage users to verify suspicious messages through official LastPass channels or internal IT support before taking any action.
Low: Consider alternative or supplementary password management solutions with enhanced security features if organizational risk tolerance is low.
Low: Collaborate with cybersecurity information sharing groups to improve detection and response capabilities against similar phishing campaigns.
No technical patch or update to LastPass is required, as the attack does not exploit a software vulnerability. Defense relies on user vigilance, robust authentication, and proactive monitoring.
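The monitoring and audit recommendations above (new-device access, unfamiliar locations, review of access logs) can be implemented as a small baseline-and-deviation check over a vault's audit export. The following is an added example for this page, not Rescana's or LastPass's code: the JSON-lines record shape, the baseline cut-off date and the one-hour travel window are assumptions, and the log lines are constructed. Map a real audit export onto the fields user, ts, device_id, country and result.

```python
"""New-device and new-location alerting over password-vault access logs.

Added example, not Rescana's or LastPass's code. The JSON-lines format, the
baseline cut-off and the travel window are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_END = datetime(2025, 10, 15, tzinfo=timezone.utc)  # successes before this train the baseline
TRAVEL_WINDOW = timedelta(hours=1)                           # two countries inside this window is suspicious

# Constructed sample audit lines: a quiet baseline, then activity on the disclosure date.
SAMPLE_LOG = """\
{"user": "alice@example.org", "ts": "2025-10-01T08:02:11Z", "device_id": "dev-a1", "country": "DE", "result": "success"}
{"user": "alice@example.org", "ts": "2025-10-10T17:44:03Z", "device_id": "dev-a2", "country": "DE", "result": "success"}
{"user": "bob@example.org", "ts": "2025-10-02T12:00:00Z", "device_id": "dev-b1", "country": "FR", "result": "success"}
{"user": "alice@example.org", "ts": "2025-10-24T03:12:55Z", "device_id": "dev-a1", "country": "DE", "result": "failure"}
{"user": "alice@example.org", "ts": "2025-10-24T03:14:02Z", "device_id": "dev-zz9", "country": "NG", "result": "success"}
{"user": "bob@example.org", "ts": "2025-10-24T03:20:10Z", "device_id": "dev-b1", "country": "FR", "result": "success"}
{"user": "bob@example.org", "ts": "2025-10-24T03:41:00Z", "device_id": "dev-b1", "country": "US", "result": "success"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events with aware datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _alert(alerts: list, ev: dict, kind: str, detail: str) -> None:
    alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(), "kind": kind, "detail": detail})


def detect(text: str) -> list[dict]:
    """Return alerts for successful logins that deviate from each user's learned baseline."""
    known_devices = defaultdict(set)
    known_countries = defaultdict(set)
    last_success = {}  # user -> most recent successful event
    alerts = []
    for ev in parse_log(text):
        user = ev["user"]
        if ev["result"] != "success":
            continue  # failures stay out of the baseline; count them separately if useful
        if ev["ts"] < BASELINE_END:  # training period: learn, do not alert
            known_devices[user].add(ev["device_id"])
            known_countries[user].add(ev["country"])
            last_success[user] = ev
            continue
        if ev["device_id"] not in known_devices[user]:
            _alert(alerts, ev, "new_device", ev["device_id"])
        if ev["country"] not in known_countries[user]:
            _alert(alerts, ev, "new_country", ev["country"])
        prev = last_success.get(user)
        if prev and prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            _alert(alerts, ev, "rapid_country_change", f"{prev['country']}->{ev['country']}")
        # Learn the event so a repeat from the same device/location does not re-alert.
        known_devices[user].add(ev["device_id"])
        known_countries[user].add(ev["country"])
        last_success[user] = ev
    return alerts
```

On the sample log this raises four alerts: a new device and a new country for alice, and a new country plus a rapid country change for bob. The three lines that learn each post-baseline event can be removed if every anomalous login should alert rather than only the first.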
References
BleepingComputer, "Fake LastPass death claims used to breach password vaults," October 24, 2025 https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-used-to-breach-password-vaults/
Offseq Radar, "Fake LastPass death claims used to breach password vaults," October 24, 2025 https://radar.offseq.com/threat/fake-lastpass-death-claims-used-to-breach-password-22480ce0
Cyber News Live, LinkedIn post, October 23-24, 2025 https://www.linkedin.com/posts/cyber-news-live_fake-lastpass-death-claims-used-to-breach-activity-7387622593178152961-Dfak
MITRE ATT&CK, "Phishing (T1566)" https://attack.mitre.org/techniques/T1566/
MITRE ATT&CK, "Phishing for Information (T1598)" https://attack.mitre.org/techniques/T1598/
MITRE ATT&CK, "Credential Access (TA0006)" https://attack.mitre.org/tactics/TA0006/
MITRE ATT&CK, "Gather Victim Identity Information: Credentials (T1589.001)" https://attack.mitre.org/techniques/T1589/001/
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor, assess, and respond to emerging threats in their digital supply chain. Our platform supports the identification of phishing campaigns, credential compromise risks, and social engineering threats by integrating threat intelligence, automated risk scoring, and incident response workflows. For questions or further information, please contact us at ops@rescana.com.