Password manager LastPass is warning of a new wave of phishing attacks, in which scammers send emails purporting to “request access” to passwords due to the owner’s death. The attackers pose as company representatives and trick users into entering their master passwords on fake pages. The campaign began in mid-October and is linked to the notorious CryptoChameleon (UNC5356) phishing group, which specializes in stealing cryptocurrencies.

Using fake domains, the attackers send users emails with the subject line:

> “Your relative has requested inherited access to your LastPass vault.”

The message contains a fake agent ID and a link to “cancel the request.” After clicking through, the victim is taken to the lastpassrecovery[.]com website, where they are asked to enter their master password.

According to LastPass, in some cases, the hackers have even called customers pretending to be support staff. The new campaign also features passkey-focused domain names (e.g. *mypasskey[.]info*, *passkeysetup[.]com*), suggesting an attempt to steal the new passwordless FIDO2/WebAuthn credentials.
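
As an added defender-side example (not code from the article or from LastPass), the following Python triage function flags mail matching the lure described above: an inheritance/vault-access subject, a sender outside the legitimate domain, and links to brand-lookalike hosts such as the recovery and passkey domains named here. It assumes lastpass.com is the only legitimate LastPass domain and runs on a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"lastpass.com"}   # assumption: the only legitimate domain
BRAND_WORDS = ("lastpass", "passkey")  # words the lookalike domains reuse
LURE_SUBJECT = re.compile(r"inherit|vault access", re.I)  # campaign lure
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list for ccSLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def suspicious_links(body: str) -> list[str]:
    """Links whose host imitates the brand but is not an allowlisted domain."""
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if registrable_domain(host) in ALLOWED_DOMAINS:
            continue
        if any(word in host for word in BRAND_WORDS):
            # Defang the host so the indicator is not clickable in a report.
            flagged.append(url.replace(host, host.replace(".", "[.]")))
    return flagged

def triage_email(raw: str) -> dict:
    """Flag a single-part RFC 822 message matching the inheritance-lure pattern."""
    msg = message_from_string(raw)
    sender_host = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    links = suspicious_links(msg.get_payload())
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject matches inheritance/vault-access lure")
    if registrable_domain(sender_host) not in ALLOWED_DOMAINS:
        reasons.append(f"sender domain {sender_host} not allowlisted")
    if links:
        reasons.append(f"brand-lookalike links: {links}")
    return {"suspicious": bool(reasons), "reasons": reasons, "links": links}

# Constructed sample using the domains named in the article (not real mail).
SAMPLE_EMAIL = """\
From: LastPass Support <support@lastpassrecovery.com>
Subject: Your relative has requested inherited access to your LastPass vault.

To cancel the request visit https://lastpassrecovery.com/cancel?case=0000
Set up your passkey at https://passkeysetup.com/start
Help centre: https://support.lastpass.com/help
"""
```

Running `triage_email(SAMPLE_EMAIL)` reports all three indicators while the genuine support.lastpass.com link passes, which is the manual check the article recommends expressed as a mail-gateway rule.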
CryptoChameleon previously targeted LastPass users in 2024, but this time the operation was larger and more technologically sophisticated, targeting not only passwords but also passkeys.
LastPass’ “inheritance” feature is a legitimate option that allows you to transfer your password content to a trusted person after the owner’s death. The attackers used this idea to give the emails an official look.
This is not the first time LastPass has been targeted — in 2022, the company suffered a massive hack in which encrypted backups of user vaults were stolen. At the time, user losses were estimated at over $4.4 million in cryptocurrency.

CryptoChameleon, in addition to LastPass, is also targeting users of Binance, Coinbase, Kraken, and Gemini, creating realistic copies of Okta, Gmail, iCloud, and Outlook pages — all with the aim of harvesting credentials.

This attack shows how personalized phishing has become — hackers are simulating inheritance procedures, calling users, and even disguising sites as two-factor authentication systems.

LastPass advises never to click on links in emails regarding “Vault access,” and to always manually verify the site address via the official portal. Overall, this campaign is another reminder: even those who use password managers are not immune to social engineering.