Phishers Exploit LastPass Emergency Feature with Fake Death Certificates

LastPass has issued an urgent warning about a sophisticated phishing campaign that began mid-October 2025, in which attackers send fraudulent emergency access requests claiming the account holder has died.

Security researchers attribute the campaign to CryptoChameleon (also tracked as UNC5356), a financially motivated threat group specializing in cryptocurrency theft. The group previously targeted LastPass users in April 2024, but this latest operation represents a significant escalation in both scale and technical sophistication—attackers are now pursuing not only master passwords but also the newer passkey authentication credentials.

How the Attack Works

The scammers exploit LastPass's Emergency Access feature, a legitimate inheritance mechanism: the account owner designates trusted contacts who can request access to the vault if the owner becomes incapacitated or dies. When a contact submits a request, the owner is notified and has a waiting period, chosen by the owner when the contact was set up, in which to decline it. If the owner does nothing, access is granted automatically once the period expires. That built-in countdown is what the lure weaponizes: the phishing email mimics the notification and turns the cancel step into the call to action.

In the phishing emails, attackers claim a family member has requested emergency access and submitted a death certificate as proof. The messages carry fabricated request IDs to look like system-generated notices and urge recipients to cancel the request immediately, if they are still alive, by clicking the provided link.

These links direct victims to the fraudulent domain lastpassrecovery[.]com, where they're prompted to enter their master password. In some cases, attackers have escalated their tactics by calling victims directly, impersonating LastPass employees to pressure them into surrendering credentials on the phishing site.

Targeting the Future of Authentication

A distinguishing feature of this campaign is its focus on passkeys, the passwordless credentials defined by the FIDO2/WebAuthn standards. A passkey is an asymmetric key pair: the private key stays on the authenticator or in the password manager's vault, and each sign-in is a signature over a challenge that the browser binds to the genuine site's origin, so a lookalike domain cannot simply relay a passkey login the way it can relay a typed password. What a phishing operation can go after is the vault that stores and syncs those private keys, which is why master passwords and passkeys are pursued together. Major password managers including LastPass, 1Password, Dashlane, and Bitwarden now support passkey storage and synchronization across devices.

To harvest these credentials, CryptoChameleon has deployed specialized phishing domains such as mypasskey[.]info and passkeysetup[.]com, demonstrating how quickly threat actors adapt to emerging security technologies.

The group's toolkit also includes phishing pages mimicking Okta, Gmail, iCloud, and Outlook, as well as fake login portals for cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini.

Staying Protected

LastPass urges users to scrutinize any email about inheritance or emergency access requests. The company emphasizes that legitimate LastPass representatives will never call users and ask them to enter a password on any website. Rather than following a link in such an email, open the vault directly, through the app or by typing the address, and check the Emergency Access settings for a pending request; a genuine request will show there, and a fabricated one will not. Verify URLs carefully before entering credentials, and treat unsolicited emergency access notifications with suspicion, particularly those paired with demands for immediate action.
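The URL check above is the step most people get wrong, because a link such as lastpassrecovery[.]com contains the brand name and reads as plausible. The following is an added example, not LastPass code and not part of the original article, of what "verify the URL" means in practice: only https links whose host is lastpass.com or a subdomain of it are accepted, and the usual tricks (brand name as a subdomain of another domain, userinfo before an @, plain http, non-ASCII homograph hostnames) are rejected. The allowlist of a single trusted domain and the sample URLs are constructed for illustration; the defanged phishing domains are the ones named in the article.

```python
"""Decide whether a link from an email really points at LastPass.

Added example for this article; not LastPass's own code. TRUSTED_DOMAIN
is an assumption made for illustration, and the sample URLs below are
constructed test data (the phishing domains are quoted from the article).
"""
from urllib.parse import urlsplit

# Assumed allowlist: the registrable domain and its subdomains only.
# Anything that merely contains the brand name is not trusted.
TRUSTED_DOMAIN = "lastpass.com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (lastpassrecovery[.]com, hxxps://) back
    into a real URL so it can be run through the same check."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def is_genuine_lastpass_link(url: str) -> bool:
    """True only for an https URL whose host is TRUSTED_DOMAIN or a
    subdomain of it.

    Rejects: lookalike domains (lastpassrecovery.com), brand-as-subdomain
    (lastpass.com.attacker.example), userinfo tricks
    (https://lastpass.com@attacker.example/), plaintext http, and
    hostnames containing non-ASCII characters (possible homographs).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # userinfo and port removed, lowercased
    if not host or not host.isascii():
        return False
    host = host.rstrip(".")  # "lastpass.com." is the same name
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample set: two genuine links and five lures.
CONSTRUCTED_SAMPLES = [
    "https://lastpass.com/",
    "https://www.lastpass.com/emergency-access",
    "hxxps://lastpassrecovery[.]com/cancel?id=12345",   # domain from the article
    "https://lastpass.com.account-check.example/",      # brand as a subdomain
    "https://lastpass.com@attacker.example/",           # userinfo trick
    "http://lastpass.com/",                             # no TLS
    "https://lastp\u0430ss.com/",                       # Cyrillic "а" homograph
]


def classify(urls):
    """Map each (possibly defanged) URL to True if genuine, False otherwise."""
    return {u: is_genuine_lastpass_link(refang(u)) for u in urls}


if __name__ == "__main__":
    for url, ok in classify(CONSTRUCTED_SAMPLES).items():
        print(("GENUINE " if ok else "REJECT  ") + url)
```

The check is deliberately an exact allowlist rather than a "does it look like LastPass" heuristic: a brand-name substring match would have accepted every lure in the sample set. The same function can be pointed at any other vendor by changing TRUSTED_DOMAIN, and the homograph rule is a blunt one (it rejects every non-ASCII hostname) that is appropriate when the only expected destination is a known ASCII domain.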