Hackers are targeting LastPass users with fake inheritance requests claiming a family member has uploaded a death certificate to access their vault. The phishing campaign, discovered in mid-October 2025, is linked to the financially motivated threat group CryptoChameleon.

Phishing campaign exploits LastPass inheritance feature

The attackers send emails that mimic LastPass’s legitimate inheritance process—a feature allowing trusted contacts to request access to a user’s vault in case of death or incapacity. Victims receive messages urging them to “cancel” the access request by clicking a link if they are still alive.

The link leads to a fake website, lastpassrecovery[.]com, which copies the official login page. When users enter their credentials, attackers capture their master passwords and gain full access to their vaults.

Threat actors also targeting passkeys

According to LastPass, CryptoChameleon is now expanding its tactics to steal passkeys—a newer passwordless authentication method used by modern password managers. The attackers have registered several domains, such as mypasskey[.]info and passkeysetup[.]com, to trick users into entering their credentials.

Some victims even received phone calls from scammers impersonating LastPass staff, instructing them to verify their accounts on the fraudulent site.
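The two sections above name the attacker infrastructure behind this campaign (lastpassrecovery[.]com for the inheritance lure, mypasskey[.]info and passkeysetup[.]com for the passkey variant) and the wording of the lure itself. The following added example, which is not part of the original article or any LastPass tooling, shows how a mail-filter or SOC script could triage inbound messages against those indicators: it refangs defanged URLs, matches the registrable domain against the published list, flags brand-name lookalikes, and raises severity when the inheritance wording and a bad link appear together. The sample messages, the trusted-domain choice (lastpass.com) and the scoring rules are assumptions for illustration.

```python
"""Triage LastPass-themed phishing lures in e-mail text.

Added example. The three indicator domains come from the article; the sample
messages, the trusted domain and the scoring rules are assumptions.
"""
import re
from urllib.parse import urlparse

# Attacker domains named in the article (written defanged there).
KNOWN_PHISHING_DOMAINS = {
    "lastpassrecovery.com",
    "mypasskey.info",
    "passkeysetup.com",
}

# Assumption: the only domain treated as genuine LastPass infrastructure.
TRUSTED_DOMAIN = "lastpass.com"

# Brand words that do not belong in an untrusted host name.
BRAND_TOKENS = ("lastpass", "passkey")

# Phrases typical of the inheritance / death-certificate lure.
LURE_PHRASES = ("death certificate", "inheritance", "cancel this request", "still alive")

# Matches both live and defanged (hxxp) URLs; stops at whitespace or quotes.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parsable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (adequate for .com/.info here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'known_phishing', 'lookalike' or 'unknown'."""
    host = (urlparse(refang(url)).hostname or "").lower()
    domain = registrable_domain(host)
    if domain == TRUSTED_DOMAIN:
        return "trusted"
    if domain in KNOWN_PHISHING_DOMAINS:
        return "known_phishing"
    # Brand word in a domain we do not own, e.g. lastpass.com.evil.example
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def scan_email(text: str) -> dict:
    """Score one message: per-URL verdicts plus whether the lure wording is present."""
    lowered = text.lower()
    verdicts = {url: classify_url(url) for url in URL_RE.findall(text)}
    lure = any(phrase in lowered for phrase in LURE_PHRASES)
    bad_link = any(v in ("known_phishing", "lookalike") for v in verdicts.values())
    if bad_link and lure:
        severity = "high"
    elif bad_link or lure:
        severity = "medium"
    else:
        severity = "low"
    return {"urls": verdicts, "lure_wording": lure, "severity": severity}


# Constructed sample messages (not real mail from the campaign).
SAMPLE_PHISH = """Subject: LastPass inheritance request
A family member has uploaded a death certificate to request access to your vault.
If you are still alive, cancel this request: https://lastpassrecovery[.]com/cancel
"""

SAMPLE_LEGIT = """Subject: Your LastPass security report
Review your dashboard at https://lastpass.com/ (do not click links you do not expect).
"""

SAMPLE_PASSKEY = """Subject: Finish passkey setup
Complete enrolment at hxxps://mypasskey[.]info/enroll or https://passkey-helper.example/
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT, SAMPLE_PASSKEY):
        print(scan_email(sample))
```

The lookalike rule deliberately inspects the full host rather than only the registrable domain, so a subdomain trick such as lastpass.com.evil.example is still flagged, while vault.lastpass.com resolves to the trusted domain. In production the indicator set would be fed from threat-intelligence rather than hard-coded, and the registrable-domain helper should use a public-suffix list.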

Connection to previous attacks

CryptoChameleon has a long history of phishing campaigns targeting password managers and crypto wallets, including Binance, Coinbase, Kraken, and Gemini. The same group previously attacked LastPass users in 2024, but the new campaign is more advanced and widespread.

LastPass also suffered a major breach in 2022 when attackers stole encrypted vault backups, leading to secondary attacks and roughly $4.4 million in stolen cryptocurrency.

How users can stay safe

LastPass urges users to ignore any unexpected inheritance or access request emails. The company advises checking all notifications directly in the app instead of clicking embedded links. Users should also enable multifactor authentication and avoid reusing passwords across accounts.

Conclusion

The fake LastPass death claims campaign shows how social engineering remains a powerful weapon for cybercriminals. By blending emotional manipulation with legitimate features like inheritance access, attackers can deceive even cautious users. As password managers evolve to support passkeys, new phishing tactics will continue to emerge—making vigilance essential for all users.

