LastPass ‘Death Hoax’ Phishing Targets Crypto: New CryptoChameleon Scam
A large-scale phishing campaign targeting LastPass users and clients of major cryptocurrency exchanges began in mid-October, spreading under the guise of official service notifications. LastPass has warned that the attack is orchestrated by the group CryptoChameleon (UNC5356), notorious for cryptocurrency thefts through social engineering and fake account recovery sites.
The fraudulent emails are sent from a spoofed address, “alerts@lastpass[.]com,” with the subject line: “Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED).” Recipients are told that a supposed family member has filed a request to access their password vault, accompanied by a forged death certificate. The email includes a fabricated case number, a listed “agent,” and a processing priority — all crafted to mimic an authentic notification. Victims are urged to “cancel the request” via a personalized link directing them to the counterfeit site https://lastpassrecovery[.]com, where they are prompted to enter their master password. The message attempts to reinforce credibility by insisting it originated from LastPass’s legitimate domain and concludes with reassuring statements such as “Your security is our top priority” and “Never share your password.”
Beyond the email campaign, the attackers have introduced direct human interaction: victims receive phone calls from individuals impersonating LastPass representatives, who pressure them to follow the malicious link. This layer of real-time psychological manipulation makes the operation particularly convincing and significantly boosts its success rate.
According to Google Threat Intelligence, the campaign’s infrastructure is tied to the NICENIC hosting provider, previously used to conceal other CryptoChameleon phishing operations. The same servers host fake login pages impersonating major cryptocurrency platforms and services, including Coinbase, Binance, Gemini, and even Gmail. In effect, the perpetrators have built an entire ecosystem of fraudulent sites designed to harvest user credentials, authentication tokens, and recovery data linked to crypto accounts and password managers.
Researchers have also highlighted that part of the infrastructure is aimed at stealing passkey credentials — a new form of passwordless authentication. Numerous related domains, such as “mypasskey[.]info,” suggest that cybercriminals are increasingly focusing on exploiting the growing adoption of passkey technology.
LastPass has confirmed that it has taken steps to block the primary phishing domains and continues to monitor the attackers’ infrastructure. The company urges users to disregard suspicious emails, messages, and calls, to avoid clicking on embedded links, and never to enter their master password outside the official domain. Any suspicious contact can be reported to abuse@lastpass.com.
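A mail-triage check for the lure described above, as an added example (not code from LastPass or from the researchers cited here). It assumes the `Authentication-Results` header was stamped by your own mail gateway; the function names are hypothetical, and the sample message is constructed and stored defanged.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL = "lastpass.com"   # official domain named in the article
BRAND = "lastpass"
LURE_SUBJECT = re.compile(r"legacy request opened", re.I)  # subject reported above
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host: str) -> bool:
    # Exact domain or a true subdomain; "lastpass.com.evil.example" does not match.
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def lookalike_hosts(text: str) -> list[str]:
    """Link hosts that contain the brand name but are not the official domain."""
    text = text.replace("[.]", ".")  # accept defanged indicators
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    return sorted(h for h in hosts if BRAND in h and not is_official(h))

def triage(raw: str) -> list[str]:
    msg = message_from_string(raw.replace("[.]", "."))
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumption: this header comes from a gateway you trust, not from the sender.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if is_official(from_domain) and "dmarc=pass" not in auth:
        findings.append("from-claims-official-domain-without-dmarc-pass")
    if LURE_SUBJECT.search(str(msg.get("Subject", ""))):
        findings.append("campaign-subject")
    # Leaf parts only; transfer-encoded (base64/QP) bodies are not decoded here.
    body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    findings += [f"lookalike-link:{h}" for h in lookalike_hosts(body)]
    return findings

# Constructed sample modelled on the email described in the article.
SAMPLE = """\
From: LastPass <alerts@lastpass[.]com>
To: user@example.org
Subject: Legacy Request Opened (URGENT IF YOU ARE NOT DECEASED)
Authentication-Results: mx.example.org; dmarc=fail header.from=lastpass[.]com

To cancel the request visit https://lastpassrecovery[.]com/cancel?case=CONSTRUCTED
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```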
The CryptoChameleon campaign exemplifies how modern threat actors are refining their tactics — blending visual deception, psychological pressure, and multi-channel engagement, from email to phone calls — to undermine user vigilance and seize control of digital assets.