Vaultjacking Phishing Attack: How Hackers Steal Google Password Manager Vaults

For years, the cybersecurity industry has championed passkeys as the ultimate silver bullet to kill phishing. Cryptographically bound to specific website origins, passkeys theoretically represent an unphishable credential. However, a groundbreaking discovery by security researchers has shattered this security assumption. The newly documented Vaultjacking phishing technique, uncovered by researchers at the cybersecurity firm PhishU, has demonstrated how attackers can bypass origin-bound passkey protections entirely to empty a user’s entire Google Password Manager (GPM) vault in a single strike. By targeting the underlying cloud synchronization layer rather than individual login portals, this exploit represents a paradigm shift in modern credential theft.
The Achilles’ Heel of Centralized Credential Sync
To understand the mechanics of this threat, one must first appreciate the inherent tension between convenience and absolute security in modern credential management. Google Password Manager is built to be seamless. When a user saves a password or registers a passkey on their Android phone or Chromebook, they expect that credential to be instantly available on their Windows laptop running Chrome. To achieve this cross-device synchronization without compromising privacy, Google employs end-to-end encryption. The synced vault is encrypted in the cloud and can only be decrypted by devices that belong to the user’s “Security Domain.”
The core architectural vulnerability that enables the Vaultjacking phishing attack lies in Google’s lost-device recovery mechanism. If a user loses all their trusted devices, Google allows them to re-establish access to their encrypted security domain using a 6-digit Google Password Manager PIN. Rather than requiring physical, out-of-band hardware validation or a multi-party push approval from another active device, Google relies on this short numerical PIN to unlock the cryptographic keys stored in the cloud. This design decision, while highly user-friendly, creates a critical single point of failure that sophisticated threat actors are now actively exploiting.
Anatomy of the Vaultjacking Phishing Attack Chain
A Vaultjacking attack is a highly coordinated, multi-stage operation that combines social engineering, Adversary-in-the-Middle (AiTM) infrastructure, and advanced endpoint emulation. The attack sequence operates as follows:
1. Adversary-in-the-Middle (AiTM) Interception
The compromise begins when a victim is lured to a sophisticated phishing landing page. Utilizing modern AiTM frameworks (such as PhishU or Evilginx), the attacker acts as a proxy between the victim and the legitimate Google authentication servers. As the victim enters their primary Google credentials and completes any required multi-factor authentication (MFA) prompts, the proxy captures the active session cookies. At this point, the attacker has gained temporary access to the victim’s Google account session.
2. The Spoofed Google Password Manager Prompt
Once the session is intercepted, the attacker’s proxy does not immediately redirect the user to their inbox. Instead, the proxy injects a perfectly styled, highly convincing modal window into the user’s browser. This modal mimics Google’s native system prompt, claiming that the user must verify their identity by entering their 6-digit Google Password Manager PIN to restore sync settings or access their saved data. Because the prompt appears within the context of what looks like a legitimate Google session, even highly trained users struggle to identify the deception.
3. Retrieving the Security Domain Secret
The moment the victim types their 6-digit PIN, the attacker’s infrastructure forwards it directly to Google’s authentic Security Token Service (STS) along with the hijacked session cookies. Because the session is active and the PIN is correct, Google’s backend assumes a legitimate recovery process is occurring. In response, the Security Token Service releases the “Security Domain Secret” (also referred to as the Security Level Secret). This secret is the master cryptographic key required to decrypt the end-to-end encrypted synced vault in the cloud.
4. Automated Attacker Device Provisioning
With the Security Domain Secret in hand, the attacker’s automated background worker immediately takes action. The attacker’s server uses the captured secret to silently register a new, attacker-controlled passkey directly onto the victim’s Google account. This is the pivotal moment of the attack: by registering their own credential, the threat actor establishes a permanent, cryptographically signed foothold in the user’s Google account security domain.
5. Cloning and Decrypting the Vault via Virtual TPM
To finalize the theft, the attacker utilizes a containerized virtual machine (typically running Windows) equipped with a virtualized Trusted Platform Module (vTPM). By presenting the newly registered passkey and the captured Security Domain Secret, the virtualized environment successfully joins the victim’s Google security domain as a trusted device. The attacker’s infrastructure then silently clones the entire synced credential vault, decrypting every single stored password, passkey, and credit card number in a matter of seconds.
Why Vaultjacking Bypasses Next-Gen Defenses
What makes the Vaultjacking phishing technique exceptionally dangerous is its ability to render modern and upcoming security protocols completely ineffective. Security professionals must understand the unique characteristics that distinguish this threat from traditional phishing attacks:
- No Malware Required: Unlike traditional info-stealers (such as RedLine or Lumma) that require a victim to download and execute a malicious payload, Vaultjacking is entirely browser-based. It requires zero pre-existing foothold or administrative privileges on the victim’s local machine.
- Defeating Device Bound Session Credentials (DBSC): Google has been actively developing DBSC, a protocol designed to cryptographically bind session cookies to a specific device’s hardware TPM, making cookie theft useless. However, because Vaultjacking registers a new trusted device and passkey into the security domain using the hijacked PIN, the attacker establishes their own independent cryptographic root of trust. DBSC is bypassed because the attacker no longer relies on the victim’s stolen session cookie to maintain access.
- Permanent, Long-Term Persistence: Once the attacker’s virtual device is joined to the security domain, their access survives standard remediation steps. Even if the victim resets their primary Google password, clears all active web sessions, or revokes active browser cookies, the attacker’s registered passkey remains active within the security domain, allowing them to continue silently pulling updated vault data.
The Mass Exposure of the Synced “Blast Radius”
The implications of a successful Vaultjacking attack are catastrophic for both individuals and enterprises. Historically, a phishing attack on a Google account exposed emails, Drive documents, and cloud files. While severe, the damage was largely contained to Google’s ecosystem.
With Vaultjacking, the blast radius is absolute. Because Google Password Manager is natively integrated into the Chrome browser and Android operating system, users frequently use it to store high-value credentials for third-party services. A single phished 6-digit PIN grants the attacker immediate access to:
- Corporate Single Sign-On (SSO) Portals: Bypassing enterprise security boundaries to access internal tools, source code repositories, and proprietary databases.
- Financial and Banking Institutions: Gaining access to personal bank accounts, cryptocurrency wallets, and payment gateways.
- Social Media and Communication Channels: Hijacking identities for secondary social engineering or corporate espionage.
- Third-Party Passkeys: Each third-party passkey is origin-bound and cannot be phished on its own, but the synchronization layer stores all of them in the encrypted vault. By cloning the entire synchronized vault, the attacker obtains the private cryptographic key of every synced passkey it contains.
Mitigation Strategies and Defensive Best Practices
Defending against the Vaultjacking phishing threat requires a fundamental shift in how organizations and individuals handle credential synchronization. Standard employee security awareness training is no longer sufficient; technical guardrails must be enforced to protect high-value targets.
Enforce Hardware-Based Security Keys
The most effective defense against Vaultjacking is preventing the initial AiTM session hijack. Organizations should mandate the use of physical, hardware-based FIDO2 security keys (such as YubiKeys) for all employee Google accounts. Unlike software-based multi-factor authentication, physical security keys enforce strict origin-binding during the initial login phase. Because a hardware key will refuse to authenticate on a spoofed or proxied domain, the attacker cannot capture the active session cookies required to initiate the Vaultjacking attack chain.
Isolate and Audit Google Security Domains
IT administrators must monitor Google Workspace logs for anomalous device registrations and security domain modifications. The following behaviors should trigger immediate, high-priority security alerts:
- The registration of a new recovery device or passkey from an unrecognized IP address or geographic location.
- Access to Google Password Manager settings immediately after a login from a new browser session.
- A sudden surge in credential synchronization requests from containerized or virtualized operating systems.
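One way to turn those three alert conditions into code, as an added example that is not from the article, PhishU or Google: it runs over a constructed event stream whose field names (user, event, ip, country, session, os, ts) and event names are an assumed simplified schema, not the real Workspace audit log format, so the export has to be mapped into that shape first.

```python
# Added example (not from the article, PhishU or Google): a minimal detection pass
# over a CONSTRUCTED audit-event stream. The field names user/event/ip/country/
# session/os/ts are an assumed schema, not the real Workspace audit log format.
from collections import defaultdict

NEW_SESSION_WINDOW_S = 300   # settings access this soon after a new-session login is suspicious
SYNC_BURST_THRESHOLD = 5     # vault sync requests from one virtualized session within the window
VIRTUAL_OS = {"vm-windows", "container"}  # assumed OS fingerprint labels in the constructed schema

def detect(events, known):
    """events: dicts sorted by ts; known: {user: set of baseline IPs/countries}. Returns alerts."""
    alerts, last_new_login = [], {}
    seen_sessions, sync_times = defaultdict(set), defaultdict(list)
    for e in events:
        u, t, base = e["user"], e["ts"], known.get(e["user"], set())
        if e["event"] in ("passkey_registered", "recovery_device_added"):
            # Rule 1: new passkey / recovery device from an IP and country never seen for this user
            if e["ip"] not in base and e["country"] not in base:
                alerts.append(("new_credential_unknown_origin", u, t))
        elif e["event"] == "login":
            if e["session"] not in seen_sessions[u]:   # first sight of this browser session
                seen_sessions[u].add(e["session"])
                last_new_login[u] = t
        elif e["event"] == "password_manager_settings_access":
            # Rule 2: password-manager settings touched right after a login from a new session
            if u in last_new_login and t - last_new_login[u] <= NEW_SESSION_WINDOW_S:
                alerts.append(("settings_access_after_new_session", u, t))
        elif e["event"] == "vault_sync" and e.get("os") in VIRTUAL_OS:
            # Rule 3: burst of sync requests from a virtualized / containerized client
            key = (u, e["session"])
            sync_times[key] = [s for s in sync_times[key] + [t] if t - s <= NEW_SESSION_WINDOW_S]
            if len(sync_times[key]) == SYNC_BURST_THRESHOLD:
                alerts.append(("sync_burst_virtualized", u, t))
    return alerts

def sample_events():
    """Constructed sample, not real logs: a normal login, then the trail the attack chain leaves."""
    ev = [
        {"user": "alice", "event": "login", "ip": "203.0.113.7", "country": "DE", "session": "s1", "ts": 1000},
        {"user": "alice", "event": "login", "ip": "198.51.100.9", "country": "US", "session": "s2", "ts": 2000},
        {"user": "alice", "event": "password_manager_settings_access", "ip": "198.51.100.9",
         "country": "US", "session": "s2", "ts": 2040},
        {"user": "alice", "event": "passkey_registered", "ip": "198.51.100.9", "country": "US",
         "session": "s2", "ts": 2100},
    ]
    ev += [{"user": "alice", "event": "vault_sync", "ip": "198.51.100.9", "country": "US",
            "session": "s3", "os": "vm-windows", "ts": 2200 + i} for i in range(SYNC_BURST_THRESHOLD)]
    return ev

KNOWN = {"alice": {"203.0.113.7", "DE"}}   # constructed baseline of the user's usual IP and country
```

Calling `detect(sample_events(), KNOWN)` yields one alert per rule in timestamp order; in practice the baseline set would be built from each user's login history rather than hard-coded.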
Transition to Enterprise-Grade, Non-Synced Vaults
For enterprise environments, relying on browser-based, consumer-centric password managers introduces unacceptable risks. Security leaders should transition employees to dedicated enterprise password managers that enforce strict access controls. These platforms should disallow recovery via simple numerical PINs, instead requiring multi-user recovery keys, out-of-band approvals, or integration with centralized identity providers that utilize robust conditional access policies.
Conclusion: The Evolution of the Phishing Arms Race
The emergence of the Vaultjacking phishing technique serves as a stark reminder that security is only as strong as its weakest link. As defenders implement increasingly robust origin-bound authentication mechanisms like passkeys, adversaries will naturally pivot to target the trust boundaries of the recovery and synchronization layers. To secure the digital landscape of tomorrow, technology providers must design synchronization protocols that prioritize cryptographically verified out-of-band approvals over simple, phishable numerical PINs. Until then, vigilant monitoring and hardware-enforced FIDO2 security keys remain the industry’s strongest shield against this devastating new threat vector.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


