
PoisonSeed Exploits CRMs and Email to Steal Cryptocurrency Seeds

PoisonSeed is a deceptive campaign that uses compromised credentials for customer relationship management (CRM) tools and bulk email providers. The attackers behind the campaign use this access to send spam messages containing attacker-controlled cryptocurrency seed phrases, ultimately aiming to empty victims’ digital wallets.

Recent investigations reveal that the attackers target both enterprise organisations and individuals outside the immediate cryptocurrency sector. To distribute emails containing malicious crypto seed phrases, the attackers compromise email accounts at providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.

According to an analysis by Silent Push:

Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack. As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising.

Notably, prominent companies like Coinbase and Ledger have been among the preferred targets. This campaign operates by leveraging trusted email infrastructure, making spam messages appear authentic and hence more likely to trick recipients.

Researchers have linked the cyber campaign to several recent security breaches. Specifically, in mid-March 2025, attackers accessed an Akamai SendGrid account. Furthermore, last month, they compromised Troy Hunt’s Mailchimp account.

The PoisonSeed Attack Chain: From CRM Infiltration to Crypto Seed Exploitation

The SendGrid incident involved phishing emails impersonating Coinbase and containing fake seed phrase requests, all sent by attackers using the compromised account.

The PoisonSeed campaign resembles the tactics of threat actors such as CryptoChameleon and Scattered Spider. However, Silent Push has classified it as a separate operation due to noticeable differences in code and other distinguishing characteristics.

Threat actors first gain unauthorised access to bulk email services like Mailchimp and SendGrid, which initiates the attack chain. They then launch secondary phishing attacks targeting cryptocurrency holders using these platforms.

Phishing Attack Disguised as SendGrid Login Page (SilentPush)

The first step involves identifying high-value targets who have access to CRM systems and bulk email platforms. This is accomplished by identifying employees in significant roles and finding out which email technologies organisations use for their marketing or newsletters.

The threat actors then send expertly written phishing emails from spoofed addresses. These emails direct the recipients to fake login pages hosted on strategically chosen domains that look authentic. One campaign, for example, used domains such as mailchimpservices[.]com, mailchimp-sso[.]com, and mailchimp-ssologin[.]com to target Mailchimp customers.
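The lookalike domains above share one trait: a provider's brand name embedded in a domain the provider does not own. The following script is an added example written for this article, not code from Silent Push or Phishing Tackle; it refangs defanged indicators, extracts the registrable domain with a deliberately naive last-two-labels rule (a production tool would use the Public Suffix List), and flags any host that carries a brand token but is not on a constructed allowlist of the providers' real domains.

```python
import re
from typing import List, Tuple

# Constructed allowlist of the bulk-email providers' legitimate domains.
# Extend this for the services actually used in your environment.
LEGITIMATE_DOMAINS = {
    "mailchimp.com",
    "sendgrid.com",
    "hubspot.com",
    "mailgun.com",
    "zoho.com",
}

# Brand tokens whose presence in an unknown host is a lookalike signal.
BRAND_TOKENS = ("mailchimp", "sendgrid", "hubspot", "mailgun", "zoho")

# Indicators quoted in the article, kept in defanged form as published.
PAGE_INDICATORS = [
    "mailchimpservices[.]com",
    "mailchimp-sso[.]com",
    "mailchimp-ssologin[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as mailchimp-sso[.]com back into a hostname."""
    host = indicator.strip().lower()
    host = host.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    host = re.sub(r"^[a-z]+://", "", host)  # drop scheme if a URL was supplied
    return host.split("/")[0]                 # drop any path


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for .com-style indicators;
    a real deployment should use the Public Suffix List instead."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_domain(indicator: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one domain indicator.

    Verdicts: 'legitimate' (allowlisted registrable domain),
              'lookalike'  (brand token in a non-allowlisted host),
              'unknown'    (no brand token at all).
    """
    host = refang(indicator)
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate", f"{reg} is an allowlisted provider domain"
    for brand in BRAND_TOKENS:
        # Check the full host so that brand.com.evil.example is also caught.
        if brand in host:
            return "lookalike", f"'{brand}' embedded in non-allowlisted host {host}"
    return "unknown", f"{host} carries no known brand token"


def triage_indicators(indicators: List[str]) -> List[str]:
    """Return the refanged hosts from `indicators` that classify as lookalikes."""
    return [refang(i) for i in indicators if classify_domain(i)[0] == "lookalike"]


if __name__ == "__main__":
    for ind in PAGE_INDICATORS + ["login.mailchimp.com", "example.org"]:
        verdict, reason = classify_domain(ind)
        print(f"{ind:32} {verdict:10} {reason}")
```

Feeding the script a list of sender or link domains from your mail gateway logs gives a quick first pass; the allowlist keeps genuine subdomains such as login.mailchimp.com from being flagged while anything that merely contains the brand name is surfaced for review.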

Fake Mailchimp Alert Sent to High-Value CRM Users (SilentPush)

The threat actors create lookalike phishing pages for popular CRM and bulk email companies. Their goal is to trick high-value targets into revealing their credentials. Once they have these credentials, the attackers create an API key on the account. This step ensures that their access persists even if the original password is later reset.

The hackers then send phishing emails with crypto-related subjects to mailing lists extracted from the compromised account. These emails include alarming statements such as “Coinbase is transitioning to self-custodial wallets.”

The phishing email instructs the recipient to use a Coinbase wallet seed phrase by entering it into a new crypto wallet as part of an alleged upgrade or migration process. Following these instructions effectively “poisons” the wallet, granting attackers full access to the funds.

Victims are provided with a 12-word seed phrase and directed to import it into their wallet. However, doing so gives the attackers complete control, enabling them to empty the wallet.

Coinbase Phishing Email Lures Victims with Fake Wallet Migration Notice (SilentPush)

Coinbase provides customers with a secure seed phrase that is generated when they create a new wallet. In this scam, however, the victim is given a seed phrase that belongs to a wallet the attacker already controls. As a result, transferring crypto into that wallet means handing over all digital assets, which the attacker can then promptly withdraw.

The PoisonSeed campaign marks a concerning development in phishing tactics. It skilfully blends supply chain compromises with cryptocurrency-targeted scams. Although its association with CryptoChameleon remains unproven, the campaign’s unique methods suggest it is an independent threat actor.

Recommendations

Organisations must remain alert to advanced threats that exploit trusted CRM platforms for malicious purposes. Avoid clicking on any hyperlinks when receiving urgent email requests. Instead, log in to the relevant platform directly to check for alerts. Additionally, individuals should be cautious of similar forms of contact and avoid responding to unsolicited investment proposals or requests to access their cryptocurrency wallets.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your
