A sophisticated cyber campaign, identified as PoisonSeed, is actively exploiting compromised credentials from customer relationship management (CRM) platforms and bulk email services to disseminate spam emails embedded with fraudulent cryptocurrency seed phrases. The primary objective of this campaign is to deceive recipients into importing these seed phrases into new cryptocurrency wallets, thereby granting attackers unauthorized access to victims’ digital assets.
According to cybersecurity firm Silent Push, the attackers are targeting both enterprises and individual users beyond the cryptocurrency sector. Notably, prominent crypto companies such as Coinbase and Ledger, along with bulk email service providers like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho, have been identified as primary targets.
The modus operandi of PoisonSeed involves creating counterfeit phishing pages that closely mimic the login interfaces of well-known CRM and bulk email service providers. Unsuspecting users are lured into these deceptive sites, where they inadvertently disclose their login credentials. Once the attackers obtain these credentials, they generate API keys to maintain persistent access, even if the legitimate account owner resets their password.
Subsequently, the attackers export mailing lists from the compromised accounts, likely utilizing automated tools, and dispatch spam emails to the contacts. These emails typically instruct recipients to establish a new Coinbase Wallet using the provided seed phrase embedded within the message. By importing this seed phrase, victims unknowingly grant the attackers control over their wallets, facilitating unauthorized fund transfers.
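The lure described above has two recognisable traits: a run of consecutive wordlist words of mnemonic length and wording that asks the recipient to import it into a new wallet. The following is an added example, not code from the article or from Silent Push, of a mail-gateway check that combines both signals. It assumes a constructed subset of the BIP39 English wordlist (a real deployment would load the full 2048-word list), an assumed keyword list, and three constructed sample messages.

```python
"""Heuristic detector for seed-phrase lure emails of the kind described above.

Added example (not code from the article or from Silent Push). The wordlist
subset, keyword list and email samples are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of the BIP39 English wordlist (its first 24 entries).
# A real deployment would load the full 2048-word list instead of this subset.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual
""".split())

# Standard BIP39 mnemonics are 12 to 24 words; 12 is the smallest valid size.
MIN_MNEMONIC_WORDS = 12

# Assumed wording used to push the recipient into importing the phrase.
LURE_KEYWORDS = ("seed phrase", "recovery phrase", "secret phrase",
                 "new wallet", "import")

# A token is a word or a single non-space character (punctuation, digit);
# anything that is not a wordlist word breaks a candidate run.
TOKEN_RE = re.compile(r"[A-Za-z]+|\S")


@dataclass
class ScanResult:
    subject: str
    mnemonic_run: int = 0            # longest run of consecutive wordlist words
    lure_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require both signals: a mnemonic-sized run *and* an import lure.
        # A security reminder that merely mentions "seed phrase" does not fire.
        return self.mnemonic_run >= MIN_MNEMONIC_WORDS and bool(self.lure_hits)


def longest_wordlist_run(body: str, wordlist=BIP39_SAMPLE) -> int:
    """Length of the longest run of consecutive, punctuation-free wordlist words."""
    best = current = 0
    for token in TOKEN_RE.findall(body):
        if token.lower() in wordlist:
            current += 1
            best = max(best, current)
        else:
            current = 0
    return best


def scan_email(subject: str, body: str, wordlist=BIP39_SAMPLE) -> ScanResult:
    """Score one message: mnemonic run length plus the lure keywords present."""
    lowered = body.lower()
    return ScanResult(
        subject=subject,
        mnemonic_run=longest_wordlist_run(body, wordlist),
        lure_hits=[kw for kw in LURE_KEYWORDS if kw in lowered],
    )


# Constructed sample messages: one lure modelled on the campaign's pattern,
# one ordinary newsletter, one security reminder that only mentions the term.
SAMPLE_EMAILS = [
    ("Action required: move to your new Coinbase Wallet",
     "Your account has been migrated. Create a new Coinbase Wallet and import "
     "it with this recovery phrase: abandon ability able about above absent "
     "absorb abstract absurd abuse access accident. Funds appear after import."),
    ("April product update",
     "New dashboard, improved reporting, and an account activity log. "
     "Read more on the blog."),
    ("Security reminder",
     "We will never ask for your seed phrase by email or phone."),
]


def scan_samples() -> list:
    """Scan every constructed sample and return the results in order."""
    return [scan_email(subject, body) for subject, body in SAMPLE_EMAILS]


if __name__ == "__main__":
    for result in scan_samples():
        flag = "SUSPICIOUS" if result.suspicious else "ok"
        print(f"[{flag}] {result.subject!r}: run={result.mnemonic_run}, "
              f"lures={result.lure_hits}")
```

Only the first sample is flagged: it contains a 12-word wordlist run and an import lure, while the newsletter has neither and the reminder has the keyword but no phrase. On the sending side, the article's point about API keys matters for remediation: because the attackers mint keys after the credential theft, resetting the account password alone does not end their access, so API keys and connected integrations on the CRM or bulk email account need to be reviewed and revoked as well.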
While there are overlaps in tactics with other threat actors such as Scattered Spider and CryptoChameleon—both associated with the broader cybercrime network known as The Com—distinct differences suggest that PoisonSeed may operate independently. For instance, the phishing kit employed by PoisonSeed differs from those used by the aforementioned groups, indicating the possibility of a new or separate threat actor employing similar methodologies.
This development underscores the evolving nature of cyber threats targeting the cryptocurrency ecosystem. Users are advised to exercise heightened vigilance, especially when receiving unsolicited emails related to cryptocurrency accounts. It is crucial to verify the authenticity of such communications and refrain from importing seed phrases or clicking on links from unverified sources.