PoisonSeed phishing campaign targets crypto users with fake emails, drains wallets

A large-scale phishing campaign, dubbed PoisonSeed, has been compromising corporate email marketing accounts to distribute emails that contain crypto wallet seed phrases used to drain cryptocurrency funds.

According to cybersecurity researchers at SilentPush, the campaign targets popular cryptocurrency platforms like Coinbase and Ledger, using compromised accounts at major email marketing services such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The attackers exploit the legitimate platforms to send phishing emails to unsuspecting users, urging them to take actions that ultimately result in the theft of their digital assets.

The PoisonSeed campaign is linked to earlier incidents, including the recent compromise of security expert Troy Hunt's Mailchimp account and the hack of an Akamai SendGrid account. Researchers note that, while PoisonSeed shares similarities with operations by threat groups like CryptoChameleon and Scattered Spider, it is classified as a separate campaign due to unique code and attack strategies.

The attack begins with the identification of high-value targets with access to customer relationship management (CRM) platforms or bulk email accounts. The victims are then targeted with phishing emails that appear to come from legitimate sources. The attackers use spoofed email addresses and carefully crafted fake login pages, hosted on domains like mail-chimpservices[.]com and mailchimp-ssologin[.]com, to steal login credentials.

Once attackers gain access to the target accounts, they export mailing lists and generate new API keys to maintain access, even if the victim changes their password. They then use the compromised accounts to send crypto-themed phishing spam to the mailing lists. The emails often include misleading alerts, such as “Coinbase is transitioning to self-custodial wallets,” prompting recipients to enter their Coinbase wallet seed phrases into a fake crypto wallet as part of an alleged upgrade.

Victims who follow the instructions unknowingly hand over access to their funds, as the seed phrase they enter is not from Coinbase, but from a wallet controlled by the attackers. The attackers can then drain the wallet of all assets, transferring the stolen cryptocurrency to their own accounts.
