Pierluigi Paganini
April 07, 2025
Silent Push researchers warn of a malicious PoisonSeed campaign that uses stolen CRM and bulk email provider credentials to send crypto seed phrase spam. Victims are tricked into importing compromised seed phrases into wallets, allowing attackers to drain funds. The scheme mimics security steps to mislead users into self-compromising.
“PoisonSeed threat actors are targeting enterprise organizations and individuals outside the cryptocurrency industry. They have been phishing CRM and bulk email providers’ credentials to export email lists and send bulk spam from the accounts. Email providers appear to be targeted mainly to provide infrastructure for cryptocurrency spam operations.” reads the report published by Silent Push. “Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack. As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising.”
The PoisonSeed campaign targets both crypto and non-crypto entities, exploiting compromised CRM and bulk email accounts. Threat actors targeted crypto companies including Coinbase and Ledger, and CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.
Though distinct from groups like Scattered Spider and CryptoChameleon, the attack reflects growing threats in the broader The Com cybercrime ecosystem.
PoisonSeed threat actors created convincing phishing pages for CRM and email platforms like Mailchimp and SendGrid. They used targeted phishing emails, such as a “Sending Privileges Restricted” lure, to steal credentials and automate downloads of contact lists. They also created API keys to retain access. These actions enabled them to send bulk spam and expand their campaign.
PoisonSeed attackers automate list exports and send spam urging victims to create crypto wallets using fake seed phrases. These are later used to steal funds. Though tactics resemble known groups, PoisonSeed uses a distinct phishing kit, suggesting a new or unaffiliated actor.
“Some of the post-CRM-compromise supply chain spam phishing attempts used a complex cryptocurrency seed phrase poisoning effort with an urgent notice claiming “Coinbase is transitioning to self-custodial wallets.”” continues the report. “The prompt told the targeted victim that they needed to set up a new Coinbase Wallet. The threat actor then introduced the phishing aspect by providing seed phrases, hoping the victim would manually enter them into the account creation flow so the threat actor could use the specific phrases to later “recover” the account and transfer away stolen funds.””
Domains like mailchimp-sso[.]com link the campaign to Scattered Spider and CryptoChameleon, but attribution remains uncertain.
“Our team believes the new campaign we’re classifying as PoisonSeed is not likely to be Scattered Spider because we’ve seen Scattered Spider continue to conduct attacks in 2025 in ways strikingly similar to its legacy attacks. In 2025, Scattered Spider has targeted brands including: Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, and Vodafone.” concludes the report.
“None of the 2025 brands targeted by Scattered Spider align with PoisonSeed’s efforts.“
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
