
PoisonSeed Takes Aim at CRM and Bulk Email Providers in Fresh Supply Chain Phishing Attack


A sophisticated phishing campaign, dubbed “PoisonSeed,” has been identified targeting customer relationship management (CRM) and bulk email providers to facilitate cryptocurrency-related scams. The threat actors behind this campaign are leveraging compromised credentials to export email lists and send bulk phishing emails, aiming to compromise cryptocurrency wallets through a novel seed phrase poisoning technique.

PoisonSeed’s operations involve setting up phishing pages that closely mimic login portals of prominent CRM and bulk email platforms, including Mailchimp, SendGrid, HubSpot, and Zoho. These fake login pages are used to steal credentials from targeted users. Once access is gained, the attackers automate the export of email lists and maintain persistence by creating new API keys, even if passwords are reset. The compromised accounts are then used to send phishing emails at scale. One notable incident involved the compromise of Akamai’s SendGrid account in March 2025.
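As an added defender-side example (not from the article or from Silent Push), the two behaviours described above can be pulled out of a provider's account audit log: an API key created shortly before a contact-list export, and API keys that were created before a password reset and never revoked afterwards. The event schema and sample records are constructed and hypothetical, not any real Mailchimp, SendGrid, HubSpot or Zoho log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, provider-neutral audit record (hypothetical schema, not a vendor's own).
@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    action: str   # login | api_key_created | contacts_exported | password_reset | api_key_revoked
    detail: str   # key id for key events, source IP for logins, empty otherwise

EXPORT_WINDOW = timedelta(hours=1)

def _by_account(events):
    per_acct = {}
    for e in sorted(events, key=lambda e: e.ts):
        per_acct.setdefault(e.account, []).append(e)
    return per_acct

def key_then_export(events):
    """Accounts where an API key is created and contacts are exported within
    EXPORT_WINDOW: the automated list-export step the campaign relies on."""
    alerts = []
    for acct, evs in _by_account(events).items():
        exports = [e for e in evs if e.action == "contacts_exported"]
        for k in (e for e in evs if e.action == "api_key_created"):
            if any(timedelta(0) <= x.ts - k.ts <= EXPORT_WINDOW for x in exports):
                alerts.append((acct, k.detail))
    return alerts

def keys_surviving_reset(events):
    """API keys created before the account's last password reset and never
    revoked: the persistence path a password reset alone does not close."""
    survivors = []
    for acct, evs in _by_account(events).items():
        resets = [e.ts for e in evs if e.action == "password_reset"]
        if not resets:
            continue
        revoked = {e.detail for e in evs if e.action == "api_key_revoked"}
        for e in evs:
            if e.action == "api_key_created" and e.ts < max(resets) and e.detail not in revoked:
                survivors.append((acct, e.detail))
    return survivors

# Constructed sample: "acme" shows the suspicious pattern, "beta" is benign.
T = datetime(2025, 3, 10, 9, 0)
SAMPLE = [
    Event(T, "acme", "login", "203.0.113.7"),
    Event(T + timedelta(minutes=3), "acme", "api_key_created", "key-a1"),
    Event(T + timedelta(minutes=10), "acme", "contacts_exported", ""),
    Event(T + timedelta(hours=5), "acme", "password_reset", ""),
    Event(T, "beta", "api_key_created", "key-b1"),
    Event(T + timedelta(days=2), "beta", "contacts_exported", ""),
]
```

Both checks flag key-a1 on the sample: it was minted minutes before the export and still exists after the reset, which is exactly the key an incident responder should revoke alongside the credential change.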

Attackers sent phishing emails masquerading as Coinbase communications, urging recipients to migrate to self-custodial wallets. Victims were provided with fraudulent seed phrases intended for use in wallet creation. By later recovering these wallets using the same seed phrases, attackers could access and steal funds.

The core of PoisonSeed’s strategy lies in its seed phrase poisoning attack. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets. This allows the attackers to monitor and eventually take control of these wallets once funds are deposited. This method represents a shift from traditional phishing tactics, as it delays the theft until victims unknowingly use the compromised seed phrases.

The PoisonSeed campaign shares certain infrastructural similarities with CryptoChameleon, a threat group known for targeting high-net-worth cryptocurrency holders through spear-phishing and SIM-swapping attacks. Both groups have targeted platforms like Coinbase and Ledger in the past. However, PoisonSeed’s tactics, such as targeting CRM platforms and delaying cash-out efforts, differ significantly from CryptoChameleon’s rapid exploitation methods.

While some researchers have attempted to link PoisonSeed to Scattered Spider, another threat group associated with The Comm (a community of Western cybercriminals), Silent Push analysts argue against this attribution. Scattered Spider primarily focuses on large-scale ransomware attacks against corporate targets and has not been observed engaging in cryptocurrency wallet phishing. Silent Push researchers have identified over 49 domains linked to PoisonSeed through WHOIS analysis and phishing kit fingerprints.

To mitigate risks posed by PoisonSeed, organizations are advised to monitor indicators of compromise (IOCs) related to these domains and implement robust email security measures. Silent Push offers enterprise-level feeds for tracking PoisonSeed-related domains and IPs to enhance detection capabilities. The PoisonSeed campaign highlights an alarming evolution in phishing tactics, blending supply chain compromises with cryptocurrency-targeted schemes.

While its ties to CryptoChameleon remain speculative, its distinct methodologies warrant classification as an independent threat actor group. Organizations must remain vigilant against such advanced threats that exploit trust in widely used CRM platforms for malicious purposes.

The evolving nature of cyber threats underscores the importance of maintaining strong security measures and staying informed about current tactics used by threat actors. By remaining vigilant and actively monitoring for indicators of compromise, organizations can better protect themselves against sophisticated campaigns like PoisonSeed. Stay updated with the latest cybersecurity news to stay ahead of emerging threats and safeguard your digital assets.

