A sophisticated cybercrime campaign named PoisonSeed has emerged, targeting cryptocurrency users through compromised customer relationship management (CRM) systems and email service providers.
The attackers obtain CRM account credentials through convincing phishing pages that mimic legitimate services such as Mailchimp, SendGrid, HubSpot, and others. Once logged in, they generate API keys so that their access persists even after the account password is changed.
Using the compromised accounts, PoisonSeed sends mass spam emails containing cryptocurrency seed phrases - the recovery keys used to access digital wallets. The messages attempt to convince recipients to set up new Coinbase Wallets using the provided seed phrases. This allows attackers to later access and drain those wallets, as they already know the recovery keys.
The campaign targets both enterprise organizations and individuals outside the cryptocurrency sector. Major platforms like Coinbase and Ledger are among the services being impersonated in these attacks.
While PoisonSeed shares some tactics with known threat groups Scattered Spider and CryptoChameleon, analysis suggests it may be a distinct operation using different phishing tools and techniques.
Security researchers recommend users exercise extreme caution with unsolicited cryptocurrency-related emails and never use seed phrases provided by unknown sources. Organizations should also strengthen access controls for their CRM and email marketing systems to prevent compromise.
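The API-key persistence described above is what makes a password reset alone insufficient. As an added example (not code from the original report or from any of the named vendors), the following audit-log check flags API keys minted shortly after a login from an IP the account does not normally use, and lists every key that should be revoked alongside a password change. The event schema, field names, IP allow-list and log entries are all constructed assumptions.

```python
"""Audit-log checks for API keys minted after a suspicious login (constructed example)."""
from datetime import datetime, timedelta

# Constructed audit events in the style of a CRM / email-provider audit log (assumed schema).
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:00:00", "user": "marketing@corp.example", "action": "login",
     "ip": "203.0.113.5", "session": "s1"},
    {"ts": "2025-04-01T09:03:00", "user": "marketing@corp.example", "action": "api_key.create",
     "ip": "203.0.113.5", "session": "s1", "key_id": "key-01"},
    {"ts": "2025-04-01T10:00:00", "user": "marketing@corp.example", "action": "login",
     "ip": "198.51.100.20", "session": "s2"},
    {"ts": "2025-04-01T10:02:00", "user": "marketing@corp.example", "action": "api_key.create",
     "ip": "198.51.100.20", "session": "s2", "key_id": "key-02"},
    {"ts": "2025-04-02T08:00:00", "user": "marketing@corp.example", "action": "password.change",
     "ip": "198.51.100.20", "session": "s3"},
]
# Constructed allow-list: IPs each account is normally seen logging in from.
KNOWN_IPS = {"marketing@corp.example": {"198.51.100.20"}}


def suspicious_api_keys(events, known_ips, window=timedelta(minutes=15)):
    """Return key_ids created within `window` of a login from an IP not on the user's allow-list."""
    suspect_logins = {}  # session -> time of a login from an unrecognised IP
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["action"] == "login" and e["ip"] not in known_ips.get(e["user"], set()):
            suspect_logins[e["session"]] = t
        elif e["action"] == "api_key.create":
            login_t = suspect_logins.get(e["session"])
            if login_t is not None and t - login_t <= window:
                flagged.append(e["key_id"])
    return flagged


def keys_to_revoke_on_password_change(events):
    """List every API key created before a password change; rotating the password alone leaves them valid."""
    created, revoke = set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "api_key.create":
            created.add(e["key_id"])
        elif e["action"] == "password.change":
            revoke |= created
    return sorted(revoke)


if __name__ == "__main__":
    print("suspicious keys:", suspicious_api_keys(SAMPLE_EVENTS, KNOWN_IPS))
    print("revoke on password change:", keys_to_revoke_on_password_change(SAMPLE_EVENTS))
```

In the constructed log, key-01 is flagged because its session began from an IP outside the allow-list, while both keys are listed for revocation when the password is changed.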
The emergence of PoisonSeed highlights the growing sophistication of cryptocurrency-focused cybercrime and the ongoing need for vigilance when handling digital assets.