
PoisonSeed Campaign: Exploiting Business Email Accounts to Spread Fake Seed Phrases and Hijack Digital Wallets


As cryptocurrency adoption grows, the attacks against it are becoming more sophisticated. Researchers at Silent Push recently warned about a phishing campaign they named PoisonSeed. The campaign uses compromised email-marketing and CRM accounts to mass-mail attacker-controlled "seed phrases", tricking recipients into setting up wallets that the attacker already controls.


Overview

What is PoisonSeed?

PoisonSeed is the name given to a campaign in which attackers use stolen credentials for email-marketing and customer relationship management (CRM) platforms such as Mailchimp, SendGrid, HubSpot and Zoho to send bulk phishing emails through those companies' legitimate sending infrastructure.

These emails impersonate security alerts from well-known cryptocurrency brands such as Coinbase (an exchange) and Ledger (a hardware-wallet vendor), urging recipients to "switch to a new self-custody wallet", a trend the attackers lean on. The message includes a 12- to 24-word string formatted like a valid BIP-39 recovery (seed) phrase, except that the phrase was generated by the attacker.

Key point: the victim does not have to hand anything over. The recipient themselves enters the attacker-supplied seed phrase into a new wallet; because every key in the wallet is derived deterministically from that phrase, the attacker already holds the keys and can sweep any funds the victim later deposits.
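To make the "key point" concrete, here is an added example (not code from the original post or from Silent Push) that does two things a defender might want: it applies a cheap structural filter to an email body to pull out runs of words that have a valid BIP-39 word count, and it then derives the BIP-39 seed and BIP-32 master private key from such a phrase, showing that whoever wrote the phrase can compute exactly the same keys the victim's wallet will. The email text is constructed for the example; the 12-word phrase inside it is the published BIP-39 reference test vector (used so the derived seed can be checked against a known value), and the passphrase handling follows the BIP-39 specification.

```python
import hashlib
import hmac
import re
import unicodedata

# Word counts a BIP-39 recovery phrase can have (12, 15, 18, 21 or 24 words).
VALID_WORD_COUNTS = {12, 15, 18, 21, 24}

# Constructed sample lure, modelled on the campaign described above (not a real
# message). The 12-word phrase is the published BIP-39 reference test vector,
# used here only so the derived seed can be checked against a known value.
SAMPLE_EMAIL = """\
Subject: Action required: migrate to your new Coinbase self-custody wallet

To keep your assets safe, open the wallet app and import the recovery phrase below:

abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

Do not share this phrase with anyone.
"""


def find_candidate_phrases(body: str) -> list:
    """Return maximal runs of lowercase alphabetic words whose length is a
    valid BIP-39 word count. This is a gateway-style plausibility filter; it
    does not validate the BIP-39 checksum (that needs the 2048-word list)."""
    tokens = re.findall(r"[A-Za-z]+|[^\sA-Za-z]", body)
    found, run = [], []
    for tok in tokens + ["."]:          # sentinel flushes the last run
        if tok.isalpha() and tok.islower():
            run.append(tok)
            continue
        if len(run) in VALID_WORD_COUNTS:
            found.append(" ".join(run))
        run = []
    return found


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
    The seed is a pure function of the words, so anyone who knows the phrase
    derives exactly the same seed the victim's wallet will."""
    words = " ".join(mnemonic.split())
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> bytes:
    """BIP-32 root: HMAC-SHA512 keyed with b"Bitcoin seed"; the left 32 bytes
    are the master private key from which every account key is derived."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def analyse_lure(body: str, passphrase: str = "") -> list:
    """For each candidate phrase in an email, compute what an attacker who
    wrote that phrase already knows about the wallet built from it."""
    results = []
    for phrase in find_candidate_phrases(body):
        seed = mnemonic_to_seed(phrase, passphrase)
        results.append({
            "phrase": phrase,
            "seed_hex": seed.hex(),
            "master_key_hex": seed_to_master_key(seed).hex(),
        })
    return results


if __name__ == "__main__":
    for r in analyse_lure(SAMPLE_EMAIL):
        print("candidate phrase:", r["phrase"])
        print("derived seed    :", r["seed_hex"][:32], "...")
        print("master priv key :", r["master_key_hex"][:32], "...")
```

The word-count filter is deliberately loose (any 12-word run of lowercase words trips it), so in a mail gateway it is a triage signal to pair with the sender and link checks, not a verdict. The derivation half is the actual point: no secret enters the computation except the words in the email, which is why a phrase you did not generate yourself can never be yours.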


Sophisticated and Methodical Tactics

The PoisonSeed operators do not stop at sending emails. They also:

  • Host fake login pages for Mailchimp and SendGrid to steal the accounts of employees at large companies.

  • Use the stolen access to export contact lists automatically and to create their own API keys, so that access survives a password change.

  • Send lures with urgent subjects such as "email sending restricted" to push account owners into logging in on the fake page.

  • Present the fake seed phrase as part of the "security process" for setting up the new wallet, exploiting the trust users place in a genuine sending domain.

The campaign targets both individuals and businesses, including organizations with no direct involvement in cryptocurrency: anyone whose address appears in an exported contact list can receive the lure.

PoisonSeed is not a simple phishing campaign. It illustrates that the decisive step of many attacks is performed by the victim: nobody breaks into the wallet, the user builds it from a phrase the attacker already knows.


Although some of the domains used, such as mailchimp-sso[.]com, have been linked to groups such as Scattered Spider and CryptoChameleon, the researchers assess that PoisonSeed operates independently, with its own phishing kit and a different set of targets.

In 2025, Scattered Spider targeted major brands such as Nike, Twitter/X and Louis Vuitton, but not Coinbase or wallet users, which marks PoisonSeed as a distinct actor within the loose cybercrime ecosystem known as "The Com".


Recommendations

FPT Threat Intelligence warns about the risks of credential reuse, missing multi-factor authentication, and insufficient caution with emails that appear to come from a legitimate sender:

  • Never enter a seed phrase sent via email, no matter how trustworthy it seems.

  • Only create a new wallet from the official app or website.

  • Always enable two-factor authentication (2FA) for email, email-marketing/CRM and other important accounts.

  • Carefully check the URL before logging into any platform.

  • If you administer a Mailchimp, SendGrid, HubSpot or Zoho account, review the API keys and recent contact-list exports on it: the attackers create their own keys to keep access after the password has been changed.


IOCs

Phishing domains (defanged):

active-mailgun[.]com

barefoots-api[.]com

cloudflare-sendgrid[.]com

complete-sendgrid[.]com

connect1-coinbase[.]com

connect5-coinbase[.]com

firmware-llive[.]com

firmware-server12[.]com

hubservices-crm[.]com

inquiry-loginp[.]com

iosjdfsmdkf[.]com

live-sso[.]com

mail-chimpservices[.]com

mailchimp-sso[.]com

mailchimp-ssologin[.]com

myaccount-hbspot[.]com

mysite-clflre[.]com

mysrver-chbackend[.]com

myw-cbw[.]com

mywallet-cbsmartw[.]com

mywallet-cbsmw[.]com

mywallet-cbupgrade[.]com

nikafk244[.]com

password-proxy-redirect[.]com

redirect-sso[.]com

response-crmsg[.]com

response-loginportal[.]com

response16-sendgrid[.]com

response20-sendgrid[.]com

responseinquiry-tos[.]com

responsesendgrid[.]com

review-termsconditions[.]com

revokecblink[.]com

rseponse-manageprod[.]com

rseponse25-sendgrid[.]com

rseponsequery[.]com

server12-mchimp[.]com

server9-hubspot[.]com

server9-mailgun[.]com

server9-sendgrid[.]net

sso-account[.]com

sso-signon[.]com

support-zoho[.]com

swallet-coinbase[.]com
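As an added example of how to put the list above to use (not code from the original post or from Silent Push), the script below refangs a subset of these indicators, extracts the hostname from each request in a constructed proxy log, and reports a hit only when the host equals an IOC domain or is a subdomain of one. Label-wise matching matters here: a substring match would flag notmailchimp-sso.com, and a plain equality match would miss login.mailchimp-sso.com. The log lines and client addresses are invented for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Subset of the defanged phishing domains from the IOC list above.
POISONSEED_IOCS = """
connect1-coinbase[.]com
mailchimp-sso[.]com
mailchimp-ssologin[.]com
mywallet-cbupgrade[.]com
server9-sendgrid[.]net
support-zoho[.]com
"""

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = """\
2025-04-07T09:12:44Z 10.0.3.17 GET https://mailchimp.com/login 200
2025-04-07T09:13:02Z 10.0.3.17 GET https://login.mailchimp-sso.com/sso/verify 200
2025-04-07T09:13:40Z 10.0.5.9 GET https://www.coinbase.com/ 200
2025-04-07T09:14:11Z 10.0.5.9 GET https://connect1-coinbase.com/wallet/setup 200
2025-04-07T09:15:00Z 10.0.2.2 GET https://server9-sendgrid.net:8443/api 302
2025-04-07T09:16:21Z 10.0.7.4 GET https://notmailchimp-sso.com/ 200
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator like example[.]com back into example.com."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def load_iocs(text: str) -> set:
    """One refanged, lowercased domain per non-empty line."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def host_of(url: str) -> str:
    """Bare lowercase hostname from a URL or host[:port] string."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def match_ioc(host: str, iocs: set) -> Optional[str]:
    """Return the IOC that host equals or is a subdomain of; None otherwise.
    Walks the label suffixes (a.b.c -> a.b.c, b.c) but never the bare TLD."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_proxy_log(log_text: str, iocs: set) -> list:
    """Return (client, host, matched_ioc) for every request to an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = host_of(url)
        ioc = match_ioc(host, iocs)
        if ioc:
            hits.append((client, host, ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG, load_iocs(POISONSEED_IOCS)):
        print(f"{client} -> {host} (matches IOC {ioc})")
```

The same `match_ioc` function works unchanged on DNS query logs or mail-gateway link extraction; only the field positions in `scan_proxy_log` are specific to the constructed log format. Note that the legitimate mailchimp.com and coinbase.com requests in the sample produce no hit, which is the behaviour you want before wiring this into an alert.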

References

PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks

PoisonSeed uses CRM Accounts for Cryptocurrency ‘Seed Phrase Poisoning’ Attacks!

FPT IS Security

761 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.