# PoisonSeed Campaign: Exploiting Business Email Accounts to Spread Fake Seed Phrases and Hijack Digital Wallets

As cryptocurrency adoption continues to grow, the threats around it are becoming more sophisticated. Researchers at Silent Push recently warned about a dangerous phishing campaign called **PoisonSeed**. The campaign exploits stolen email accounts to spread fake **"seed phrases,"** tricking users into handing over access to their digital wallets.

---

# Overview

## **What is PoisonSeed?**

PoisonSeed is the name given to a sophisticated attack campaign in which hackers use stolen login credentials for email marketing and customer relationship management (CRM) platforms such as **Mailchimp, SendGrid, HubSpot, Zoho** and others to send spam emails at scale.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744598823951/6b1cc642-5e5e-4fd2-9b57-4c89f139f35f.png?auto=compress,format&format=webp align="left")

These emails impersonate security alerts from well-known cryptocurrency companies such as **Coinbase** and **Ledger**, urging recipients to "switch to a new self-custody wallet," a recent trend. Each message includes a string of **12-24 characters** that looks like a valid seed phrase.

Key point: **The recipient is the one who enters the fake seed phrase into the new wallet, unknowingly giving full control to the attacker.**

---

## **Sophisticated and Methodical Tactics**

The PoisonSeed operators don't stop at sending emails. They also:

* **Set up fake login pages** for Mailchimp and SendGrid to steal employee accounts at major companies.
* **Automatically download contact lists** and create API keys to maintain long-term access.
* **Send fake emails with urgent content**, such as "email sending restricted," to prompt victims to log in on the fake page.
* **Embed fake seed phrases** as part of the "security process" for the new wallet, exploiting users' trust.

This campaign targets both individuals and businesses—**even those not directly involved with cryptocurrency**. Anyone whose email address ends up on the list can become a victim.

PoisonSeed is not just a simple phishing campaign—it clearly shows that in the digital world, **we are not hacked, but rather hack ourselves when we let our guard down.**

---

## **Related to Famous Attack Groups?**

Although some domains used, like `mailchimp-sso[.]com`, are linked to groups such as **Scattered Spider** or **CryptoChameleon**, researchers believe PoisonSeed shows signs of operating independently, using its own phishing toolkit and having different targets.

In 2025, Scattered Spider attacked major brands such as **Nike, Twitter/X and Louis Vuitton**, but did not target entities like Coinbase or digital wallets, which marks PoisonSeed as a distinct entity within the cybercrime ecosystem known as "The Com".

---

# **Recommendations**

***FPT Threat Intelligence*** warns about the dangers of **reusing accounts**, **lack of multi-factor authentication**, and **not being cautious with emails that seem legitimate**:

* **Never enter a seed phrase sent via email, no matter how trustworthy it seems.**
* **Only create a new wallet from the official app or website.**
* **Always enable two-factor authentication (2FA) for email and other important accounts.**
* **Carefully check the URL before logging into any platform.**

---

# IOCs

***Phishing Domains:***

| Phishing domain |
| --- |
| `active-mailgun[.]com` |
| `barefoots-api[.]com` |
| `cloudflare-sendgrid[.]com` |
| `complete-sendgrid[.]com` |
| `connect1-coinbase[.]com` |
| `connect5-coinbase[.]com` |
| `firmware-llive[.]com` |
| `firmware-server12[.]com` |
| `hubservices-crm[.]com` |
| `inquiry-loginp[.]com` |
| `iosjdfsmdkf[.]com` |
| `live-sso[.]com` |
| `mail-chimpservices[.]com` |
| `mailchimp-sso[.]com` |
| `mailchimp-ssologin[.]com` |
| `myaccount-hbspot[.]com` |
| `mysite-clflre[.]com` |
| `mysrver-chbackend[.]com` |
| `myw-cbw[.]com` |
| `mywallet-cbsmartw[.]com` |
| `mywallet-cbsmw[.]com` |
| `mywallet-cbupgrade[.]com` |
| `nikafk244[.]com` |
| `password-proxy-redirect[.]com` |
| `redirect-sso[.]com` |
| `response-crmsg[.]com` |
| `response-loginportal[.]com` |
| `response16-sendgrid[.]com` |
| `response20-sendgrid[.]com` |
| `responseinquiry-tos[.]com` |
| `responsesendgrid[.]com` |
| `review-termsconditions[.]com` |
| `revokecblink[.]com` |
| `rseponse-manageprod[.]com` |
| `rseponse25-sendgrid[.]com` |
| `rseponsequery[.]com` |
| `server12-mchimp[.]com` |
| `server9-hubspot[.]com` |
| `server9-mailgun[.]com` |
| `server9-sendgrid[.]net` |
| `sso-account[.]com` |
| `sso-signon[.]com` |
| `support-zoho[.]com` |
| `swallet-coinbase[.]com` |
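As an added defender-side example (not code from the original post, nor from Silent Push or FPT Threat Intelligence), the script below refangs a subset of the IOC domains listed above, checks the hosts found in constructed mail and proxy log lines against them, and applies the "carefully check the URL" recommendation more generally than the list does: any host that contains an impersonated brand name but is not one of that brand's own registrable domains is flagged as a lookalike. The `BRAND_ALLOWLIST`, the sample log lines, and the `registrable()` helper (which takes the last two labels instead of consulting the Public Suffix List) are assumptions of this example.

```python
"""Match defanged IOCs and screen for brand-lookalike hosts in log lines.

Added example; not from the original post or from any vendor. The log lines
are constructed, and the allow-list of legitimate brand domains is an
assumption a defender would maintain themselves.
"""
import re
from typing import List, Optional, Tuple

# Subset of the post's IOC table, defanged exactly as published. A real
# deployment would load the full table from a file or a threat-intel feed.
IOCS = [
    "active-mailgun[.]com",
    "cloudflare-sendgrid[.]com",
    "connect1-coinbase[.]com",
    "mailchimp-sso[.]com",
    "myaccount-hbspot[.]com",
    "server9-sendgrid[.]net",
    "support-zoho[.]com",
]

# Brands impersonated in the campaign mapped to the registrable domains they
# legitimately use (assumption: a defender-maintained allow-list).
BRAND_ALLOWLIST = {
    "mailchimp": {"mailchimp.com"},
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "coinbase": {"coinbase.com"},
    "hubspot": {"hubspot.com"},
    "zoho": {"zoho.com"},
    "mailgun": {"mailgun.com"},
    "cloudflare": {"cloudflare.com"},
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://...') into a hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    return d.replace("[.]", ".").replace("(.)", ".").rstrip("/")


def extract_hosts(line: str) -> List[str]:
    """Collect hostnames from a log line: URL hosts and sender-address domains."""
    hosts = set()
    for m in re.finditer(r"https?://([a-z0-9.-]+)", line, re.I):
        hosts.add(m.group(1).lower().rstrip("."))
    for m in re.finditer(r"[\w.+-]+@([a-z0-9.-]+)", line, re.I):
        hosts.add(m.group(1).lower().rstrip("."))
    return sorted(hosts)


def registrable(host: str) -> str:
    """Last two labels of a host. Adequate for the .com/.net IOCs here;
    a production tool would use the Public Suffix List instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def ioc_hits(host: str, iocs=IOCS) -> bool:
    """True when the host equals an IOC domain or is a subdomain of one."""
    for ioc in map(refang, iocs):
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


def lookalike_brand(host: str, allow=BRAND_ALLOWLIST) -> Optional[str]:
    """Return the brand a host imitates: the brand string appears in the host,
    but the host's registrable domain is not one the brand actually owns."""
    reg = registrable(host)
    for brand, legit in allow.items():
        if brand in host and reg not in legit:
            return brand
    return None


def screen(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Classify hosts in each line; returns (line_no, host, verdict) triples."""
    findings = []
    for n, line in enumerate(lines, 1):
        for host in extract_hosts(line):
            if ioc_hits(host):
                findings.append((n, host, "ioc"))
            else:
                brand = lookalike_brand(host)
                if brand:
                    findings.append((n, host, "lookalike:" + brand))
    return findings


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = [
    "2025-04-08T09:12:01Z mail from=alerts@mailchimp-sso.com subj='Email sending restricted' url=https://login.mailchimp-sso.com/auth",
    "2025-04-08T09:15:44Z proxy user=bob url=https://www.mailchimp.com/login status=200",
    "2025-04-08T09:20:10Z proxy user=eve url=https://secure-coinbase-wallet.net/new-wallet status=200",
    "2025-04-08T09:31:07Z mail from=no-reply@sendgrid.net subj='Weekly digest'",
]

if __name__ == "__main__":
    for n, host, verdict in screen(SAMPLE_LOG):
        print(f"line {n}: {host} -> {verdict}")
```

The exact-or-subdomain test in `ioc_hits` matters because phishing kits usually serve the login page from a subdomain (`login.` in the first sample line) rather than the bare registered domain. The lookalike check is a heuristic and will produce false positives for legitimate third parties that mention a brand in their hostname, so it is best used as a triage signal next to the hard IOC match rather than as a blocking rule on its own.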

# References

[**PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks**](https://thehackernews.com/2025/04/poisonseed-exploits-crm-accounts-to.html)

[**PoisonSeed uses CRM Accounts for Cryptocurrency ‘Seed Phrase Poisoning’ Attacks!**](https://www.cybernewsgroup.co.uk/2025/04/08/poisonseed-uses-crm-accounts-for-cryptocurrency-seed-phrase-poisoning-attacks/)
