Ethical Hacking News
The recent 'PoisonSeed' phishing campaign has exposed thousands of unsuspecting crypto wallet users to malicious emails containing fake Coinbase seed phrases designed to drain their funds. Learn more about how this sophisticated phishing scam works and what can be done to prevent it.
The PoisonSeed phishing campaign compromises high-value corporate email marketing accounts and uses them to distribute cryptocurrency seed phrases. Professionally designed phishing emails with fake login pages are used to harvest credentials from the employees who manage those accounts. The follow-on emails sent from the hijacked accounts aim at Coinbase customers, tricking them into transferring their assets to wallets controlled by the attackers by supplying fake wallet seed phrases. Users should never use a seed phrase provided by someone else, as it is likely fake, and should instead use secure pre-generated seed phrases from companies or exchanges. The campaign is sophisticated, with code differences that distinguish it from similar operations carried out by other threat actors.
PoisonSeed, a highly sophisticated phishing campaign, has been identified as a significant threat to cryptocurrency users and email marketing professionals alike. According to recent reports from Silent Push, a cybersecurity research firm, the PoisonSeed campaign is designed to compromise corporate email marketing accounts and use them to distribute emails containing crypto seed phrases that are then used to drain cryptocurrency wallets.
The PoisonSeed campaign specifically goes after high-value targets with access to CRM and bulk email platforms. The attackers work out which email service a company uses for its newsletters or marketing campaigns, then identify the employees responsible for managing those accounts. They then craft professionally designed phishing emails that appear legitimate and take advantage of the recipient's trust.
These phishing emails often contain fake login pages hosted on carefully crafted domains designed to mimic the real company website. This trick is used to obtain sensitive information such as username and password credentials from unsuspecting employees. Once these credentials are obtained, the attackers export mailing lists from the compromised account, generate new API keys, and continue using the hijacked account to send targeted crypto-themed phishing spam.
The follow-on email campaigns aim at Coinbase customers. These emails contain fake alerts claiming that the recipient's wallet must be migrated to a self-custodial format in order to stay secure, and they include legitimate-looking Coinbase wallet seed phrases presented as part of that upgrade or migration of the recipient's current wallet setup. This is false: the phishing campaign aims to trick users into transferring all of their assets into wallets controlled by the attackers.
When a victim sets up a wallet with one of these seed phrases and moves assets into it, they are effectively handing those assets to the attacker, who already holds the phrase and can proceed to drain the funds. Cryptocurrency wallet users should be aware of this phishing scam and should never use a seed phrase provided by someone else, as it is most likely fake.
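The lure described above has a recognisable shape: migration or self-custody language next to a 12- or 24-word line. As an added example (not part of the original article or of any vendor's product), the mail-filter heuristic below flags such messages; the two sample bodies are constructed, and the keyword list is an assumption.

```python
import re

# Constructed sample messages (not real PoisonSeed emails): the first mimics
# the migration lure described above, the second is ordinary newsletter text.
LURE_MESSAGE = """Action required: your Coinbase wallet must be migrated to a
self-custodial wallet to stay secure. Set up the new wallet with this
recovery phrase:
abandon ability able about above absent absorb abstract absurd abuse access accident
and transfer your assets before Friday."""

BENIGN_MESSAGE = """Thanks for subscribing to our weekly newsletter. This week we
cover three product updates and a recap of our community call."""

# Assumed lure vocabulary: a genuine exchange never emails a seed phrase, so
# these phrases appearing next to one are a strong signal.
LURE_KEYWORDS = ("seed phrase", "recovery phrase", "self-custodial", "migrat")

# BIP39 words are 3 to 8 lowercase letters and a mnemonic is 12 or 24 of them.
# A production filter would also check each word against the BIP39 wordlist;
# this heuristic keys on structure alone.
MNEMONIC_WORD = re.compile(r"^[a-z]{3,8}$")

def find_mnemonic_lines(text):
    """Return each line made of exactly 12 or 24 short lowercase words, as a
    word list. Lures paste the phrase on its own line; prose rarely does."""
    runs = []
    for line in text.splitlines():
        words = line.split()
        if len(words) in (12, 24) and all(MNEMONIC_WORD.match(w) for w in words):
            runs.append(words)
    return runs

def score_message(text):
    """Classify a message body as 'allow', 'review' or 'quarantine' and
    return the reasons behind the verdict."""
    reasons = []
    lowered = text.lower()
    hits = [k for k in LURE_KEYWORDS if k in lowered]
    if hits:
        reasons.append("lure keywords: " + ", ".join(hits))
    runs = find_mnemonic_lines(text)
    for words in runs:
        reasons.append(f"{len(words)}-word seed-phrase-shaped line")
    if runs and hits:
        return "quarantine", reasons  # phrase plus lure language together
    if runs or hits:
        return "review", reasons      # a single signal: route to a human
    return "allow", reasons
```

Calling `score_message(LURE_MESSAGE)` returns `quarantine` with both reasons, while the newsletter text is allowed; a single signal on its own is routed for human review rather than blocked.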
To avoid falling prey to this phishing campaign, cryptocurrency wallet users should ensure that they are using a secure pre-generated seed phrase from their company or exchange whenever creating a new wallet. Additionally, never share your seed phrases with anyone else, even if you think it is for security reasons.
Researchers also link PoisonSeed to other recent incidents, such as the compromise of Troy Hunt's Mailchimp account and an Akamai SendGrid account hack reported by BleepingComputer in mid-March 2025. This further highlights the growing sophistication and complexity of phishing campaigns aimed at cryptocurrency users.
PoisonSeed stands out from its peers due to code differences and other distinct factors that differentiate it from similar operations carried out by the CryptoChameleon and Scattered Spider threat actors. These factors point to a new level of malicious ingenuity in this particular phishing campaign and an even greater danger to the crypto community as a whole.
The use of compromised corporate email marketing accounts to send targeted phishing emails highlights the need for companies to be vigilant about cybersecurity threats, especially those related to email marketing. It also emphasizes the importance of educating employees on how to spot and report suspicious activity, ensuring that their security measures remain effective.
Furthermore, PoisonSeed showcases a growing threat landscape where cryptocurrency users are becoming increasingly vulnerable to sophisticated phishing scams. As such, it is essential for crypto wallet users and companies alike to stay informed about these threats and implement robust cybersecurity measures to protect against such attacks.
In conclusion, PoisonSeed represents a significant risk to cryptocurrency users reached through compromised email marketing platforms. Understanding the tactics used by this phishing campaign can help prevent further attacks and safeguard user data, ensuring that individuals maintain control over their digital assets.
Related Information:
https://www.ethicalhackingnews.com/articles/PoisonSeed-A-Sophisticated-Phishing-Campaign-Exploiting-Corporate-Email-Marketing-Accounts-to-Drain-Cryptocurrency-Wallets-ehn.shtml
https://www.bleepingcomputer.com/news/security/poisonseed-phishing-campaign-behind-emails-with-wallet-seed-phrases/
Published: Fri Apr 4 13:00:41 2025 by llama3.2 3B Q4_K_M