PoisonSeed Campaign

PoisonSeed... What is it?

Shane Brown

4/7/2025
4 min read

Unveiling the PoisonSeed Campaign – A Growing Threat to Cryptocurrency Security

Cybercriminals are constantly evolving their tactics, and the recent PoisonSeed campaign represents a sophisticated escalation in phishing operations targeting cryptocurrency wallets. This blog explores the key aspects of this emerging threat, its operational methods, and crucial protective measures to safeguard your digital assets.

What is the PoisonSeed Campaign?

The PoisonSeed campaign is a novel phishing operation first identified in March 2025 that leverages compromised credentials from customer relationship management (CRM) and bulk email providers to distribute fraudulent cryptocurrency seed phrases. Silent Push security researchers have classified PoisonSeed as distinct from other threat actors like Scattered Spider and CryptoChameleon, though it shares some similarities with groups connected to "The Comm" (also spelled "The Com"), a community of Western cybercriminals.

Major targets include enterprise organizations, VIP individuals outside the cryptocurrency industry, and cryptocurrency platforms like Coinbase and Ledger. The campaign exploits trusted email infrastructure from providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.

How Does PoisonSeed Work?

The campaign operates through a sophisticated multi-stage attack chain:

1. Credential Theft Through Convincing Phishing Pages

PoisonSeed operators create pixel-perfect phishing pages that closely mimic login portals of prominent CRM and bulk email platforms. When unsuspecting users enter their credentials on these fake pages, attackers gain access to powerful email distribution systems with established sender reputations.

2. Automated List Exfiltration and Persistence

Once credentials are compromised, the threat actors rapidly export mailing lists through what appears to be an automated process. Security researcher Troy Hunt, whose Mailchimp account was compromised in March 2025, confirmed the list export process was "extremely quick and likely automated."

To maintain access even if the victim resets their password, attackers create new API keys, ensuring persistent control over the compromised accounts.

3. Fraudulent Seed Phrase Distribution

Using the compromised email infrastructure, attackers send crypto-themed phishing emails containing alerts that urge immediate action. A common lure suggests that "Coinbase is transitioning to self-custodial wallets" and includes a pre-generated wallet seed phrase supposedly for migration purposes.

As Silent Push researchers explain: "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack. As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising."

4. Delayed Theft Through Poisoned Wallets

What makes this attack particularly insidious is its delayed nature. When victims use the provided seed phrase to create what they believe is a secure new wallet and transfer their assets into it, they're actually setting up a wallet that's already under the attackers' control. This allows the criminals to access and drain the wallet once funds are deposited.

Notable Incidents Connected to PoisonSeed

Several high-profile security incidents have been attributed to the PoisonSeed campaign:

  • Troy Hunt's Mailchimp Account: The Have I Been Pwned administrator's Mailchimp account was compromised in March 2025, with attackers rapidly exporting his list of subscribers.

  • Akamai SendGrid Breach: In March 2025, attackers compromised an Akamai SendGrid account to distribute Coinbase-themed phishing emails containing seed phrases aimed at cryptocurrency wallet holders.

  • Extensive Targeting of Cryptocurrency Users: According to SC Media, the campaign has targeted both Coinbase and Ledger users through various compromised CRM accounts.

Why Is PoisonSeed Particularly Dangerous?

Several factors make the PoisonSeed campaign especially concerning:

  1. Trusted Infrastructure Exploitation: By compromising legitimate email platforms with established sender reputations, phishing emails bypass many traditional security filters.

  2. Delayed Theft Mechanism: Unlike traditional phishing that seeks immediate credentials, PoisonSeed's approach delays the theft until victims actively use the compromised seed phrases, making detection more difficult.

  3. Irreversible Losses: Since cryptocurrency transactions are permissionless and decentralized, there is no central authority that can reverse them: once funds are moved out of a compromised wallet, they are permanently lost unless the attacker chooses to return them, an extremely unlikely scenario.

  4. Sophisticated Technical Implementation: Analysis of PoisonSeed's phishing pages revealed sophisticated JavaScript that implements validation checks to ensure only properly formatted seed phrases are submitted, increasing the likelihood of collecting valid credentials.

Essential Protection Measures

To protect yourself against PoisonSeed and similar threats:

For Individual Cryptocurrency Users

  1. Never Use Provided Seed Phrases: A legitimate cryptocurrency platform will never send pre-generated seed phrases via email. Always generate your own seed phrases when creating a new wallet.

  2. Verify Communications Independently: Avoid clicking links in unsolicited emails, even if they appear to come from trusted sources. Instead, log in directly to the platform using its official URL or app.

  3. Implement Hardware Wallets: Consider using hardware wallets for significant cryptocurrency holdings, as they provide an additional layer of security against remote attacks.

  4. Enable All Available Security Features: Activate two-factor authentication, withdrawal delays, and address whitelisting when available on cryptocurrency platforms.

For Organizations

  1. Monitor for IOCs: Implement monitoring for indicators of compromise related to PoisonSeed domains and infrastructure.

  2. Strengthen Email Authentication: Ensure proper implementation of DMARC, DKIM, and SPF to reduce the risk of email spoofing.

  3. Implement API Key Controls: Review and enforce strict controls on API key creation and usage for email marketing platforms.

  4. Educate Staff: Train employees to recognize phishing attempts targeting CRM and email marketing credentials.
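Detection logic for the takeover sequence described in the attack chain above (login, rapid list export, new API key that outlives a password reset) and for the API-key controls in this list, written as an added example rather than anything from the Silent Push report or any platform's own tooling. It runs over constructed JSON-lines audit events whose schema (the event names, the key_id field) is an assumption, since each CRM and bulk-email provider exposes its own audit format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines); not taken from any real platform.
SAMPLE_LOG = """
{"ts":"2025-03-25T02:10:05Z","account":"newsletter","event":"login","ip":"203.0.113.7"}
{"ts":"2025-03-25T02:11:40Z","account":"newsletter","event":"list_export","ip":"203.0.113.7","rows":16000}
{"ts":"2025-03-25T02:12:02Z","account":"newsletter","event":"api_key_created","ip":"203.0.113.7","key_id":"k-91"}
{"ts":"2025-03-25T09:00:00Z","account":"newsletter","event":"password_reset","ip":"198.51.100.4"}
{"ts":"2025-03-26T14:00:00Z","account":"marketing","event":"login","ip":"198.51.100.9"}
{"ts":"2025-03-26T16:30:00Z","account":"marketing","event":"list_export","ip":"198.51.100.9","rows":300}
"""

EXPORT_WINDOW = timedelta(minutes=15)  # an export this soon after login suggests automation
KEY_WINDOW = timedelta(hours=1)        # a new key right after login suggests persistence

def parse(log):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect(log):
    """Return (account, finding) pairs for the PoisonSeed-style takeover pattern."""
    findings = []
    last_login = {}   # account -> timestamp of the most recent login
    live_keys = {}    # account -> {key_id: created_at} for keys not yet revoked
    for e in parse(log):
        acct, kind, ts = e["account"], e["event"], e["ts"]
        if kind == "login":
            last_login[acct] = ts
        elif kind == "list_export":
            t = last_login.get(acct)
            if t and ts - t <= EXPORT_WINDOW:
                secs = int((ts - t).total_seconds())
                findings.append((acct, f"list of {e['rows']} rows exported {secs}s after login"))
        elif kind == "api_key_created":
            live_keys.setdefault(acct, {})[e["key_id"]] = ts
            t = last_login.get(acct)
            if t and ts - t <= KEY_WINDOW:
                findings.append((acct, f"API key {e['key_id']} created {int((ts - t).total_seconds())}s after login"))
        elif kind == "api_key_revoked":
            live_keys.get(acct, {}).pop(e["key_id"], None)
        elif kind == "password_reset":
            # A password reset alone does not revoke API keys; each surviving key keeps full access.
            for key_id in live_keys.get(acct, {}):
                findings.append((acct, f"API key {key_id} survives password reset; revoke it"))
    return findings
```

On the sample log, `detect(SAMPLE_LOG)` flags only the "newsletter" account: the 95-second login-to-export gap, the key created 117 seconds after login, and that same key still being live after the password reset; the "marketing" export hours after login is not flagged.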

Conclusion

The PoisonSeed campaign represents a significant evolution in cryptocurrency phishing tactics, combining supply chain compromises with delayed-execution attacks that exploit fundamental trust in seed phrases. As cryptocurrency adoption grows, we can expect these sophisticated techniques to proliferate further.

For both individuals and organizations, maintaining vigilance, implementing multiple security layers, and following cryptocurrency security best practices remain essential defenses against emerging threats like PoisonSeed. Remember that in the cryptocurrency space, the responsibility for security ultimately falls on you—so stay informed, skeptical, and proactive.

Sources

  1. BleepingComputer - "PoisonSeed phishing campaign behind emails with wallet seed phrases" (April 2025)

  2. Silent Push - "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation" (April 2025)

  3. The Hacker News - "PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks" (April 2025)

  4. SC Media - "Massive PoisonSeed phishing campaign seeks extensive crypto theft" (April 2025)

  5. GBHackers - "PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack" (April 2025)

  6. TechRadar - "PoisonSeed campaign hijacks business CRM and email accounts to send out huge amounts of spam" (April 2025)

  7. CybersecurityNews - "New PoisonSeed Attacking CRM & Bulk Email Providers in Supply Chain Phishing Attack" (April 2025)

  8. SecurityAffairs - "PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets" (April 2025)