
PoisonSeed - A Sophisticated Phishing Campaign Seeks Extensive Crypto Theft
PoisonSeed is a sophisticated phishing campaign uncovered by Silent Push threat analysts, targeting enterprise organizations, VIPs, and cryptocurrency holders. Active since at least March 2025, it compromises accounts at CRM and bulk email providers such as Mailchimp, SendGrid, and HubSpot, exports the victims' email lists, and reuses the hijacked accounts to distribute spam. The spam carries a distinctive lure built around cryptocurrency ‘seed phrases’ and is designed to take over the recipients' wallets.
Technical Description
PoisonSeed starts with targeted phishing emails that mimic account notices from services such as Mailchimp and SendGrid and link to near-identical replicas of their login pages. The email sent to Troy Hunt used a ‘Sending Privileges Restricted’ lure and led to a clone of the Mailchimp login page at mailchimp-sso[.]com; the same kit impersonates SendGrid on domains such as sso-account[.]com. The messages often originate from previously compromised business accounts, which lends them credibility. Once credentials are captured, the attackers immediately export the victim’s mailing lists (Hunt received an export notification within minutes of entering his credentials on March 25, 2025) and create API keys so that their access survives a later password change. The early March 2025 compromise of an Akamai SendGrid account shows the second stage: the hijacked account was used to send Coinbase phishing emails as well as further SendGrid phishing lures.
Crypto Seed Phrase Poisoning Technique:
A key tactic of PoisonSeed is its cryptocurrency seed phrase poisoning attack. Victims receive urgent emails, such as fake Coinbase wallet migration notices, telling them to move their funds into a new self-custodial wallet. The phishing page supplies a pre-generated seed phrase and instructs the user to import it into the new wallet. Because a self-custodial wallet’s private keys are derived entirely from the seed phrase, whoever generated the phrase holds the keys; the attackers simply wait for the victim to fund the wallet, then “recover” it from their own copy of the phrase and drain it. No malware and no credential theft are needed. This was observed during the Akamai SendGrid breach, where email headers showed an @akamai[.]com sender and the phishing pages pushed users to “update” their Coinbase wallets with the attacker-supplied phrases. Related Ledger phishing pages, such as firmware-server12[.]com, posed as firmware updates and instead asked users to enter their existing seed phrases.
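To make the mechanism concrete, the following added example (not code from the original report or from any of the named vendors) walks the standard BIP39/BIP32 derivation that self-custodial wallets use: the mnemonic is stretched with PBKDF2-HMAC-SHA512 into a 64-byte seed, and the BIP32 master private key is the left half of HMAC-SHA512("Bitcoin seed", seed). Both steps are defined by the public BIPs and need only the Python standard library; the phrase below is the well-known BIP39 test-vector phrase, used here as a constructed stand-in for an attacker-supplied one. Encoding entropy into the 2048-word list is omitted, since the point is what happens once a phrase exists.

```python
import hashlib
import hmac
import unicodedata

# Constructed stand-in for the phrase a PoisonSeed page hands the victim.
# (This is the public BIP39 test-vector phrase, not a real wallet.)
ATTACKER_SUPPLIED_PHRASE = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase,
    2048 rounds, 64 bytes). Both strings are NFKD-normalised first."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, 2048, 64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: I = HMAC-SHA512(key="Bitcoin seed", data=seed);
    master private key = I[:32], chain code = I[32:]."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def wallet_master_key(phrase: str, passphrase: str = "") -> bytes:
    """Everything a wallet signs with descends from this key."""
    return bip32_master_key(bip39_seed(phrase, passphrase))[0]


def attacker_controls_wallet(phrase: str) -> bool:
    """Why the lure works: the victim 'imports' the phrase into a fresh wallet,
    the attacker kept a copy, and both derive byte-identical keys. There is no
    race to win, so the attacker can drain the wallet whenever it is funded."""
    victim_key = wallet_master_key(phrase)      # victim's new "migrated" wallet
    attacker_key = wallet_master_key(phrase)    # attacker's retained copy
    return hmac.compare_digest(victim_key, attacker_key)


def passphrase_changes_key(phrase: str, user_passphrase: str) -> bool:
    """A user-chosen BIP39 passphrase (the '25th word') yields a different
    master key. It is a mitigation only if the attacker never learns it;
    it does nothing against a phrase the attacker generated *and* a
    passphrase the attacker also supplied."""
    return wallet_master_key(phrase) != wallet_master_key(phrase, user_passphrase)


if __name__ == "__main__":
    print("attacker holds victim's keys:", attacker_controls_wallet(ATTACKER_SUPPLIED_PHRASE))
    print("master key:", wallet_master_key(ATTACKER_SUPPLIED_PHRASE).hex())
```

The takeaway for defenders and end users is that a seed phrase is the private key in word form: a phrase shown on any web page, email, or support chat must be treated as already stolen, and a legitimate wallet always generates its phrase locally from device entropy.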
Infrastructure and Command & Control (C2) Details:
PoisonSeed’s infrastructure consists of domains registered with distinctive WHOIS patterns, frequently through the registrar NICENIC INTERNATIONAL GROUP CO., LIMITED. Analysts identified domains such as sso-account[.]com and hubservices-crm[.]com by matching phishing kit fingerprints and by pivoting on unusual strings in the WHOIS “State” field. Command-and-control (C2) domains such as mysrver-chbackend[.]com and nikafk244[.]com were recovered from the JavaScript served by the Ledger phishing pages. The same directory layout (/api, /api/2fa/verify) appears across both the CRM and the cryptocurrency phishing pages, which links the two campaigns to one kit; the analysis of mailchimp-sso[.]com after Hunt’s disclosure confirmed this. The presence of a /api/2fa/verify endpoint also indicates that the kit collects one-time codes, so OTP-based MFA alone should not be assumed to stop it.
Differentiating PoisonSeed from Related Threat Actors:
While PoisonSeed shares similarities with CryptoChameleon and Scattered Spider, both linked to “The Comm”, it remains distinct. CryptoChameleon targets high-net-worth crypto holders and cashes out quickly, whereas PoisonSeed plants a seed phrase and drains the wallet later. Scattered Spider focuses on corporate intrusion and ransomware rather than individual crypto phishing, as shown by its 2025 attacks on brands such as Nike and Forbes. PoisonSeed’s phishing kits show no code overlap with either group, indicating a new or evolved actor. The reuse of mailchimp-sso[.]com, previously associated with Scattered Spider, is inconclusive because the domain was re-registered in 2025.
Research and Monitoring Methodology
Researchers used WHOIS pivots and web scanning to track PoisonSeed, uncovering 49 related domains. SSL/TLS certificate analysis of firmware-server12[.]com revealed its command-and-control (C2) IPs. The campaign’s simultaneous targeting of CRM providers (Mailchimp, SendGrid) and cryptocurrency firms (Coinbase, Ledger) was tied together through identical JavaScript paths and through the dual-purpose spam sent from the compromised Akamai SendGrid account in March 2025, underscoring a strategy that first compromises a trusted sending platform and then abuses it to reach that platform’s audience.
Conclusion:
PoisonSeed is a phishing threat that combines supply chain compromise with cryptocurrency fraud. Its ability to take over bulk email providers for spam distribution, combined with the seed phrase poisoning method, makes it a notable development in phishing campaigns. Although it shares some infrastructure characteristics with CryptoChameleon and Scattered Spider, its distinct tactics and the absence of kit overlap warrant separate classification. Continuous monitoring by Silent Push, using WHOIS and web scanning pivots, remains the main source of new indicators for this evolving threat.
Impact
PoisonSeed poses a serious threat, compromising enterprise email systems and exposing sensitive customer data, as demonstrated in the Troy Hunt and Akamai cases. It puts crypto holders at risk of financial loss through seed phrase theft and undermines organizational trust and operations by exploiting reputable platforms to distribute spam and phishing campaigns.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | Initial Access, Execution |
| Technique Name | Initial Access: Phishing (T1566); Execution: Command and Scripting Interpreter (T1059) |
| Sub Technique Name | Initial Access: Phishing: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002); Execution: Command and Scripting Interpreter: JavaScript (T1059.007) |
| Attack Type | Phishing, Malware |
| Targeted Applications | CRM / bulk email platforms (Mailchimp, SendGrid, HubSpot, Mailgun) and cryptocurrency wallets (Coinbase, Ledger) |
| Region Impacted | Global |
| Industry Impacted | All |
| IOCs (domains) | response-loginportal[.]com, mywallet-cbsmw[.]com, server9-sendgrid[.]net, rseponsequery[.]com, cloudflare-sendgrid[.]com, sso-account[.]com, rseponse-manageprod[.]com, live-sso[.]com, mysite-clflre[.]com, mail-chimpservices[.]com, connect5-coinbase[.]com, responsesendgrid[.]com, response-crmsg[.]com, active-mailgun[.]com, rseponse25-sendgrid[.]com, response20-sendgrid[.]com, swallet-coinbase[.]com, hubservices-crm[.]com, mysrver-chbackend[.]com, firmware-llive[.]com, server9-mailgun[.]com, review-termsconditions[.]com, response16-sendgrid[.]com, complete-sendgrid[.]com, redirect-sso[.]com, firmware-server12[.]com, myw-cbw[.]com, mailchimp-ssologin[.]com, password-proxy-redirect[.]com, revokecblink[.]com, responseinquiry-tos[.]com, sso-signon[.]com, mailchimp-sso[.]com, server9-hubspot[.]com, connect1-coinbase[.]com, server12-mchimp[.]com |
| CVE | NA |
Recommended Actions
- Block Malicious Domains: Block the PoisonSeed domains listed above at the DNS and web proxy layers, alert on any historical resolutions of them in DNS logs, and keep the list current as new indicators are published.
- Strengthen Email Security: Enforce multi-factor authentication (MFA) on CRM and bulk email platforms. Because the kit exposes a /api/2fa/verify path and can capture one-time codes, prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) where the platform supports them, and train staff to treat “sending privileges restricted” style notices as a known lure to be verified by navigating to the provider directly.
- Review API Access: Regularly audit API keys, connected apps, and active sessions in services such as Mailchimp and SendGrid; revoke any key that is unused or unrecognised, and after a suspected compromise rotate all keys and invalidate sessions, since a password reset alone does not remove attacker-created keys. Check export and audit logs for unexpected list downloads.
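The following is an added example, not code from the original report, showing how a defender would operationalise the IOC table above: refang the defanged domains (tolerating the spacing artifacts that creep in when such lists are copied), emit a DNS Response Policy Zone (RPZ) that returns NXDOMAIN for each domain and its subdomains, and sweep BIND-style query logs for lookups of those names. The log lines are constructed for the example and are simplified relative to real BIND output; the RPZ origin name is an assumption.

```python
import re

# A subset of the defanged IOCs from the table above; two entries carry the
# stray spaces that appear when the published list is copied out of a table.
POISONSEED_DEFANGED = [
    "sso-account[.]com",
    "mailchimp-sso[.]com",
    "server9-sendgrid[.] net",
    "mysrver-chbackend[.]c om",
    "connect1-coinbase[.]com",
    "firmware-server12[.]com",
]

# Constructed, simplified BIND query-log lines (not real customer data).
SAMPLE_QUERY_LOG = """\
25-Mar-2025 09:12:01.123 client 10.1.2.3#51234 (mailchimp-sso.com): query: mailchimp-sso.com IN A + (10.1.2.254)
25-Mar-2025 09:12:02.456 client 10.1.2.3#51235 (api.mailchimp-sso.com): query: api.mailchimp-sso.com IN A + (10.1.2.254)
25-Mar-2025 09:12:03.789 client 10.1.2.9#51236 (mailchimp.com): query: mailchimp.com IN A + (10.1.2.254)
25-Mar-2025 09:12:04.001 client 10.1.2.7#51237 (sso-account.com): query: sso-account.com IN AAAA + (10.1.2.254)
"""

_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")
_QUERY_RE = re.compile(r"client (?:@\S+ )?(?P<client>[\d.:a-f]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN ")


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to a hostname.
    Handles [.] and (.) dots, hxxp schemes, stray whitespace, and trailing paths."""
    d = re.sub(r"\s+", "", ioc.lower())
    d = d.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    d = re.sub(r"^https?://", "", d).split("/")[0].rstrip(".")
    if not _HOST_RE.match(d):
        raise ValueError(f"not a hostname after refanging: {ioc!r}")
    return d


def blocklist(defanged: list[str]) -> list[str]:
    """Refanged, deduplicated, sorted list ready for enforcement."""
    return sorted({refang(i) for i in defanged})


def rpz_zone(domains: list[str], origin: str = "poisonseed.rpz.local.") -> str:
    """Emit an RPZ zone file. 'name CNAME .' is the RPZ action for NXDOMAIN;
    the wildcard record covers subdomains such as api.<domain>."""
    lines = [
        "$TTL 300",
        f"@ IN SOA {origin} hostmaster.{origin} 1 3600 600 86400 300",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


def is_blocked(name: str, domains: list[str]) -> bool:
    """Exact match or subdomain match; 'notmailchimp-sso.com' must not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def sweep_query_log(log_text: str, domains: list[str]) -> list[tuple[str, str]]:
    """Return (client, queried name) pairs for every lookup of a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and is_blocked(m.group("name"), domains):
            hits.append((m.group("client"), m.group("name")))
    return hits


if __name__ == "__main__":
    domains = blocklist(POISONSEED_DEFANGED)
    print(rpz_zone(domains))
    for client, name in sweep_query_log(SAMPLE_QUERY_LOG, domains):
        print(f"ALERT {client} resolved {name}")
```

Feeding the generated zone to a resolver with RPZ enabled blocks the listed names network-wide, and running the sweep over retained query logs answers the question incident responders ask first: which hosts touched the phishing infrastructure, and when.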