Full Report
A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an
Analysis Summary
# Tool/Technique: PoisonSeed Campaign (Cryptocurrency Seed Phrase Poisoning)
## Overview
PoisonSeed is a malicious campaign that exploits compromised credentials for Customer Relationship Management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases. The goal is to trick recipients into using these "security" seed phrases in new crypto wallets, allowing the threat actors to hijack these wallets later and steal funds.
## Technical Details
- Type: Campaign / Technique
- Platform: Victims are recipients of bulk mail sent from compromised CRM and bulk email service accounts (notably Coinbase and Ledger customers); execution relies on the compromised CRM/email provider infrastructure.
- Capabilities: Account takeover, credential harvesting via phishing, supply chain spam, cryptocurrency wallet hijacking.
- First Seen: Aspects previously disclosed in March 2025, analysis released April 2025.
## MITRE ATT&CK Mapping
The described actions map primarily to Initial Access (via compromise of legitimate service accounts), with the following supporting tactics and the eventual wallet theft as Impact:
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (noted for completeness; here the seed phrase is delivered in the message body rather than as an attachment)
    - T1566.002 - Spearphishing Link (use of lookalike phishing pages)
- **TA0003 - Persistence**
  - T1133 - External Remote Services (implied by maintaining access via an API key after the password is reset)
- **TA0005 - Defense Evasion**
  - T1078 - Valid Accounts
    - T1078.004 - Cloud Accounts (compromise of CRM/email provider accounts)
- **TA0011 - Command and Control** (implicit in the use of compromised email infrastructure for distribution)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Setting up lookalike phishing pages targeting CRM and bulk email service providers (Mailchimp, SendGrid, Hubspot, Zoho, etc.).
- **Account Takeover:** Utilizing stolen credentials to gain access to legitimate business accounts.
- **Persistence Mechanism:** Creating an API key post-compromise to maintain access even if the primary password is subsequently reset.
- **Supply Chain Spam:** Exporting mailing lists from compromised accounts and sending bulk spam to targets.
- **Seed Phrase Poisoning:** Embedding cryptocurrency recovery seed phrases within the spam emails, instructing victims to set up new wallets using these phrases.
### Advanced Features
- The end goal is the **hijacking of the victim's newly created wallet** using the same recovery phrase embedded in the email, allowing the actor to drain funds.
- The campaign leverages trusted business infrastructure (CRM/Email senders) for distribution, increasing the legitimacy of the spam.
## Indicators of Compromise
*Note: Specific hashes or IPs are not provided in the context, but structural indicators are listed.*
- File Hashes: [Not specified in context]
- File Names: [Not specified in context]
- Registry Keys: [Not specified in context]
- Network Indicators:
  - Lookalike domain used: mailchimp-sso[.]com (linked to previous use by Scattered Spider)
  - Compromised CRM/email provider accounts (e.g., Mailchimp, SendGrid, Hubspot, Zoho instances).
- Behavioral Indicators:
  - Spam emails containing legitimate-sounding instructions to migrate to a *new* Coinbase Wallet using an embedded 12/24-word seed phrase presented as a "security seed phrase."
  - API key creation observed on targeted CRM/email service accounts post-compromise.
## Associated Threat Actors
- **PoisonSeed:** The name given to this specific campaign/activity cluster.
- **Potentially linked/sharing tradecraft with:**
  - Scattered Spider (due to shared domain usage identified by researchers).
  - CryptoChameleon (due to historical targeting overlap of Coinbase/Ledger).
- **Note:** The phishing kit used by PoisonSeed is *different* from those used by Scattered Spider or CryptoChameleon, suggesting it could be a novel actor or a new version from a known cluster.
## Detection Methods
- Signature-based detection: (Applicable only if the specific phishing kit artifacts are identified.)
- Behavioral detection: Monitoring for API key creation on user accounts within CRM/Email platforms, or unusual bulk mailing activity originating from compromised accounts.
- YARA rules: [Not specified in context]
- Content Scanning: Looking for emails containing complete 12/24-word phrases combined with instructions to create a new wallet.
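The content-scanning detection above, as an added example that is not part of the original report and not any vendor's tooling: a scanner that flags messages carrying a run of 12 or more consecutive BIP39-style words next to wallet-migration lure language. The BIP39 wordlist embedded here is a constructed subset of the real English list (the full list has 2048 words and should be loaded from a file in production); the sample emails are constructed, and the lure patterns are assumptions drawn from the wording the report describes.

```python
"""Content scan for seed-phrase poisoning emails (added example, not from the report)."""
import re
from dataclasses import dataclass, field

# Constructed SUBSET of the real English BIP39 wordlist; load all 2048 words in production.
BIP39_SAMPLE = set("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
aerobic affair afford afraid again age agent agree ahead aim air airport
aisle alarm album alcohol alert alien all alley allow almost alone alpha
""".split())

# Assumed lure wording, modelled on the "migrate to a new wallet with this security seed phrase" lure.
LURE_PATTERNS = [
    r"\bseed phrase\b", r"\brecovery phrase\b", r"\bnew wallet\b",
    r"\bmigrat\w*\b", r"\bself[- ]custod\w*\b",
]

WORD_RE = re.compile(r"[A-Za-z]+")

@dataclass
class ScanResult:
    suspicious: bool
    phrase_lengths: list = field(default_factory=list)  # lengths of candidate runs, never the words
    lures: list = field(default_factory=list)           # lure patterns that matched

def candidate_runs(text, wordlist=BIP39_SAMPLE, min_len=12):
    """Lengths of maximal runs of consecutive wordlist words (at least min_len long).
    Runs longer than 12/24 are still reported: words like 'seed', 'phrase' and
    'security' are themselves BIP39 words and can extend a real mnemonic's run."""
    runs, current = [], 0
    for tok in WORD_RE.findall(text):
        if tok.lower() in wordlist:
            current += 1
            continue
        if current >= min_len:
            runs.append(current)
        current = 0
    if current >= min_len:
        runs.append(current)
    return runs

def scan_email(body, wordlist=BIP39_SAMPLE):
    """Suspicious only when a seed-like run AND lure language co-occur; the
    result carries run lengths, not the phrase, so alerts cannot leak a key."""
    lowered = body.lower()
    lures = [p for p in LURE_PATTERNS if re.search(p, lowered)]
    runs = candidate_runs(body, wordlist)
    return ScanResult(bool(runs and lures), runs, lures)

# Constructed sample messages.
SAMPLE_SPAM = """Important: migrate to a new Coinbase Wallet today.
Your security seed phrase is:
abandon ability able about above absent absorb abstract absurd abuse access accident
Enter it when prompted to create your new wallet."""

SAMPLE_NEWSLETTER = "Our newsletter is about the album launch; access it above. Thanks!"

if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, scan_email(body))
```

Deploy this at the mail gateway or on the sending platform's outbound queue, and keep the alert payload to lengths and lure matches as above; an alert that copies the phrase into a ticketing system recreates the exposure the rule is meant to catch.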
## Mitigation Strategies
- **Prevention Measures:** Multi-Factor Authentication (MFA) implementation across all CRM and bulk email platform accounts.
- **Hardening Recommendations:**
  - Employees should be trained to never input cryptocurrency seed phrases into *any* external input field or paste them into a new application, regardless of the source or stated purpose.
  - Regular review of generated API keys associated with CRM/Email accounts.
  - Zero Trust access policies for critical accounts.
- **Network Blocklisting:** If infrastructure indicators become public, blocklisting associated lookalike domains.
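The API key review recommended above, and the behavioral detection named in the Detection Methods section, as an added example that is not part of the original report: a review script over a CRM/bulk-mail audit export that flags API keys created shortly after a login from an IP the account had never used, and records whether a mailing-list export or bulk send followed the new key. The JSON-lines layout (`ts`, `account`, `event`, `ip`) and the event names are assumptions, not any provider's real schema; map a real audit export onto these fields first. The log lines are constructed.

```python
"""Review CRM / bulk-mail audit logs for post-compromise API keys (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. marketing@ is normal use; support@ shows the pattern
# new-IP login -> api_key.create -> audience.export -> campaign.send.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-04-01T09:00:00Z", "account": "marketing@example.com", "event": "login", "ip": "198.51.100.10"}
{"ts": "2025-04-01T09:05:00Z", "account": "marketing@example.com", "event": "campaign.send", "ip": "198.51.100.10"}
{"ts": "2025-04-02T09:00:00Z", "account": "marketing@example.com", "event": "login", "ip": "198.51.100.10"}
{"ts": "2025-04-02T09:10:00Z", "account": "marketing@example.com", "event": "api_key.create", "ip": "198.51.100.10"}
{"ts": "2025-04-03T08:00:00Z", "account": "support@example.com", "event": "login", "ip": "198.51.100.20"}
{"ts": "2025-04-03T22:41:00Z", "account": "support@example.com", "event": "login", "ip": "203.0.113.77"}
{"ts": "2025-04-03T22:43:00Z", "account": "support@example.com", "event": "api_key.create", "ip": "203.0.113.77"}
{"ts": "2025-04-03T23:02:00Z", "account": "support@example.com", "event": "audience.export", "ip": "203.0.113.77"}
{"ts": "2025-04-04T01:15:00Z", "account": "support@example.com", "event": "campaign.send", "ip": "203.0.113.77"}
"""

WINDOW = timedelta(hours=24)                      # new-IP login -> key creation, and key -> follow-on
FOLLOW_ON = {"audience.export", "campaign.send"}  # assumed event names for list export / bulk mail

def parse_events(text):
    """Parse the assumed JSON-lines layout and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events

def find_suspicious_keys(events, window=WINDOW):
    """Return {account: [finding, ...]}.

    Baseline assumption: the first IP seen for an account is trusted; any later
    login from an unseen IP opens a window in which api_key.create is flagged.
    Follow-on export/send events within the window after the key are attached."""
    seen_ips = defaultdict(set)
    new_ip_login = {}            # account -> (ts, ip) of latest login from an unseen IP
    findings = defaultdict(list)
    for rec in events:
        acct, ev, ip, ts = rec["account"], rec["event"], rec["ip"], rec["ts"]
        if ev == "login":
            if seen_ips[acct] and ip not in seen_ips[acct]:
                new_ip_login[acct] = (ts, ip)
            seen_ips[acct].add(ip)
        elif ev == "api_key.create":
            hit = new_ip_login.get(acct)
            if hit and ts - hit[0] <= window:
                findings[acct].append({"key_created": ts, "from_ip": ip,
                                       "new_ip_login": hit[0], "follow_on": []})
        elif ev in FOLLOW_ON and findings.get(acct):
            last = findings[acct][-1]
            if ts - last["key_created"] <= window:
                last["follow_on"].append(ev)
    return dict(findings)

def review(text):
    """Convenience wrapper: raw export text -> findings."""
    return find_suspicious_keys(parse_events(text))

if __name__ == "__main__":
    for acct, items in review(SAMPLE_AUDIT_LOG).items():
        for f in items:
            print(acct, f["from_ip"], f["key_created"].isoformat(), f["follow_on"])
```

Run it on a scheduled export rather than once: a key created from a familiar IP still deserves the periodic review the mitigation calls for, and the `follow_on` field is what separates a stray key from the export-then-blast sequence this campaign relies on.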
## Related Tools/Techniques
- Phishing Kits (General concept, though PoisonSeed uses a unique one).
- Supply Chain Compromise (Leveraging trusted platforms for malicious distribution).
- Previous related activity disclosed by Troy Hunt and Bleeping Computer involving Coinbase wallet migration phishing.