Full Report
A large-scale phishing campaign dubbed 'PoisonSeed' compromises corporate email marketing accounts to distribute emails containing crypto seed phrases used to drain cryptocurrency wallets. [...]
Analysis Summary
# Threat Actor: PoisonSeed Campaign (Implied Threat Actor/Tactic Group)
## Attribution & Identity
The provided text describes a specific phishing campaign named "PoisonSeed," but does not attribute it to a known, named threat actor group or provide specific attribution details beyond the campaign's methodology.
## Activity Summary
The PoisonSeed campaign focuses on credential harvesting, primarily targeting users of email marketing platforms like MailChimp. Initial compromise involves phishing emails designed to steal platform credentials. Once access is gained, attackers export mailing lists and generate new API keys to maintain persistence. These compromised accounts are then weaponized to send subsequent, highly specific cryptocurrency-themed phishing spam to the compiled mailing lists. The goal of this secondary phase is to trick victims into entering wallet seed phrases into attacker-controlled wallets, resulting in the theft of their cryptocurrency assets.
## Tactics, Techniques & Procedures
- **Phishing:** Use of emails containing deceptive content to steal credentials.
- **Credential Access:** Stealing credentials for email marketing services (e.g., MailChimp).
- **Persistence:** Generating new API keys on compromised accounts to ensure continued access.
- **Lateral Movement/Internal Campaigning:** Using compromised accounts to send spam to extracted mailing lists.
- **Deception/Social Engineering:** Presenting urgent crypto migration/upgrade scenarios (e.g., "Coinbase is transitioning to self-custodial wallets") that require the victim to input a seed phrase.
- **Theft of Assets:** Tricking users into transferring crypto into attacker-controlled wallets using attacker-supplied seed phrases.
*Note: MITRE ATT&CK IDs are not explicitly listed in the source text, but the activities align closely with the Phishing technique (T1566).*
## Targeting
- **Sectors:** Cryptocurrency users, likely those utilizing services like Coinbase, and users of email marketing platforms (MailChimp is the platform specifically mentioned).
- **Geography:** Not specified.
- **Victims:** MailChimp customers (in the initial entry vector) and cryptocurrency holders.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly mentioned; the primary vector is credential harvesting via phishing pages.
- **Infrastructure (C2, domains, IPs):**
- Fake login pages hosted on domains mimicking legitimate services.
- Example domains associated with MailChimp targeting: `mail-chimpservices[.]com`, `mailchimp-sso[.]com`, `mailchimp-ssologin[.]com`.
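Because the lookalike domains above imitate the brand name while differing from its registered domain, a mail-gateway or SOC triage script can flag such hosts automatically. The following is an added detection example written for this summary, not code from the report or from any vendor; it assumes that `mailchimp.com` and `coinbase.com` are the only legitimate registered domains for those brands and uses a simple two-label heuristic instead of a public-suffix list.

```python
import re

# Assumption: these are the only legitimate registered domains for each brand
# token (extend this allowlist for your own environment).
LEGIT_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
    "coinbase": {"coinbase.com"},
}

_URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn defanged indicators like example[.]com back into example.com."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Two-label heuristic (no public-suffix list); adequate for .com hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_lookalike_domains(text: str) -> list[tuple[str, str]]:
    """Return (registered_domain, brand) pairs for URL hosts that contain a
    brand token (hyphens ignored, so mail-chimp matches) but whose registered
    domain is not on that brand's allowlist."""
    hits = []
    for host in _URL_RE.findall(refang(text)):
        host = host.split("@")[-1].split(":")[0].lower()  # drop userinfo/port
        reg = registered_domain(host)
        squashed = host.replace("-", "")
        for brand, allowed in LEGIT_DOMAINS.items():
            if brand in squashed and reg not in allowed:
                hits.append((reg, brand))
    return hits


# Constructed sample message text (not a real campaign mail); the three
# lookalike domains are the ones reported for PoisonSeed above.
SAMPLE = """Action required: sign in at https://mailchimp-sso[.]com/login today.
Or verify here: http://mail-chimpservices[.]com/verify?id=42
Alternate portal: https://mailchimp-ssologin[.]com/
Legitimate links: https://us1.admin.mailchimp.com/ and https://www.coinbase.com/
"""

if __name__ == "__main__":
    for domain, brand in flag_lookalike_domains(SAMPLE):
        print(f"lookalike of {brand}: {domain}")
```

Hosts that merely nest the brand under another registered domain (for example `mailchimp.com.<other-domain>`) are flagged too, since the check runs on the full hostname while the allowlist is compared against the registered domain.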
## Implications
This campaign represents a sophisticated two-stage attack: first compromising a legitimate business service (email marketing) for access, and then leveraging that trusted channel to execute highly targeted financial fraud against end-users (cryptocurrency theft). Because the attacker already holds the seed phrases it supplies, any funds a victim moves into such a wallet can be drained immediately, indicating a focus on high-value, immediate financial gain.
## Mitigations
- Ignore urgent requests received via email; independently verify platform statuses by manually navigating to the legitimate sites.
- Cryptocurrency wallet users must **never** use a seed phrase provided by anyone else.
- Legitimate services will not send pre-generated seed phrases.
- Users should always generate their own unique seed phrases when setting up new wallets and never share them.