A new threat campaign tracked as PoisonSeed is abusing compromised credentials for customer relationship management (CRM) platforms and bulk email services to send spam that contains cryptocurrency seed phrases, with the goal of draining the digital wallets of anyone who uses them.

According to an analysis by Silent Push, the bulk emails are the delivery vehicle for a cryptocurrency seed phrase poisoning attack: recipients are persuaded to copy and paste attacker-supplied seed phrases into newly created cryptocurrency wallets. Because the attacker already holds those phrases, any funds later deposited into such a wallet can be taken at will.

The campaign targets both enterprise organizations and individuals outside the cryptocurrency industry. Brands abused in the operation include crypto firms such as Coinbase and Ledger, as well as bulk email providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.

The activity is assessed to be distinct from Scattered Spider and CryptoChameleon, two groups that belong to the broader cybercrime collective known as The Com, although it overlaps with them in some respects. Aspects of the campaign were previously flagged by security researcher Troy Hunt and reported by Bleeping Computer last month.

The attackers first set up phishing sites that mimic well-known CRM and bulk email providers in order to harvest credentials from high-value targets. With a valid login in hand, they generate API keys for the account; those keys remain valid even after the legitimate owner resets the password, giving the attackers persistent access. Anyone responding to such a compromise should therefore revoke and reissue the account's API keys in addition to rotating the password.

Once a CRM account is compromised, the attackers use automated tooling to export its mailing lists and then send spam from the account itself, so the messages carry the reputation of a sender the recipients already know. The spam typically instructs recipients to set up a new Coinbase wallet and to do so by importing a specific seed phrase included in the email.
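What such a lure looks like to a mail-security filter, as an added example that is not part of the Silent Push report or of the campaign's tooling: the script below triages two constructed sample messages for runs of twelve or more lowercase words of BIP-39 shape (three to eight letters) that appear alongside wallet or recovery-phrase language. The sample messages, the keyword list and the length heuristic are assumptions made for the example; a production filter would check each word against the 2048-word BIP-39 list and verify the phrase checksum rather than rely on word shape alone.

```python
import re

# Constructed sample messages for the example (not real campaign emails).
LURE = """Subject: Action required: migrate to your new Coinbase wallet

We have created a new self-custodial wallet for you. Open the Coinbase Wallet app,
choose "Import existing wallet" and enter the following recovery phrase:

abandon ability able about above absent absorb abstract absurd abuse access accident

Funds sent to your old address will be forwarded automatically."""

BENIGN = """Subject: Your April product update

Hi team, this month we shipped single sign-on for the dashboard and a redesigned
billing page. Read the full release notes on our blog, and reply to this email if
you have questions. Thanks for being a customer."""

# BIP-39 English words are 3 to 8 lowercase ASCII letters; real phrases are
# 12, 15, 18, 21 or 24 words long. Shape-only heuristic (assumption): the
# wordlist and checksum are not consulted here.
BIP39_SHAPE = re.compile(r"[a-z]{3,8}")
MIN_WORDS, MAX_WORDS = 12, 30
# Tokens: a list number such as "1.", a word, or punctuation that ends a run.
TOKEN = re.compile(r"\d+\.|[A-Za-z]+|[.,:;!?]")
# Wallet / recovery-phrase context words (assumed list).
CONTEXT = re.compile(r"\b(seed|recovery|secret)\s+phrase\b|\bwallet\b|\bmnemonic\b", re.I)


def find_phrase_runs(text):
    """Return maximal runs of consecutive BIP-39-shaped words of plausible phrase length."""
    runs, run = [], []

    def flush():
        if MIN_WORDS <= len(run) <= MAX_WORDS:
            runs.append(list(run))
        run.clear()

    for tok in TOKEN.findall(text):
        if BIP39_SHAPE.fullmatch(tok):
            run.append(tok)
        elif tok[0].isdigit():
            continue  # "1." style numbering inside a list does not break a run
        else:
            flush()  # capitalised word or sentence punctuation ends the run
    flush()
    return runs


def triage(text):
    """Classify a message: a seed-phrase lure needs a phrase-shaped run plus wallet context."""
    runs = find_phrase_runs(text)
    has_context = CONTEXT.search(text) is not None
    verdict = "seed_phrase_lure" if runs and has_context else "clean"
    return {"verdict": verdict, "candidates": runs, "context": has_context}


if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        result = triage(msg)
        print(name, result["verdict"], [len(r) for r in result["candidates"]])
```

Capitalised words and sentence punctuation end a run, so ordinary prose rarely reaches twelve qualifying words in a row, while a pasted phrase on its own line does; numbered lists ("1. abandon 2. ability ...") are handled by ignoring the list markers. Requiring wallet context as well keeps a long lowercase sentence from tripping the rule on its own.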

Any wallet created from an attacker-supplied recovery phrase is a wallet the attacker can also open: the phrase deterministically yields the private keys, so the attackers need only wait for funds to arrive and then transfer them out. The overlap with Scattered Spider and CryptoChameleon rests on the domain "mailchimp-sso[.]com," which was previously tied to Scattered Spider, and on CryptoChameleon's history of targeting brands such as Coinbase and Ledger.
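Why an attacker-supplied phrase amounts to a full compromise, as an added example that is not from the article or from any wallet vendor: the code below derives the BIP-39 seed and the BIP-32 master private key from a mnemonic using only the Python standard library, and shows that the attacker and the victim, starting from the same phrase, arrive at the same key. The mnemonic is the well-known all-"abandon" test phrase and the "TREZOR" passphrase seed is the published reference test vector; the whitespace handling is an assumption that holds for the English wordlist, and wordlist membership and checksum validation of the phrase are deliberately omitted.

```python
import hashlib
import hmac
import unicodedata

# First vector of the reference BIP-39 test set (128 bits of zero entropy).
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
# Expected seed for TEST_MNEMONIC with passphrase "TREZOR" (reference test vector).
TEST_VECTOR_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39: seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase)),
    2048 rounds, 64-byte output.

    Whitespace is collapsed to single spaces (assumption: fine for the English wordlist).
    Wordlist membership and the checksum are not validated here.
    """
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"), salt.encode("utf-8"),
                               2048, dklen=64)


def master_key(seed):
    """BIP-32: I = HMAC-SHA512(key="Bitcoin seed", msg=seed).
    Left 32 bytes are the master private key, right 32 bytes the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def attacker_can_open_wallet(phrase_from_email, passphrase=""):
    """Simulate both sides: the attacker kept the phrase they mailed out; the victim imports it.

    Returns True when both derive the identical master private key, i.e. the attacker
    controls every address the victim's wallet will ever generate.
    """
    attacker_key, _ = master_key(mnemonic_to_seed(phrase_from_email, passphrase))
    # The victim may paste the phrase with stray whitespace or line breaks; wallets normalise that.
    pasted = "  " + phrase_from_email.replace(" ", "\n") + "\n"
    victim_key, _ = master_key(mnemonic_to_seed(pasted, passphrase))
    return attacker_key == victim_key


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("reference vector ok:", seed.hex() == TEST_VECTOR_SEED_HEX)
    print("attacker controls victim wallet:", attacker_can_open_wallet(TEST_MNEMONIC))
    print("master private key:", master_key(mnemonic_to_seed(TEST_MNEMONIC))[0].hex())
```

Nothing in the derivation is secret except the phrase itself, which is exactly what the lure hands over. A BIP-39 passphrase (the optional "25th word") would change the seed, as the last assertion below confirms, but the only sound defence is to use a phrase generated locally by the wallet and never one received from anyone else.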

That said, the phishing kit used by PoisonSeed does not share obvious similarities with those used by either group, which leaves open the possibility that it is a new toolkit developed by CryptoChameleon or the work of a different actor that has adopted similar techniques.

The disclosure coincides with a separate campaign in which a Russian-speaking threat actor has been observed hosting phishing pages on Cloudflare services to distribute malware capable of remotely controlling infected Windows devices. An earlier wave of the same campaign was linked to the distribution of StealC, an information-stealing malware.

The latest wave, documented by Hunt.io, uses Cloudflare-branded phishing pages styled as DMCA takedown notices and spread across multiple domains. The lures abuse the ms-search protocol handler to deliver a malicious LNK file disguised as a PDF. Once executed, the malware reports the victim's IP address to an attacker-controlled Telegram bot before handing off to a more fully featured command-and-control framework.
