A new phishing campaign, tracked as PoisonSeed, is abusing compromised accounts at CRM platforms and bulk email services, and cryptocurrency users are its primary target.
Instead of the usual malicious links, the attackers take a subtler approach: they mail victims a recovery seed phrase that the attackers themselves generated. A seed phrase is the master secret from which every private key in a wallet is derived, so anyone who knows it has full control of that wallet. A victim who imports the attacker's phrase into a wallet app and moves funds into the resulting wallet is depositing straight into a wallet the attacker already controls, and the funds can be drained immediately.
The campaign has been active for over a month, according to cybersecurity firm Silent Push. It abuses accounts at services such as Mailchimp, HubSpot, Mailgun, SendGrid, and Zoho to send phishing emails that appear to come from trusted crypto companies such as Coinbase and Ledger.
Fake Coinbase Alerts: The Hook
Most victims received emails claiming that Coinbase was transitioning users to self-custodial wallets. The emails urged them to set up a new wallet with a seed phrase supplied in the message and to transfer their funds into it; doing so handed control of those funds straight to the attackers.
These emails slipped past traditional filters because they carried none of the usual indicators: no link to a phishing page and no attachment. The lure was plain text, a harmless-looking recovery phrase and an instruction to use it to set up a new wallet.
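To make the mechanism concrete, the following Python script (an added example, not code from the original article or from Silent Push) walks through the two deterministic steps a wallet app performs on a recovery phrase: BIP39 turns the mnemonic into a seed with PBKDF2-HMAC-SHA512, and BIP32 turns that seed into the master private key and chain code from which every address descends. The mnemonic is the well-known reference phrase from the BIP39 test vectors, standing in for a phrase an attacker would generate; the "pasted" variant with line breaks and doubled spaces is constructed here to show that the formatting an email body introduces does not change the result. It also shows the one thing that would break the attack, a BIP39 passphrase the attacker does not know, which a victim following the phishing instructions would never set.

```python
"""Why a mailed recovery phrase hands the wallet to its sender.

A wallet app turns a mnemonic into keys in two deterministic steps:
  BIP39: seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds)
  BIP32: (master private key, chain code) = HMAC-SHA512(key="Bitcoin seed", data=seed)
Whoever knows the mnemonic can repeat both steps and reach the same keys,
so a phrase supplied by an attacker is a wallet the attacker already owns.
"""
import hashlib
import hmac
import unicodedata

# Reference mnemonic from the BIP39 test vectors, used here as a stand-in
# for the phrase an attacker generates and mails to victims.
ATTACKER_MNEMONIC = (
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about"
)

# Constructed example: the same phrase as a victim might paste it from an
# email body, with line breaks and doubled spaces.
VICTIM_PASTED = (
    "abandon abandon abandon abandon\n"
    "abandon  abandon abandon abandon\n"
    "abandon abandon abandon about"
)


def normalize_mnemonic(mnemonic: str) -> str:
    """Apply the NFKD normalization BIP39 requires and collapse runs of
    whitespace to single spaces, so formatting noise does not alter the seed."""
    return " ".join(unicodedata.normalize("NFKD", mnemonic).split())


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: 2048 rounds of PBKDF2-HMAC-SHA512, 64-byte output.
    The optional passphrase is the so-called 25th word; it changes the seed."""
    password = normalize_mnemonic(mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes):
    """BIP32 master node: the left 32 bytes of HMAC-SHA512("Bitcoin seed", seed)
    are the master private key, the right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def same_wallet(phrase_a: str, phrase_b: str, passphrase: str = "") -> bool:
    """True when both phrases lead to the same BIP32 master node,
    i.e. the same wallet and the same set of addresses."""
    return (
        bip32_master_key(bip39_seed(phrase_a, passphrase))
        == bip32_master_key(bip39_seed(phrase_b, passphrase))
    )


if __name__ == "__main__":
    seed = bip39_seed(ATTACKER_MNEMONIC)
    key, chain = bip32_master_key(seed)
    print("seed:              ", seed.hex())
    print("master private key:", key.hex())
    print("chain code:        ", chain.hex())
    # The victim's pasted copy yields exactly the wallet the attacker generated.
    print("victim's wallet == attacker's wallet:",
          same_wallet(ATTACKER_MNEMONIC, VICTIM_PASTED))
    # Only a passphrase the attacker does not know changes the outcome.
    print("passphrase changes the seed:",
          bip39_seed(ATTACKER_MNEMONIC) != bip39_seed(ATTACKER_MNEMONIC, "victim-only"))
```

The script uses only the standard library, so it runs offline; `same_wallet` returns True for the attacker's original and the victim's pasted copy, which is the whole point of the lure. Note that it never generates a mnemonic or derives child addresses; it stops at the master node because everything below it is a function of that node alone.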
Coinbase responded to the threat in mid-March, issuing a warning to its users: never use a recovery phrase sent to you by someone else. According to Silent Push, the damage has already reached an estimated $46 million in stolen crypto.
Compromised SendGrid Accounts Used as Launchpads
Silent Push revealed that the phishing emails were sent from a compromised SendGrid account belonging to Akamai. The same account was also used to send phishing emails to other SendGrid customers, most likely to harvest more sending-platform credentials for further large-scale campaigns.
The investigation uncovered 49 unique domains tied to the PoisonSeed operation. These domains targeted Ledger wallet users as well, expanding the scope of the campaign beyond just Coinbase.
A Web of Connections: From Mailchimp to Scattered Spider
Cybersecurity experts also found connections to earlier phishing attacks. One notable incident involved Troy Hunt, creator of Have I Been Pwned?, who fell for a Mailchimp phishing email in late March. That attack used a look-alike Mailchimp domain: mailchimp-sso[.]com.
This domain has been flagged for malicious activity dating back to 2022, and it has been linked to a threat actor tracked under several names: Scattered Spider, UNC3944, Starfraud, and Muddled Libra.
Silent Push nonetheless assesses that PoisonSeed is most likely a separate threat. It shares infrastructure with those older phishing campaigns, but its methods and targets differ: Scattered Spider typically goes after different brands, and although phishing kits from CryptoChameleon may be in use, the overall behavior does not match either group's established patterns.
What This Means for Crypto and Email Security
The PoisonSeed campaign is a serious reminder of how cybercriminals continue to adapt. Mail sent through a compromised account at a trusted platform such as SendGrid or Mailchimp leaves that platform's own infrastructure, so it carries the platform's sending reputation and passes the sender-authentication checks that would catch a spoofed address. Such messages reach inboxes with little resistance.
The shift from suspicious links to planted seed phrases shows how threat actors tailor their lures to the signals detection tools look for: with no URL and no attachment to scan, the malicious content is the text itself.
If you use Coinbase, Ledger, or any other wallet service, treat your seed phrase as the wallet itself. Never import a recovery phrase that someone else supplies, whether by email, chat, or a support call, and never move funds into a wallet created from one, especially if the request appears to come from a legitimate service. A phrase that has been sent to you is already known to someone else, and a genuine provider will never send you one.