A large-scale phishing campaign, dubbed PoisonSeed, has been compromising corporate email marketing accounts to distribute emails that contain crypto wallet seed phrases used to drain cryptocurrency funds.
According to cybersecurity researchers at SilentPush, the campaign targets popular cryptocurrency platforms like Coinbase and Ledger, using compromised accounts at major email marketing services such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The attackers exploit the legitimate platforms to send phishing emails to unsuspecting users, urging them to take actions that ultimately result in the theft of their digital assets.
The PoisonSeed campaign is linked to earlier incidents, including the recent compromise of security expert Troy Hunt's Mailchimp account and the hack of an Akamai SendGrid account. Researchers note that, while PoisonSeed shares similarities with operations by threat groups like CryptoChameleon and Scattered Spider, it is classified as a separate campaign due to unique code and attack strategies.
The attack begins with the identification of high-value targets with access to customer relationship management (CRM) platforms or bulk email accounts. The victims are then targeted with phishing emails that appear to come from legitimate sources. The attackers use spoofed email addresses and carefully crafted fake login pages, hosted on domains like mail-chimpservices[.]com and mailchimp-ssologin[.]com, to steal login credentials.
Once the attackers gain access to a target account, they export its mailing lists and generate new API keys so that they retain access even if the victim later changes their password. They then use the compromised account to send crypto-themed phishing spam to those lists. The emails often carry misleading alerts such as “Coinbase is transitioning to self-custodial wallets,” prompting recipients to enter the seed phrase supplied in the email into a new crypto wallet as part of an alleged upgrade.
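The persistence step described above (a freshly created API key that outlives a password reset) can be audited from account event logs. The following Python is an added example, not code from the original report or from any of the named platforms; the event format and sample events are constructed for illustration and do not match any vendor's real audit-log schema.

```python
"""Flag the PoisonSeed post-compromise pattern in email-marketing account
events: a login followed shortly by a mailing-list export and creation of a
new API key, where that key is never revoked (so it survives a password
change). Event schema is constructed for this example only."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, event, detail)
EVENTS = [
    ("2025-03-30T08:00:00", "marketing@example.com", "login", "10.0.0.5"),
    ("2025-03-30T08:02:00", "marketing@example.com", "list_export", "all_subscribers"),
    ("2025-03-30T08:03:00", "marketing@example.com", "api_key_created", "key_7f3a"),
    ("2025-03-30T09:30:00", "marketing@example.com", "password_changed", ""),
    # Benign: key created hours after login, no list export.
    ("2025-03-31T01:00:00", "ops@example.com", "login", "10.0.0.9"),
    ("2025-03-31T14:00:00", "ops@example.com", "api_key_created", "key_11c2"),
    # Suspicious sequence, but the key was revoked during response.
    ("2025-03-31T10:00:00", "news@example.com", "login", "10.0.0.7"),
    ("2025-03-31T10:05:00", "news@example.com", "list_export", "all_subscribers"),
    ("2025-03-31T10:06:00", "news@example.com", "api_key_created", "key_9e01"),
    ("2025-03-31T10:40:00", "news@example.com", "api_key_revoked", "key_9e01"),
]


def parse(events):
    """Convert ISO timestamps to datetime objects, keeping the other fields."""
    return [(datetime.fromisoformat(ts), acct, ev, det) for ts, acct, ev, det in events]


def find_persistence(events, window=timedelta(minutes=30)):
    """Return {account: [api_key, ...]} for keys created within `window` of a
    login and of a list export, and never revoked afterwards."""
    by_acct = {}
    for ts, acct, ev, det in sorted(parse(events)):
        by_acct.setdefault(acct, []).append((ts, ev, det))
    findings = {}
    for acct, evs in by_acct.items():
        logins = [ts for ts, ev, _ in evs if ev == "login"]
        exports = [ts for ts, ev, _ in evs if ev == "list_export"]
        revoked = {det for _, ev, det in evs if ev == "api_key_revoked"}
        for ts, ev, key in evs:
            if ev != "api_key_created":
                continue
            near_login = any(timedelta(0) <= ts - l <= window for l in logins)
            near_export = any(abs(ts - e) <= window for e in exports)
            if near_login and near_export and key not in revoked:
                findings.setdefault(acct, []).append(key)
    return findings


if __name__ == "__main__":
    print(find_persistence(EVENTS))  # {'marketing@example.com': ['key_7f3a']}
```

A password reset alone does not clear this finding; only revoking the flagged key does, which is the check a responder would want after the kind of compromise described here.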
Victims who follow the instructions unknowingly hand over access to their funds, as the seed phrase they enter is not from Coinbase, but from a wallet controlled by the attackers. The attackers can then drain the wallet of all assets, transferring the stolen cryptocurrency to their own accounts.