New Cyber Threat Emerges as PoisonSeed Targets CRM Accounts

A malicious campaign named PoisonSeed is abusing compromised credentials for customer relationship management (CRM) tools and bulk email providers to send spam containing cryptocurrency seed phrases. The activity is part of a broader cybercrime effort that endangers not only organizations involved in cryptocurrency but also enterprises in other sectors whose accounts and mailing lists can be turned against their own customers.

According to analysis by Silent Push, recipients are subjected to a cryptocurrency seed phrase poisoning attack: the attackers supply seed phrases they generated themselves, and therefore already control, and mislead victims into creating new cryptocurrency wallets from them, which puts any digital assets moved into those wallets at risk. The campaign has targeted companies such as Coinbase and Ledger, as well as popular bulk email platforms including Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho.

The PoisonSeed activity is assessed to be separate from two other known adversaries, Scattered Spider and CryptoChameleon, although these actors are all part of a larger cybercriminal ecosystem dubbed The Com. Previously, some facets of the PoisonSeed campaign were noted in disclosures by security researcher Troy Hunt and reported by Bleeping Computer.

Attackers set up lookalike phishing pages for well-known CRM and email platforms to deceive high-value targets into revealing their login credentials. Once they have a session, the attackers create API keys so that their access persists even after the account owner resets the password: a reset invalidates the stolen password, but not a key the attacker issued while logged in, so incident response has to revoke keys and sessions as well. The chain described here abuses legitimate platform features with stolen credentials rather than any flaw in the platforms themselves, which is what makes it a notable shift in tactics against trusted services.

Subsequently, the attackers use automated tools to export mailing lists from the compromised accounts and send spam to those lists urging recipients to set up new wallets on platforms like Coinbase using the seed phrase embedded in the email. Because the attackers generated that recovery phrase, they hold the keys to the resulting wallet and can transfer out any funds the victim deposits into it.
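The two steps above (an attacker-issued API key that survives a password reset, then a bulk export and send through that key) leave a recognisable trail in a CRM or bulk-mail provider's audit log. The script below is an added example of triaging such a trail; it is not code from Silent Push or from any of the platforms named, and the event schema, field names, IP addresses and trusted network range are all constructed for illustration. It flags API keys created from an untrusted address or shortly after an untrusted login, and reports any export or campaign send made with such a key, noting when that use happened after the owner had already reset the password.

```python
"""Triage a CRM / bulk-mail audit trail for the PoisonSeed-style pattern:
phished login -> attacker-created API key -> export and send via that key,
continuing after the victim's password reset.

Added example with a hypothetical event schema; not any vendor's log format.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail. 203.0.113.7 plays the attacker; 198.51.100.0/24
# is the tenant's own office range. Field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2025-03-30T08:02:11Z", "actor": "alice@example.com", "event": "login",
     "auth": "password", "ip": "203.0.113.7"},
    {"ts": "2025-03-30T08:04:40Z", "actor": "alice@example.com", "event": "api_key.create",
     "auth": "session", "ip": "203.0.113.7", "key_id": "key_7f3a"},
    {"ts": "2025-03-30T09:15:00Z", "actor": "alice@example.com", "event": "password.reset",
     "auth": "session", "ip": "198.51.100.20"},
    {"ts": "2025-03-30T09:30:12Z", "actor": "alice@example.com", "event": "audience.export",
     "auth": "api_key", "ip": "203.0.113.7", "key_id": "key_7f3a"},
    {"ts": "2025-03-30T09:41:05Z", "actor": "alice@example.com", "event": "campaign.send",
     "auth": "api_key", "ip": "203.0.113.7", "key_id": "key_7f3a", "recipients": 48213},
    # Benign baseline: a key created in the office a day earlier and used normally.
    {"ts": "2025-03-29T10:00:00Z", "actor": "bob@example.com", "event": "api_key.create",
     "auth": "session", "ip": "198.51.100.20", "key_id": "key_1c02"},
    {"ts": "2025-03-30T11:00:00Z", "actor": "bob@example.com", "event": "campaign.send",
     "auth": "api_key", "ip": "198.51.100.20", "key_id": "key_1c02", "recipients": 120},
]

# Assumed trusted source networks for this tenant (constructed).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(events, trusted_nets=TRUSTED_NETS, window=timedelta(hours=2)):
    """Return {'revoke': [key ids to revoke], 'findings': [human-readable notes]}.

    A key is suspicious if it was created from an untrusted address, or within
    `window` of an untrusted login by the same actor. Any export or send made
    with a suspicious key is reported; if it happened after that actor's
    password reset, the note says so, because the reset did not evict the attacker.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    last_untrusted_login = {}   # actor -> time of most recent untrusted login
    reset_at = {}               # actor -> time of most recent password reset
    suspicious = {}             # key_id -> reason it was flagged
    findings = []

    for e in events:
        actor, ev, ts = e["actor"], e["event"], parse_ts(e["ts"])
        untrusted = not is_trusted(e["ip"], trusted_nets)

        if ev == "login" and untrusted:
            last_untrusted_login[actor] = ts
        elif ev == "api_key.create":
            recent = last_untrusted_login.get(actor)
            if untrusted or (recent is not None and ts - recent <= window):
                reason = f"created from {e['ip']} at {e['ts']}"
                suspicious[e["key_id"]] = reason
                findings.append(f"{actor}: suspicious API key {e['key_id']} {reason}")
        elif ev == "password.reset":
            reset_at[actor] = ts
        elif e.get("auth") == "api_key" and e.get("key_id") in suspicious:
            note = f"{actor}: {ev} via suspicious key {e['key_id']} at {e['ts']}"
            if actor in reset_at and ts > reset_at[actor]:
                note += (f" (after password reset at {reset_at[actor].isoformat()}:"
                         " the reset did not evict the attacker)")
            findings.append(note)

    return {"revoke": sorted(suspicious), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("Revoke keys:", ", ".join(result["revoke"]))
    for line in result["findings"]:
        print(" -", line)
```

The point the output makes is the one the article makes: after a credential compromise of a CRM or bulk-mail account, resetting the password is necessary but not sufficient; API keys and active sessions the intruder created have to be found and revoked too, and the exported audience should be warned.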

An analysis of the phishing kit used in the PoisonSeed campaign revealed no direct overlap with those used by Scattered Spider or CryptoChameleon, pointing to a potentially new actor that has adopted similar methods. The overlap in tradecraft without shared tooling shows how quickly such techniques spread between groups in this ecosystem.

This development comes amid reports of Russian-speaking threat actors using phishing pages hosted on Cloudflare services to distribute malware capable of remotely commandeering Windows machines; an earlier phase of that campaign also distributed the StealC information stealer. Both campaigns rely on phishing against trusted platforms rather than on software flaws, so individuals and organizations alike need to remain vigilant against such tactics.