PoisonSeed Campaign Abuses CRM Tools and Bulk Email Providers to Launch Cryptocurrency Wallet Attacks
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Cybersecurity researchers have uncovered a malicious campaign, dubbed PoisonSeed, that leverages compromised CRM tools and email service credentials to distribute spam containing fraudulent cryptocurrency seed phrases. The campaign aims to trick recipients into creating wallets using pre-seeded recovery phrases, which are later hijacked by the attackers to drain funds.
Overview: How PoisonSeed Works
According to researchers at Silent Push, the PoisonSeed campaign targets both individuals and enterprise organizations, including entities outside the cryptocurrency industry. The attackers gain access to bulk email platforms and customer relationship management (CRM) systems and use them to send spam messages at scale.
These spam messages embed seed phrases, luring users into creating a new cryptocurrency wallet, under the guise of resetting or securing their account. The catch? That wallet is fully accessible to the attacker, since they control the seed phrase.
“PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising,” Silent Push noted.
Compromised Services and Targets
PoisonSeed’s operation targets several legitimate services, including:
CRM platforms: HubSpot, Zoho
Bulk email providers: Mailchimp, SendGrid, Mailgun
Cryptocurrency firms: Coinbase, Ledger
The attackers set up phishing pages mimicking these services, tricking employees or users into handing over credentials. Once access is gained, they:
Generate an API key for long-term persistence (surviving password resets)
Export mailing lists via automation
Send spam from the compromised accounts to trusted contacts and clients
These emails instruct recipients to create new Coinbase or Ledger wallets using the seed phrases included—phrases that the attacker already knows and intends to use to steal the funds once they are deposited.
Social Engineering and Tradecraft
The PoisonSeed campaign bears similarities to known threat actors such as Scattered Spider and CryptoChameleon, both of which are affiliated with a larger cybercrime network known as The Com.
Shared Indicators:
Use of phishing domains like mailchimp-sso[.]com, previously linked to Scattered Spider
Consistent targeting of Coinbase and Ledger, as seen in CryptoChameleon activity
However, PoisonSeed uses a distinct phishing kit, suggesting that it could either be:
A new version of CryptoChameleon’s toolkit, or
A separate threat actor copying techniques from others within the same ecosystem
Expanding Threat: Infrastructure and Malware Deployment
In parallel with the PoisonSeed campaign, security researchers have observed other social engineering campaigns deploying malware via phishing pages hosted on Cloudflare Pages.Dev and Workers.Dev.
These campaigns, attributed to a Russian-speaking threat actor, use legitimate branding and protocols to bypass security systems.
Attack Technique:
Phishing lure pretends to be a DMCA takedown notice from Cloudflare
Uses the Windows search-ms protocol handler to deliver a malicious .lnk file disguised as a .pdf
Once executed:
Malware contacts a Telegram bot with the victim’s IP address
Transitions to Pyramid C2 infrastructure for remote control
In some cases, deploys StealC, a powerful information-stealing malware
These developments demonstrate that email platforms and cloud hosting services are being increasingly exploited to deliver both credential harvesting schemes and remote access malware.
Why This Matters
The PoisonSeed campaign represents a shift in strategy among cybercriminals—compromising upstream service providers like CRM platforms and bulk email vendors to deliver attacks at scale.
By abusing trust in legitimate platforms, these actors:
Increase their chances of bypassing spam filters
Improve the authenticity of their phishing lures
Amplify their reach across business networks
Moreover, by embedding pre-seeded wallet phrases in the messages, attackers bypass traditional credential theft entirely, focusing instead on wallet takeover via social engineering.
How to Protect Against These Attacks
Organizations and individuals can defend against PoisonSeed-style campaigns by implementing a few key best practices:
For Individuals:
Never use seed phrases from an external or unknown source
Use official wallet applications and create seed phrases locally
Beware of emails prompting urgent wallet resets or account changes
For Organizations:
Implement multi-factor authentication on CRM and bulk email platforms
Regularly audit API keys and user access
Educate staff about phishing threats and social engineering
Use email security solutions that detect spoofed domains and malicious links
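The takeover sequence described above (phished login from an unfamiliar address, API key minted for persistence, mailing-list export, bulk send, key still alive after a password reset) is exactly what an API-key and access audit should surface. The script below is an added example, not code from Silent Push or from this article; the event records, field names, user and IP addresses are constructed for illustration and do not follow any specific vendor's audit-log format.

```python
"""Correlate CRM / bulk-mailer audit events to flag PoisonSeed-style persistence."""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not a real vendor export):
# a user whose credentials are reused from a first-seen IP, immediately
# followed by API-key creation, a list export and a bulk send; the later
# password reset does not revoke the key, which keeps being used.
EVENTS = [
    {"ts": "2025-04-01T09:00:00", "user": "alice", "action": "login", "ip": "203.0.113.10"},
    {"ts": "2025-04-02T09:05:00", "user": "alice", "action": "login", "ip": "203.0.113.10"},
    {"ts": "2025-04-03T02:14:00", "user": "alice", "action": "login", "ip": "198.51.100.77"},
    {"ts": "2025-04-03T02:20:00", "user": "alice", "action": "api_key_create", "ip": "198.51.100.77", "key_id": "k-1"},
    {"ts": "2025-04-03T02:31:00", "user": "alice", "action": "list_export", "ip": "198.51.100.77", "rows": 48000},
    {"ts": "2025-04-03T03:10:00", "user": "alice", "action": "bulk_send", "ip": "198.51.100.77", "recipients": 47500},
    {"ts": "2025-04-03T10:00:00", "user": "alice", "action": "password_reset", "ip": "203.0.113.10"},
    {"ts": "2025-04-04T01:00:00", "user": "alice", "action": "api_call", "ip": "198.51.100.77", "key_id": "k-1"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def audit(events, window=timedelta(hours=6)):
    """Return human-readable findings: API keys created shortly after a login
    from a never-before-seen IP, list exports / bulk sends in that same window,
    and API keys still used after the account's password was reset."""
    findings = []
    known_ips = {}   # user -> IPs seen before the current event
    suspicious = {}  # user -> (time, ip) of the most recent first-seen-IP login
    reset_at = {}    # user -> time of the last password reset
    for e in sorted(events, key=lambda x: x["ts"]):
        u, t, ip, a = e["user"], parse(e["ts"]), e["ip"], e["action"]
        seen = known_ips.setdefault(u, set())
        # The very first login seeds the baseline; only later new IPs are flagged.
        if a == "login" and seen and ip not in seen:
            suspicious[u] = (t, ip)
        seen.add(ip)
        if a == "password_reset":
            reset_at[u] = t
        in_window = u in suspicious and t - suspicious[u][0] <= window
        if a == "api_key_create" and in_window:
            findings.append(f"{u}: API key {e['key_id']} created {t - suspicious[u][0]} after first login from {ip}")
        if a in ("list_export", "bulk_send") and in_window:
            findings.append(f"{u}: {a} from new IP {ip} within {window} of first-seen login")
        if a == "api_call" and u in reset_at and t > reset_at[u]:
            findings.append(f"{u}: API key {e['key_id']} still used after password reset; revoke it")
    return findings


if __name__ == "__main__":
    for line in audit(EVENTS):
        print(line)
```

The last finding is the one the article's "surviving password resets" point is about: rotating the password alone leaves the attacker's key valid, so the audit has to enumerate and revoke keys, not just force a reset.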
Final Thoughts
PoisonSeed reflects an increasingly sophisticated threat landscape, where attackers combine supply chain compromise, phishing, and cryptocurrency fraud to achieve their goals. As attackers target trust-based systems like email platforms and CRMs, maintaining security awareness and platform-level protections becomes more critical than ever.