PoisonSeed campaign targets crypto users via bulk spam


Cybersecurity researchers have linked recent incidents to an ongoing crypto and bulk email provider phishing campaign. The campaign includes poisoning crypto seed phrases in an attempt to steal funds.


The cybersecurity platform Silent Push found that the PoisonSeed campaign targets both organizations and individuals. Threat actors are trying to obtain email lists from CRMs and bulk email providers and send bulk spam to potential victims.

The emails are designed to trick people into believing that they need to create a new crypto wallet, for which a new seed phrase is provided. A seed phrase is usually a combination of 12 to 24 words that gives access to a wallet. No legitimate crypto company ever sends seed phrases or asks for them. The rule of thumb is that a seed phrase should be kept offline and used only when a user needs to recover their wallet.

In either case, once PoisonSeed tricks victims into believing they need to create a new wallet and transfer their funds, the crypto assets can be stolen immediately using the same seed phrase that was provided in the email.

For example, the criminals sent emails claiming that the major crypto exchange Coinbase is transitioning to self-custodial wallets, meaning that their users would be responsible for securing their funds.
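Because no legitimate company sends a seed phrase by email, a mail filter can flag any inbound message that contains one. The sketch below is an added example, not code from Silent Push or from this article; the function name, the sample messages and the word-shape rule (3 to 8 lowercase letters, as in the BIP-39 English wordlist) are assumptions.

```python
import re

NUMBERING = re.compile(r"^\d{1,2}[.):]?$")   # list markers such as "1." "2)" "12:"
CANDIDATE = re.compile(r"^[a-z]{3,8}$")      # assumed word shape (BIP-39: 3-8 letters)
MIN_WORDS = 12                               # the article: phrases run 12 to 24 words

def find_seed_phrases(body, wordlist=None):
    """Return runs of words in an e-mail body that look like a seed phrase.

    wordlist: optional set of allowed words supplied by the caller (for
    example the BIP-39 English list); without it only word shape is checked.
    """
    hits, run = [], []

    def flush():
        # A run counts only if it is at least as long as a seed phrase.
        if len(run) >= MIN_WORDS:
            hits.append(list(run))
        run.clear()

    for token in body.split():
        if NUMBERING.match(token):
            continue                         # numbering does not break a run
        word = token.strip(",;")
        if CANDIDATE.match(word) and (wordlist is None or word in wordlist):
            run.append(word)
        else:
            flush()                          # prose, punctuation or capitals end it
    flush()
    return hits

# Constructed sample messages; the 12 words are placeholders, not a real mnemonic.
SAMPLE_PHISH = """Coinbase is transitioning to self-custodial wallets.
Your new recovery phrase:
1. orbit 2. velvet 3. cactus 4. ribbon 5. anchor 6. maple
7. tunnel 8. jaguar 9. pepper 10. violin 11. harbor 12. lantern
Move your funds today."""
SAMPLE_BENIGN = "Your monthly statement is ready. Sign in to view your balance."

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, "->", "QUARANTINE" if find_seed_phrases(msg) else "deliver")
```

Without a wordlist this is a shape heuristic and can match long unpunctuated lowercase text, so treat a hit as a reason to quarantine for review rather than as proof.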

Coinbase spam scam

According to Silent Push, two previous incidents discovered by other cybersecurity researchers in March, involving Mailchimp and Coinbase phishing, were part of the same PoisonSeed campaign.

“When credentials are successfully phished for an email provider, PoisonSeed appears to automate the process of bulk downloading the email lists,” Silent Push added.

However, according to the researchers, this campaign is not related to similar campaigns such as Scattered Spider, which has been targeting crypto companies since 2023, or CryptoChameleon, which targeted Coinbase and hardware wallet manufacturer Ledger.

The researchers noted that Scattered Spider continues to conduct attacks in ways similar to its legacy attacks, and none of the 2025 brands targeted by Scattered Spider align with PoisonSeed’s efforts. Meanwhile, CryptoChameleon attacks are performed quickly, contrary to PoisonSeed, which requires a delay until a victim creates a new wallet and transfers funds.
