
PoisonSeed Hijacks CRM Accounts to Distribute Malicious Cryptocurrency Seed Phrases


A malicious campaign known as PoisonSeed is exploiting compromised credentials from customer relationship management (CRM) platforms and bulk email providers to distribute spam messages containing cryptocurrency seed phrases. The goal is to deceive recipients into revealing sensitive information and ultimately drain their digital wallets.

“Recipients of the bulk spam are being targeted with a cryptocurrency seed phrase poisoning attack,” explained Silent Push in its analysis. “PoisonSeed sends out fake security seed phrases, hoping victims will copy and paste them into newly created cryptocurrency wallets, which attackers can later access and compromise.”

The campaign targets both enterprises and individuals outside the cryptocurrency space. Notable victims include crypto companies such as Coinbase and Ledger, as well as bulk email providers like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.

PoisonSeed’s activity is considered separate from other known threat groups like Scattered Spider and CryptoChameleon, both of which operate under the broader cybercrime collective known as The Com. Portions of this campaign were previously reported by security researcher Troy Hunt and BleepingComputer last month.

The attack method involves creating convincing phishing pages that mimic legitimate CRM and bulk email service login portals. Once a target’s credentials are captured, the attackers generate API keys to maintain persistent access—even if the user resets their password.

In the next phase of the campaign, the attackers export mailing lists—likely through automated tools—and send out spam directly from the compromised accounts. These post-CRM-compromise supply chain emails urge recipients to create a new Coinbase Wallet using a seed phrase embedded within the message.
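As an added defensive example (not code from the article or from Silent Push), the following Python heuristic flags a mail body that carries a bare 12- or 24-word recovery phrase next to wallet-setup lure text, the pattern described above, which a CRM operator or mail-security team could run over outbound bulk mail. The BIP39 word-shape assumption, the lure terms and the two sample messages are constructions for this illustration.

```python
import re

# Added defensive example, not code from the article or Silent Push.
# Assumption: a BIP39 mnemonic is 12 or 24 lowercase words of 3-8 letters
# on a line of its own; production code would also check the official list.

STOPWORDS = {"the", "and", "for", "you", "your", "with", "this", "that",
             "are", "our", "please", "from", "have", "will", "not", "them"}
MNEMONIC_WORD = re.compile(r"^[a-z]{3,8}$")
LURE = re.compile(
    r"(seed phrase|recovery phrase|secret phrase|new wallet|coinbase wallet"
    r"|import .{0,30}wallet|restore .{0,30}wallet)", re.I)


def find_mnemonic_lines(body: str) -> list:
    """Return lines that look like a bare 12- or 24-word mnemonic.
    Lines with punctuation, capitals or common stopwords are skipped, which
    keeps ordinary sentences of the same length from matching."""
    hits = []
    for line in body.splitlines():
        words = line.split()
        if len(words) not in (12, 24):
            continue
        if all(MNEMONIC_WORD.match(w) and w not in STOPWORDS for w in words):
            hits.append(" ".join(words))
    return hits


def classify(body: str) -> dict:
    """Flag a message that both supplies a mnemonic and urges wallet setup.
    No legitimate service mails its users a recovery phrase, so a sender-
    supplied phrase beside wallet-setup language is the signal."""
    mnemonics = find_mnemonic_lines(body)
    lure = LURE.search(body) is not None
    return {"mnemonic_lines": mnemonics, "lure": lure,
            "suspicious": bool(mnemonics) and lure}


# Constructed samples for demonstration; not real campaign messages.
SPAM = ("Important security update for your Coinbase Wallet\n"
        "Create a new wallet with this security seed phrase:\n"
        "abandon ability able about above absent absorb abstract "
        "absurd abuse access accident\n"
        "Import it today to avoid losing access.")
NEWSLETTER = ("Thanks for subscribing to our April newsletter!\n"
              "Read our latest blog posts and product updates below.")

if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("newsletter", NEWSLETTER)):
        print(name, classify(body))
```

The word-shape check is a heuristic; a deployment would verify each candidate word against the BIP39 list and alert on the sending account as well as the message.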

The ultimate objective is to trick victims into using the attacker-supplied recovery phrase, allowing the threat actors to seize control of the wallets and transfer any funds. Connections to Scattered Spider and CryptoChameleon have been noted due to the use of the domain “mailchimp-sso[.]com,” previously linked to Scattered Spider, and CryptoChameleon’s known history of targeting Coinbase and Ledger.

However, the phishing kit employed by PoisonSeed does not match those used by either group. This suggests it could either be a newly developed phishing kit by CryptoChameleon or the work of an entirely separate actor adopting similar tactics.

This activity coincides with a separate campaign involving a Russian-speaking threat actor using Cloudflare’s Pages.Dev and Workers.Dev to host phishing sites that deliver malware capable of remotely controlling infected Windows machines. An earlier version of this operation also distributed the StealC information stealer.

“This recent campaign leverages Cloudflare-branded phishing pages themed around DMCA (Digital Millennium Copyright Act) takedown notices, served across multiple domains,” according to Hunt.io.

The lure exploits the ms-search protocol to download a malicious LNK file disguised as a PDF through a double extension. Once launched, the malware communicates the victim’s IP address to an attacker-controlled Telegram bot before handing over control to the Pyramid C2 framework.

