A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
Silent Push, the cybersecurity firm that uncovered the campaign, linked it to two recent phishing incidents, the compromise of Troy Hunt's Mailchimp account and the Coinbase-themed phishing emails, which it describes as two legs of the same campaign ending in crypto theft.
“PoisonSeed threat actors are targeting enterprise organizations and individuals outside the cryptocurrency industry,” Silent Push analysts said in a blog post. “Email providers appear to be targeted mainly to provide infrastructure for cryptocurrency spam operations.”
Crypto companies like Coinbase and Ledger were targeted, along with CRM and email providers such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.
Two phishes leading to crypto theft
The attack starts with the threat actors setting up phishing pages for email providers that were “pixel-perfect” matches for the real login pages, analysts said.
With the pages in place, the attackers sent targeted emails to specific addresses, such as Troy Hunt’s “mailchimp@redacted,” an address he used solely for his Mailchimp login. The phishing email used a “Sending Privileges Restricted” lure and appeared to come from legitimate-looking lookalike domains such as mail-chimpservices[.]com, mailchimp-sso[.]com, and mailchimp-ssologin[.]com.
Once the credentials are stolen, PoisonSeed quickly exports the victim’s email lists, as happened in Troy Hunt’s case. The actors also create a new API key so that they keep access even if the victim resets the password, Silent Push noted in the blog post.
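The lure domains above all embed the brand name with a hyphen or an extra word bolted on. As an added example (not code from the article or from Silent Push), the following Python flags such lookalikes in an email body: it refangs `[.]` indicators, reduces each host to its registrable domain, and reports any domain that contains a known brand name but is not on that brand's allowlist. The allowlist of legitimate domains and the sample email are constructed assumptions for the example; the article names only the lure domains.

```python
import re
from typing import Optional

# Assumption for this example: the real login domains each lure imitates.
# The article lists the lure domains but not the legitimate ones.
LEGIT_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
    "sendgrid": {"sendgrid.com"},
}

# Constructed sample email using the lure subject and domains named in the article.
SAMPLE_EMAIL = """Subject: Sending Privileges Restricted
From: support@mailchimp-sso[.]com
Your sending privileges are limited. Review: https://mailchimp-ssologin[.]com/login
Help centre: https://mailchimp.com/help
"""

# Captures the host after "http(s)://" or "@", tolerating defanged "[.]" notation.
DOMAIN_RE = re.compile(r"(?:https?://|@)([a-z0-9.\[\]-]+)", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator like mailchimp-sso[.]com into a real hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-part suffixes such as co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is legitimate or unrelated.

    Heuristic: strip hyphens out of the registrable domain's first label and look
    for a brand name inside it. A hit that is not on the brand's allowlist is a
    lookalike (mail-chimpservices.com -> "mailchimpservices" contains "mailchimp").
    """
    reg = registrable_domain(refang(host))
    squashed = reg.split(".")[0].replace("-", "")
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            return None
        if brand in squashed:
            return brand
    return None


def flag_lookalikes(text: str) -> list:
    """Scan an email body for sender/link hosts that imitate a known brand.

    Returns a sorted list of (host, brand) pairs, deduplicated by host.
    """
    hits = {}
    for match in DOMAIN_RE.finditer(text):
        host = refang(match.group(1))
        brand = lookalike_brand(host)
        if brand is not None:
            hits[host] = brand
    return sorted(hits.items())


if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_EMAIL):
        print(f"lookalike of {brand}: {host}")
```

The heuristic is deliberately simple; in production you would feed the registrable domain through a public-suffix list and compare against the provider's full set of legitimate sending and login domains rather than the single entry assumed here.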
In March 2025, Akamai’s SendGrid account was similarly compromised and used to send spam carrying a Coinbase-themed seed phrase poisoning attack. The phishing emails came from a genuine @akamai[.]com address rather than a spoofed one, which lent the scam legitimacy.
The emails claimed Coinbase was moving to self-custodial wallets and urged recipients to set up new wallets. The attackers supplied the seed phrases themselves, hoping users would import them; because a seed phrase deterministically generates a wallet’s keys, anyone holding the phrase can later restore the wallet and drain whatever funds the victim deposits.
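Why a handed-out seed phrase is a total compromise is easy to show with the standards wallets actually use. As an added example (not code from the article or from any party it describes), the Python below derives the BIP39 seed from a mnemonic with PBKDF2-HMAC-SHA512 and then the BIP32 master private key with HMAC-SHA512 keyed on "Bitcoin seed", using only the standard library. The mnemonic used is the public BIP39 test vector, a constructed stand-in for the phrases in the PoisonSeed emails, which the article does not reproduce; the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed sample: the public BIP39 test-vector mnemonic, NOT a phrase from
# the PoisonSeed emails. Any 12- or 24-word BIP39 phrase works the same way.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic.

    Per BIP39: NFKD-normalise both strings, then run PBKDF2-HMAC-SHA512 for
    2048 rounds with the salt "mnemonic" + passphrase.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512(key=b"Bitcoin seed", msg=seed).

    Returns (master private key, chain code). Every account and address in
    the wallet is derived from this pair, so whoever can compute it owns the wallet.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def attacker_controls_wallet(victim_phrase: str, attacker_phrase: str) -> bool:
    """True when the attacker's phrase yields the victim's master private key.

    In the poisoning attack the attacker wrote the phrase, so the two inputs are
    identical and this is always True; an attacker guessing a different phrase
    gets a different key and no access.
    """
    victim_priv, _ = bip32_master_key(bip39_seed(victim_phrase))
    attacker_priv, _ = bip32_master_key(bip39_seed(attacker_phrase))
    return hmac.compare_digest(victim_priv, attacker_priv)


if __name__ == "__main__":
    # Victim imports the phrase the email provided; attacker kept a copy.
    print("attacker can sweep wallet:", attacker_controls_wallet(SAMPLE_MNEMONIC, SAMPLE_MNEMONIC))
    print("random other phrase works:", attacker_controls_wallet(SAMPLE_MNEMONIC, "zoo " * 11 + "wrong"))
```

Note that the derivation has no secret beyond the phrase (and an optional passphrase the victim is unlikely to set): there is no server, no account, and no way to "reset" a wallet whose phrase someone else holds. The only safe wallet is one whose phrase was generated on the victim's own device and never transmitted.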
Activities align with CryptoChameleon
While many threat researchers have linked PoisonSeed to Scattered Spider, Silent Push believes the activity aligns more closely with the CryptoChameleon advanced phishing kit observed in 2024.
The mailchimp-sso[.]com domain, which is the basis for the Scattered Spider attribution, had been registered through Porkbun since the earlier attack until March 24, 2025, when it was re-registered with NiceNic, a registrar favored by both Scattered Spider and CryptoChameleon, the analysts pointed out.
PoisonSeed’s cryptocurrency seed phrase poisoning, delivered through a compromised email-sending supply chain, does not match Scattered Spider TTPs; Silent Push tracked Scattered Spider as still active in 2025, targeting brands including Credit Karma, Forbes, Nike, Louis Vuitton, and Vodafone.
CryptoChameleon, on the other hand, heavily targets Coinbase and Ledger, just like PoisonSeed, along with other crypto brands. Silent Push shared a list of Indicators of Future Attack (IOFA) associated with the PoisonSeed campaign and said a much larger, real-time list is available exclusively to its customers.