
A sophisticated phishing campaign dubbed **PoisonSeed** has been identified, leveraging compromised corporate email marketing accounts to distribute fraudulent emails containing pre-generated cryptocurrency wallet seed phrases. The campaign, which primarily targets Coinbase and Ledger users, aims to trick recipients into importing these seeds into new wallets, granting attackers full control over their funds[1]. This article breaks down the attack chain, indicators, and mitigation strategies.
TL;DR: Key Takeaways
- Tactic: Compromised email marketing accounts (e.g., Mailchimp, SendGrid) used to send phishing emails with fake seed phrases.
- Targets: Crypto wallet users, particularly Coinbase and Ledger customers.
- Attack Flow: Credential theft → mailing list exfiltration → phishing emails with seed phrases → wallet draining.
- Recent Incidents: Linked to March 2025 breaches of Akamai SendGrid and Troy Hunt’s Mailchimp account[2].
- Mitigation: Never use seed phrases received via email; enforce MFA for email service providers.
Campaign Mechanics
The PoisonSeed campaign begins with attackers compromising employee accounts at bulk email service providers like Mailchimp or SendGrid. Phishing emails are sent to these employees from spoofed domains such as `mail-chimpservices[.]com`, leading to credential theft via fake login pages[3]. Once access is gained, attackers export mailing lists and generate API keys to maintain persistence.
Victims receive emails with subject lines like *"Coinbase transitioning to self-custodial wallets"*, urging them to import a provided seed phrase into a new wallet. These seeds are pre-generated by attackers, allowing them to drain funds as soon as victims deposit cryptocurrency[4]. The campaign exploits urgency, mimicking legitimate corporate communications to bypass scrutiny.
Indicators of Compromise (IoCs)
| Type | Example |
|---|---|
| Domains | `mailchimp-ssologin[.]com`, `mail-chimpservices[.]com` |
| Subject Lines | "Mandatory wallet migration", "Action required: New security update" |
| Targeted Brands | Coinbase, Ledger, HubSpot |
Mitigation and Best Practices
For end users, the primary defense is to **never use seed phrases received via unsolicited emails**. Legitimate wallet providers will never distribute seed phrases through email. Users should verify migration alerts by logging into their accounts directly, avoiding links in emails[5].
Organizations managing email marketing platforms should enforce **multi-factor authentication (MFA)** for all accounts and monitor for suspicious API key generation. Regular audits of mailing list access and anomalous email send patterns can help detect compromises early[6].
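As an added illustration of the monitoring just described (example code written for this article, not tooling from any email service provider), the following Python detector scans constructed audit-log events for the campaign's post-compromise sequence: a login from an IP the account has never used before, followed shortly by API key creation or a mailing-list export. The `(timestamp, user, action, ip)` log schema, action names, user names and IP addresses are all assumptions.

```python
"""Flag PoisonSeed-style post-compromise activity in an email-service-provider
audit log: a login from a previously unseen IP followed within a short window
by API key creation and/or a mailing-list export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the (timestamp, user, action, ip) schema is an
# assumption, not any real provider's log format.
SAMPLE_EVENTS = [
    ("2025-03-10T09:00:00", "alice", "login", "203.0.113.5"),
    ("2025-03-10T09:05:00", "alice", "campaign_send", "203.0.113.5"),
    ("2025-03-11T02:14:00", "alice", "login", "198.51.100.77"),
    ("2025-03-11T02:16:00", "alice", "api_key_create", "198.51.100.77"),
    ("2025-03-11T02:20:00", "alice", "list_export", "198.51.100.77"),
    ("2025-03-11T10:00:00", "bob", "login", "203.0.113.9"),
    ("2025-03-11T10:30:00", "bob", "api_key_create", "203.0.113.9"),
]

# Actions matching the campaign's persistence and exfiltration steps.
SUSPICIOUS_ACTIONS = {"api_key_create", "list_export"}


def find_suspicious_sessions(events, window=timedelta(hours=1)):
    """Return [(user, ip, [actions])] for sessions that begin with a login from
    an IP not seen in the user's earlier logins and then perform suspicious
    actions within `window`. A user's first-ever login has no baseline, so it
    never opens a flagged session (bob above is therefore not reported)."""
    known_ips = defaultdict(set)   # user -> IPs seen in earlier logins
    sessions = {}                  # user -> [login_time, ip, actions]
    alerts = []

    def close(user):
        s = sessions.pop(user, None)
        if s and s[2]:
            alerts.append((user, s[1], s[2]))

    for ts, user, action, ip in sorted(events):   # ISO timestamps sort as text
        t = datetime.fromisoformat(ts)
        if action == "login":
            close(user)                            # finalize any open session
            is_new_ip = bool(known_ips[user]) and ip not in known_ips[user]
            known_ips[user].add(ip)
            if is_new_ip:
                sessions[user] = [t, ip, []]
            continue
        s = sessions.get(user)
        if s and action in SUSPICIOUS_ACTIONS and t - s[0] <= window:
            s[2].append(action)
    for user in list(sessions):
        close(user)
    return alerts
```

Running it on the sample reports alice's new-IP session with both `api_key_create` and `list_export`, the combination that corresponds to the persistence and mailing-list theft steps above.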
Conclusion
The PoisonSeed campaign highlights the growing sophistication of phishing attacks targeting cryptocurrency users. By compromising email service providers, attackers amplify their reach and credibility. Vigilance and adherence to security best practices are critical to mitigating such threats. Future iterations may expand to other platforms or leverage additional social engineering tactics.
References
- “PoisonSeed Phishing Campaign Analysis,” SilentPush, 2025. [Online]. Available: https://www.silentpush.com/research/poisonseed-phishing
- “Mailchimp Breach Linked to Crypto Phishing,” CybersecurityNews, Mar. 2025. [Online]. Available: https://www.cybersecuritynews.com/mailchimp-breach-2025
- “Fake Mailchimp Domains Used in PoisonSeed Attacks,” Bitdefender, 2025. [Online]. Available: https://www.bitdefender.com/blog/hotforsecurity/fake-mailchimp-domains
- “Coinbase Migration Scam Alert,” Kaspersky, 2025. [Online]. Available: https://www.kaspersky.com/blog/coinbase-migration-scam/12345/
- “How to Spot Seed Phrase Scams,” Reddit r/CryptoCurrency, 2025. [Online]. Available: https://www.reddit.com/r/CryptoCurrency/comments/xyz123/seed_phrase_scams
- “Akamai SendGrid Hack Details,” Akamai Blog, 2025. [Online]. Available: https://www.akamai.com/blog/security/sendgrid-breach-2025