PoisonSeed phishing campaign behind emails with wallet seed phrases

A large-scale phishing campaign dubbed 'PoisonSeed' compromises corporate email marketing accounts to distribute emails containing crypto seed phrases used to drain cryptocurrency wallets. According to SilentPush, the campaign targets Coinbase and Ledger using compromised accounts at Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The researchers link the campaign to recent incidents, such as the case of Troy Hunt's Mailchimp account compromise from late last month and an Akamai SendGrid account hack BleepingComputer reported in mid-March 2025, where the legitimate account was used to send out Coinbase seed phrase phishing emails. Although the PoisonSeed campaign shares similarities with operations by the CryptoChameleon and Scattered Spider threat actors, Silent Push categorizes it separately due to code differences and other differentiating factors. PoisonSeed attack chain The first step in the attack is to identify high-value targets with access to CRM and bulk email platforms ... Read full article.