New Phishing Scam Targets Crypto Users Through Trusted Email Platforms
Ammar Naeem

A new phishing campaign is making the rounds, targeting CRM platforms and bulk email providers to spread fake messages aimed at cryptocurrency users. The scam, dubbed “PoisonSeed,” is specifically designed to go after cryptocurrency holders by tricking them into handing over access to their wallets.
Instead of relying on the usual malicious links, this campaign does something different: it provides victims with what looks like a legitimate crypto seed phrase—a string of words that acts like a master key to your digital wallet. But because the attacker already knows that phrase, any wallet set up with it is under the attacker's control, along with any funds moved into it.
The cyber intelligence team at Silent Push discovered that major email platforms like Mailchimp, HubSpot, SendGrid, Mailgun, and Zoho were being abused to send these phishing emails. The targets? Users of well-known crypto services like Coinbase and Ledger.
For the past month or so, people have been getting fake emails pretending to be from Coinbase, claiming the company is moving users to “self-custodial” wallets and asking them to create a new wallet using a provided recovery phrase. What’s dangerous is that the emails don’t contain suspicious links—which helps them avoid spam filters—but instead use social engineering and seemingly valid information to fool recipients.
Coinbase issued a warning in mid-March, reminding users to never enter a seed phrase given to them by anyone else. Unfortunately, by then, it’s estimated that victims had already lost about $46 million in crypto through this scheme.
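A defender-side content check for the pattern described above (linkless mail that supplies a ready-made recovery phrase), added here as an example and not taken from Silent Push or Coinbase. The stopword list, lure terms, sample messages and function names are assumptions, and the word-shape test stands in for a lookup against the full BIP-39 word list.

```python
import re

# BIP-39 mnemonics are 12, 15, 18, 21 or 24 lowercase words of 3-8 letters.
VALID_LENGTHS = {12, 15, 18, 21, 24}
WORD = re.compile(r"[a-z]{3,8}")
# Common English words that are not BIP-39 words; they break a candidate run.
STOPWORDS = {"the", "and", "for", "your", "with"}
# Assumed lure vocabulary, based on the email wording described in the article.
LURE_TERMS = ("recovery phrase", "seed phrase", "self-custodial", "new wallet")
URL = re.compile(r"https?://|www\.", re.I)

# Constructed sample messages (not real campaign emails, not a real wallet).
PHISH = """Coinbase is transitioning to self-custodial wallets.
Set up your new wallet using the recovery phrase below:
1. apple 2. brave 3. candy 4. delay 5. eagle 6. fabric
7. gadget 8. habit 9. icon 10. jacket 11. kangaroo 12. lab
Coinbase Support"""
BENIGN = """Your March statement is ready. Sign in at
https://example.com/statements to view it.
Never share your recovery phrase with anyone."""

def find_seed_phrase(body):
    """Return the first run of seed-phrase-shaped words, or None."""
    # Drop list numbering such as "1." or "12)" so numbered phrases still match.
    tokens = re.sub(r"\b\d{1,2}[.)]", " ", body).split()
    run = []
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        word = tok.rstrip(".,;:")
        if WORD.fullmatch(word) and word not in STOPWORDS:
            run.append(word)
            if word == tok:
                continue  # no trailing punctuation, so the run may go on
        if len(run) in VALID_LENGTHS:
            return run
        run = []
    return None

def check_email(body):
    """Flag mail that supplies a wallet phrase; 'linkless' means no URL to score."""
    phrase = find_seed_phrase(body)
    lures = [t for t in LURE_TERMS if t in body.lower()]
    return {"phrase_words": len(phrase) if phrase else 0, "lures": lures,
            "linkless": URL.search(body) is None, "flag": bool(phrase and lures)}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, check_email(msg))
```

The flag requires both a phrase-shaped run and lure wording, so a message that merely warns about recovery phrases is not flagged.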
The emails were traced back to a compromised SendGrid account, which attackers also used to target other companies’ email systems—likely hoping to expand their scam using even more trusted platforms.
Digging further, researchers identified 49 unique phishing domains connected to the PoisonSeed campaign, including some targeting Ledger wallet users. One of those domains even mimicked Mailchimp’s login system and was linked to an earlier phishing attack on security expert Troy Hunt (of Have I Been Pwned? fame).
Interestingly, the attackers seem to have ties—or at least similarities—to known cybercrime groups like Scattered Spider (aka UNC3944, Starfraud, or Muddled Libra). While there’s overlap with previous phishing tools like CryptoChameleon, Silent Push believes PoisonSeed is likely a separate group with its own playbook.