
A new malicious campaign tracked as PoisonSeed is using compromised credentials for customer relationship management (CRM) tools and bulk email providers to run cryptocurrency seed phrase poisoning attacks. The attackers send spam containing recovery phrases they generated themselves and urge recipients to import them into a new wallet; because the sender already holds the phrase, any funds moved into that wallet can be drained at will.
According to an analysis by Silent Push, recipients are drawn into a seed phrase poisoning scheme that prompts them to set up new wallets using the phrases supplied in the spam messages. The campaign targets enterprises and individuals, including users of well-known crypto companies such as Coinbase and Ledger and of bulk email services such as Mailchimp and Hubspot.
PoisonSeed's activity is distinct from that of associated threat actors such as Scattered Spider and CryptoChameleon, both part of a larger cybercrime ecosystem. The issue had surfaced earlier: security researcher Troy Hunt had previously drawn attention to deceptive emails linked to Coinbase.
The attacks use phishing pages that mimic recognized CRM and email platforms to trick high-value targets into surrendering their login credentials. Once an account is compromised, the attackers generate API keys for it, which keeps their access alive even after the password is changed; a password reset alone therefore does not evict them, and any API keys created during the intrusion must be revoked as well.
After gaining access, the attackers export the account's mailing lists in an automated fashion and then flood the subscribers with spam claiming they must set up a new Coinbase Wallet using the seed phrase embedded in the email. The end goal is to take over the resulting wallets and transfer out any funds, since the attackers already hold the same recovery phrases.
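The mechanics of the two paragraphs above, as an added example that is not from Silent Push's report or from any company named on this page: a Python script that first flags candidate 12- or 24-word recovery phrases in a message body, the way a mail filter might triage such lures, and then derives the BIP39 seed from a flagged phrase with PBKDF2-HMAC-SHA512 to show why a wallet restored from a phrase someone else sent is already theirs. The email text and the function names are constructed for illustration; the 12-word phrase is the published BIP39 test vector (all-zero entropy), not a phrase from the campaign.

```python
import hashlib
import re
import unicodedata

# Constructed sample of a seed-poisoning lure in the style the report describes.
# This is not a real message from the campaign; the 12-word phrase is the
# well-known BIP39 test vector (entropy of all zero bytes), used so the output
# can be checked against published values.
SAMPLE_EMAIL = """Subject: Action required: migrate to your new Coinbase Wallet

We have created a replacement wallet for your account. Open the
Coinbase Wallet app, choose "Import an existing wallet" and enter
the recovery phrase below exactly as shown:

abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

Move your assets within 24 hours to avoid interruption.
"""

# BIP39 English words are 3 to 8 lowercase ASCII letters, and a recovery phrase
# is 12 or 24 of them in a row. This is a triage heuristic for mail filtering,
# not a checksum validation (that would need the 2048-word list).
_BIP39_SHAPED = re.compile(r"^[a-z]{3,8}$")


def find_candidate_phrases(text: str) -> list[list[str]]:
    """Return every run of exactly 12 or 24 consecutive BIP39-shaped words."""
    found, run = [], []
    for token in text.split() + [""]:  # empty sentinel flushes the final run
        if _BIP39_SHAPED.match(token):
            run.append(token)
            continue
        if len(run) in (12, 24):
            found.append(run)
        run = []
    return found


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic -> 64-byte seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, with both
    inputs NFKD-normalised and words separated by single spaces, per the spec.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)


def same_wallet(sender_phrase: str, victim_input: str, passphrase: str = "") -> bool:
    """The point of the scam: if what the victim pastes into the wallet app is
    the phrase the sender mailed (whitespace aside), both sides derive the same
    seed, and from it every key and address in the wallet."""
    return bip39_seed(sender_phrase, passphrase) == bip39_seed(victim_input, passphrase)


if __name__ == "__main__":
    for words in find_candidate_phrases(SAMPLE_EMAIL):
        phrase = " ".join(words)
        print(f"flagged {len(words)}-word candidate: {phrase}")
        print(f"seed (no passphrase): {bip39_seed(phrase).hex()}")
        pasted = "  " + phrase.replace(" abandon about", "\nabandon about") + "\n"
        print(f"sender holds the victim's wallet: {same_wallet(phrase, pasted)}")
```

Run it directly to see the flagged phrase and its seed. The detector is a shape heuristic: it does not validate the BIP39 checksum and can flag ordinary prose made of short lowercase words, so it should feed a review queue rather than block mail on its own. The derivation is the standard one, and it has no step at which the victim gains exclusive control: whoever knows the phrase and optional passphrase computes the same 64 bytes.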
The link to Scattered Spider and CryptoChameleon rests on the use of a domain previously associated with Scattered Spider and on CryptoChameleon's history of targeting similar platforms. However, the phishing kit PoisonSeed uses does not match kits previously attributed to either group, so it may be a new tool from CryptoChameleon or a different group adopting comparable tactics.
In a related development, a Russian-speaking threat actor has been deploying phishing pages hosted on Cloudflare to distribute malware that can remotely control infected Windows systems. The same campaign previously distributed information-stealing malware through lookalike phishing sites.
In summary, PoisonSeed illustrates an evolving threat landscape in which cybercriminals combine social engineering with compromised business tools to reach victims inside the cryptocurrency space and beyond.