PoisonSeed: How CRM Compromise is Seeding Crypto Theft Among the Unwary
- Javier Conejo del Cerro
- 7 Apr
- 2 min read

A deceptive campaign is on the rise, targeting people who may never have considered owning cryptocurrency. Known as PoisonSeed, this threat uses hijacked CRM accounts to trick everyday users into setting up compromised digital wallets. Behind this attack lies a web of phishing, impersonation, and technical persistence that shows just how far threat actors are willing to go to plant a trap.
From CRM Credentials to Crypto Control
Threat actors behind PoisonSeed begin by targeting bulk email platforms and customer relationship management (CRM) tools like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. By mimicking login portals, attackers phish credentials from employees and users with access to these platforms. Once inside, they generate API keys to maintain long-term access, even if passwords are changed.
Armed with control over these accounts, the adversaries export contact lists and launch widespread phishing emails. These messages, often spoofing legitimate communications from well-known crypto services such as Coinbase and Ledger, urge recipients to create a new cryptocurrency wallet using a “recovery phrase” supplied in the email. The catch? That seed phrase is already known to the attackers, and whoever holds a wallet's seed phrase holds its private keys: anything the victim later deposits into the wallet can be swept at will.
A Victim Profile Beyond the Crypto World
What makes PoisonSeed so dangerous is its focus on individuals outside the usual cryptocurrency landscape. Employees, small business owners, and non-technical users receive these emails through trusted CRM sources, giving the messages an air of legitimacy. Many recipients aren’t even active in the crypto space, but the language of the email encourages them to set up wallets in case they wish to use crypto later.
Unaware that the provided seed phrase is pre-compromised, victims unknowingly create wallets that attackers can access and drain at any moment. This form of social engineering exploits both human trust and unfamiliarity with how seed phrases work, creating a scenario where even crypto-skeptics fall victim.
Persistence, Malware, and Spoofing
The PoisonSeed campaign doesn’t stop at phishing. Some versions of the operation go further by using Cloudflare’s pages.dev and workers.dev domains to host spoofed sites, often themed around DMCA takedown notices, tricking recipients into downloading malicious files. These files, including .LNK shortcuts disguised as PDFs, install malware that communicates with attacker-controlled infrastructure via Telegram bots and Pyramid C2.
Though there are overlaps with threat groups like Scattered Spider and CryptoChameleon, PoisonSeed uses its own phishing kit and infrastructure. This suggests the rise of a new actor or at least an offshoot with a specific focus on CRM-based infiltration and seed phrase fraud.
How to Inoculate Your Organization
Protecting against PoisonSeed requires vigilance at both the organizational and individual levels:
• Enable multi-factor authentication (MFA) on all CRM and email marketing accounts.
• Alert on newly created API keys, attribute every key to an owner and a purpose, and audit third-party integrations regularly. When an account is compromised, rotate the password and revoke its API keys together: a password reset alone leaves attacker-issued keys valid.
• Train employees to recognize phishing attempts, especially those mimicking login pages.
• Flag any email that includes a cryptocurrency seed phrase as suspicious.
• Review email-sending behavior for signs of mass mailings from CRM systems.
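The chain described under “From CRM Credentials to Crypto Control” (phished login, new API key, contact export, mass mailing) leaves a recognisable footprint in a platform's audit log, which is what the API-key and mass-mailing checks above are looking for. The following detector is an added example written for this post; it is not code from the original article or from any CRM vendor. The JSON-lines log format and the action names are constructed assumptions: real platforms such as Mailchimp, SendGrid and HubSpot expose comparable audit events under their own names, which you would map onto `SUSPICIOUS_ACTIONS`.

```python
"""Detect the PoisonSeed account-takeover chain in CRM / bulk-mail audit logs.

Added example written for this post; it is not code from the original
article or from any CRM vendor. The log format is constructed: one JSON
object per line with `ts`, `actor`, `action` and `ip`. Real platforms
(Mailchimp, SendGrid, HubSpot, ...) expose comparable audit events under
their own names, so the action strings below are assumptions to be mapped.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# The three steps that follow a phished login in the campaign described above:
# persistence (API key), harvesting (contact export), abuse (mass mailing).
SUSPICIOUS_ACTIONS = ("api_key_created", "contacts_exported", "campaign_sent")

# How long after a login we still attribute follow-on actions to it.
WINDOW = timedelta(hours=2)

# Constructed sample log (not from a real incident). The marketing account is
# taken over on 2 April from an IP it has never logged in from before.
SAMPLE_LOG = """\
{"ts": "2025-04-01T08:02:11Z", "actor": "marketing@example.com", "action": "login", "ip": "203.0.113.10"}
{"ts": "2025-04-01T08:05:40Z", "actor": "marketing@example.com", "action": "campaign_sent", "ip": "203.0.113.10"}
{"ts": "2025-04-02T23:41:03Z", "actor": "marketing@example.com", "action": "login", "ip": "198.51.100.77"}
{"ts": "2025-04-02T23:42:19Z", "actor": "marketing@example.com", "action": "api_key_created", "ip": "198.51.100.77"}
{"ts": "2025-04-02T23:49:55Z", "actor": "marketing@example.com", "action": "contacts_exported", "ip": "198.51.100.77"}
{"ts": "2025-04-03T00:12:30Z", "actor": "marketing@example.com", "action": "campaign_sent", "ip": "198.51.100.77"}
{"ts": "2025-04-03T09:00:00Z", "actor": "sales@example.com", "action": "login", "ip": "203.0.113.10"}
{"ts": "2025-04-03T09:01:00Z", "actor": "sales@example.com", "action": "api_key_created", "ip": "203.0.113.10"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit events and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["ts"])


def find_takeover_chains(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Return one finding per login from an IP the actor has never logged in
    from before that is followed, within `window`, by at least two of
    SUSPICIOUS_ACTIONS from the same actor and IP.

    The baseline is built from the log itself, so an actor's very first login
    is always "new"; in production seed `seen` from historical data instead.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    findings: list[dict] = []
    for i, ev in enumerate(events):
        if ev["action"] != "login":
            continue
        actor, ip, t0 = ev["actor"], ev["ip"], ev["ts"]
        new_ip = ip not in seen[actor]
        seen[actor].add(ip)
        if not new_ip:
            continue
        follow_on = {
            e["action"]
            for e in events[i + 1:]
            if e["actor"] == actor and e["ip"] == ip
            and e["ts"] - t0 <= window
            and e["action"] in SUSPICIOUS_ACTIONS
        }
        # A lone API key from a new IP may be legitimate onboarding; the
        # key + export + send sequence is what the campaign looks like.
        if len(follow_on) >= 2:
            findings.append({
                "actor": actor,
                "ip": ip,
                "login": t0.isoformat(),
                "actions": sorted(follow_on, key=SUSPICIOUS_ACTIONS.index),
            })
    return findings


if __name__ == "__main__":
    for finding in find_takeover_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this yields a single finding for marketing@example.com from 198.51.100.77 with all three follow-on actions; the first-ever login and the sales account's single API key creation stay below the threshold. The two-action threshold is a deliberate choice: one new key from a new IP is common during onboarding, while key creation followed by an export or a send from the same session is the pattern worth paging on.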
Remember: no legitimate wallet provider will ever send a seed phrase via email. If one arrives in your inbox, it’s not a gift. It’s a trap.
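Because a mailed seed phrase is never legitimate, the “flag any email that includes a seed phrase” control above can be automated at the mail gateway. The filter below is an added example written for this post, not code from the original article or from any mail-security product. A BIP-39 recovery phrase is 12 or 24 lower-case English words from a fixed 2048-word list; that list is not embedded here, so the check is a structural heuristic (an unbroken run of exactly 12 or 24 short lower-case words plus “recovery phrase” style wording). The sample lure and benign messages are constructed, and the verdict names are this example's own; a production filter should additionally validate each word against the real BIP-39 list and its checksum, which is assumed rather than implemented.

```python
"""Flag inbound mail that appears to carry a wallet recovery (seed) phrase.

Added example written for this post, not code from the original article or
from any mail-security product. A BIP-39 recovery phrase is 12 or 24
lower-case English words drawn from a fixed 2048-word list. Embedding that
list is out of scope here, so this is a structural heuristic: an unbroken
run of exactly 12 or 24 short lower-case words, plus "recovery phrase"
style wording nearby. A production filter should additionally check each
word against the real BIP-39 list and verify the phrase checksum (assumed,
not implemented here).
"""
from __future__ import annotations

import re

# Wording that accompanies a seed phrase in the lure described above.
CONTEXT = re.compile(
    r"\b(recovery|seed|secret|backup)\s+(phrase|words)\b|\bmnemonic\b", re.I
)
# BIP-39 English words are 3 to 8 letters long.
WORD = re.compile(r"^[a-z]{3,8}$")
# "1." / "12)" list markers between words do not break a run.
NUMBERING = re.compile(r"^\(?\d{1,2}[.)]$")
PHRASE_LENGTHS = (12, 24)

# Constructed lure and benign samples (not real messages; the twelve words
# are illustrative and are not a valid wallet phrase).
LURE_SUBJECT = "Action required: set up your new wallet"
LURE_BODY = """\
Hello,

To keep your account active, install the wallet app and restore it with
the recovery phrase below. Keep these 12 words safe:

1. apple 2. river 3. candle 4. orbit 5. meadow 6. silver
7. puzzle 8. anchor 9. forest 10. velvet 11. garden 12. rocket

Support Team
"""
BENIGN_BODY = """\
Hi team, the April newsletter is scheduled for Thursday. Please review the
draft and send feedback by Wednesday. Thanks!
"""


def find_seed_phrases(body: str) -> list[list[str]]:
    """Return every run of exactly 12 or 24 lower-case 3-8 letter words.

    Any other token (capitalised word, punctuation attached to a word, a
    bare number) ends the current run, which keeps ordinary prose from
    matching; a trailing period on the last seed word would drop that word.
    """
    runs: list[list[str]] = []
    current: list[str] = []
    for tok in re.split(r"[\s,]+", body):
        if not tok or NUMBERING.match(tok):
            continue
        if WORD.match(tok):
            current.append(tok)
            continue
        if len(current) in PHRASE_LENGTHS:
            runs.append(current)
        current = []
    if len(current) in PHRASE_LENGTHS:
        runs.append(current)
    return runs


def classify_email(subject: str, body: str) -> dict:
    """Combine the structural match with the lure wording into a verdict."""
    phrases = find_seed_phrases(body)
    has_context = bool(CONTEXT.search(subject + "\n" + body))
    if phrases and has_context:
        verdict = "quarantine"   # seed phrase plus "recovery phrase" wording
    elif phrases or has_context:
        verdict = "review"       # one signal only: route to a human
    else:
        verdict = "clean"
    return {"verdict": verdict, "phrases": phrases, "context": has_context}


if __name__ == "__main__":
    print(classify_email(LURE_SUBJECT, LURE_BODY))
    print(classify_email("April newsletter", BENIGN_BODY))
```

The lure is quarantined (a 12-word run next to “recovery phrase”), the newsletter comes back clean. Requiring both signals for the hard verdict keeps false positives down on legitimate mail that merely mentions recovery phrases, such as a wallet vendor's security notice, while a bare word run with no such wording is still worth a human look.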
PoisonSeed reminds us that even users with zero crypto exposure can be drawn into cybercriminal schemes. As attackers expand their tactics, we must expand our awareness and defenses.