PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks

Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed “PoisonSeed.” This campaign involves a two-pronged approach: compromising CRM and bulk email providers and deploying a novel “crypto seed phrase” phishing attack.

The PoisonSeed campaign has targeted a range of significant platforms. This includes cryptocurrency companies like Coinbase and Ledger, as well as CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. The threat actors’ focus on email providers appears to be a strategic move to “provide infrastructure for cryptocurrency spam operations”: mail sent through a compromised account on one of these platforms leaves from the provider’s own infrastructure under the victim organization’s established sending reputation, so it passes the sender-authentication and reputation checks that would flag a throwaway domain.

A key element of the PoisonSeed campaign is a “cryptocurrency seed phrase poisoning attack.” In this attack, victims are presented with attacker-generated seed phrases and deceived into copying and pasting them into new cryptocurrency wallets. Because a seed phrase deterministically produces every private key in the wallet, a wallet created from a phrase the attacker already holds is under the attacker’s control from the moment it is created, and any funds the victim moves into it can be drained at the attacker’s convenience.
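The two halves of this attack can be shown in code. Below is an added example, not code from the Silent Push report or the attackers’ tooling: it derives a wallet’s master key from a mnemonic the standard way (BIP39 seed stretching followed by BIP32 master-key derivation, both implementable with the Python standard library) to show that the author of a seed phrase and the person who later imports it arrive at the same key, and it includes a simple mail-gateway heuristic that flags a 12- or 24-word lowercase run next to wallet-migration wording. The sample lure is constructed; the phrase in it is the publicly known all-zero-entropy BIP39 test mnemonic, used only as a stand-in.

```python
import hashlib
import hmac
import re
import unicodedata
from typing import Optional

BIP39_ROUNDS = 2048


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: the 12/24-word phrase plus an optional passphrase is stretched
    with PBKDF2-HMAC-SHA512 (2048 rounds, salt "mnemonic" + passphrase) into a
    512-bit seed. No other input exists, so whoever knows the phrase can
    reproduce the seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), BIP39_ROUNDS)


def master_key(seed: bytes) -> bytes:
    """BIP32: the master private key is the left 32 bytes of
    HMAC-SHA512(key=b"Bitcoin seed", msg=seed); every address in the wallet is
    derived deterministically from this key."""
    return hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()[:32]


def attacker_controls_wallet(phrase_in_lure: str, phrase_victim_imports: str) -> bool:
    """True when the phrase the attacker wrote into the lure and the phrase the
    victim typed into a fresh wallet yield the same master key, i.e. the
    attacker can spend whatever the victim deposits."""
    return master_key(mnemonic_to_seed(phrase_in_lure)) == \
        master_key(mnemonic_to_seed(phrase_victim_imports))


# Detection heuristic for a mail gateway: a run of 12 to 24 short lowercase
# words in a message that also carries wallet-migration wording. The word count
# is approximate (the run can absorb a neighbouring lowercase word) and the
# BIP39 wordlist is deliberately not embedded, so this is a triage signal only.
PHRASE_RUN = re.compile(r"\b(?:[a-z]{3,8}[ \t\r\n]+){11,23}[a-z]{3,8}\b")
LURE_WORDS = re.compile(r"(seed|recovery|secret)\s+phrase|self-custod|migrat", re.I)


def flag_seed_phrase_lure(body: str) -> Optional[dict]:
    """Return a small finding dict when the body looks like a seed-phrase lure,
    otherwise None."""
    run = PHRASE_RUN.search(body)
    if run is None or LURE_WORDS.search(body) is None:
        return None
    words = run.group(0).split()
    return {"word_count": len(words), "first_words": " ".join(words[:3])}


# Constructed sample lure (assumption: not text from the report). The phrase is
# the public all-zero-entropy BIP39 test mnemonic.
SAMPLE_LURE = (
    "Coinbase is migrating customers to self-custodial wallets.\n"
    "Import this recovery phrase into a new wallet and move your funds:\n"
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about\n"
)

if __name__ == "__main__":
    phrase = SAMPLE_LURE.splitlines()[-1]
    print("attacker and victim share a master key:",
          attacker_controls_wallet(phrase, phrase))
    print("gateway finding:", flag_seed_phrase_lure(SAMPLE_LURE))
```

The derivation functions are the real BIP39/BIP32 steps, so the point generalizes beyond the sample: no wallet software, hardware device or passphrase-free setup can make a phrase someone else wrote safe, because the phrase is the only secret. The detector is the cheap part; a production rule would check candidate words against the BIP39 wordlist and validate the checksum to cut false positives.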

The Silent Push report indicates potential links between PoisonSeed and other known threat actors. Specifically, the report states that analysts have “detected similarities between PoisonSeed, Scattered Spider, and CryptoChameleon,” the latter two of which are associated with “The Comm.” However, the report also clarifies that PoisonSeed is being classified distinctly due to “multiple unique data points distinguishing the two and a general lack of code commonalities between the groups.”

The report highlights specific instances that illustrate the PoisonSeed campaign’s tactics:

Screenshot of the phishing email sent to Troy Hunt

  • Compromised Akamai SendGrid Account: In March 2025, an Akamai SendGrid account was compromised and used to send out cryptocurrency spam. Silent Push analysts further revealed that the compromised account also sent SendGrid phishing messages to at least one other enterprise organization, promoting the domain sso-account[.]com.
  • Troy Hunt Phishing Attack: The PoisonSeed campaign targeted Troy Hunt, attempting to compromise his Mailchimp account. The phishing email used a “Sending Privileges Restricted” lure to deceive Hunt.
  • Sophisticated Phishing Pages: The threat actors created “pixel-perfect matches” of login pages for CRM and bulk email companies to steal credentials.
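The common thread in these three items is that the mail itself can look entirely legitimate: it may leave from a genuinely compromised SendGrid account and the login page it points to is a visual copy of the real one, so sender authentication and a glance at the page are not discriminators. What does not match is the registrable domain behind the link. Below is an added example, not code from the Silent Push report, that pulls links (including defanged ones) out of a message claiming to come from a named provider and flags any whose registrable domain is outside an allowlist for that brand. The sample message is constructed; the only indicator in it taken from the report is sso-account[.]com, and the per-brand domain sets are assumptions to be extended for your own tenants.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Assumed allowlist of registrable domains a provider legitimately links to.
# Extend per tenant; treat anything else as out of brand.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "mailchimp": {"mailchimp.com"},
}

# Matches both live and defanged (hxxp, [.]) URLs up to the next whitespace.
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.I)


def refang(url: str) -> str:
    """Turn analyst-style defanging back into a parseable URL."""
    return (url.replace("hxxp", "http").replace("[.]", ".")
               .replace("(.)", ".").rstrip(".,;)"))


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose (wrong for co.uk-style
    suffixes); production code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(brand: str, body: str) -> List[str]:
    """Return every link in the body whose registrable domain is not one the
    claimed brand is allowed to use."""
    allowed = BRAND_DOMAINS[brand]
    flagged = []
    for raw in URL_RE.findall(body):
        url = refang(raw)
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            flagged.append(url)
    return flagged


# Constructed sample (assumption: not a message from the report). A compromised
# account would make the From header and DKIM signature genuine, which is why
# the check below ignores them and looks only at link targets.
SAMPLE_EMAIL = """From: SendGrid Support <support@sendgrid.com>
Subject: Sending Privileges Restricted

Your account's sending privileges have been restricted.
Restore access at hxxps://sso-account[.]com/sendgrid/login
Help center: https://docs.sendgrid.com/ui/account-and-settings
"""

if __name__ == "__main__":
    for link in suspicious_links("sendgrid", SAMPLE_EMAIL):
        print("out-of-brand link:", link)
```

The brand is passed in rather than inferred because the thing being asserted is “this message claims to be SendGrid”; in a gateway rule that claim would come from the display name, subject keywords or the template the message imitates, and the link domain is then checked against it. Users can apply the same test by hand: a “Sending Privileges Restricted” notice that resolves to anything other than the provider’s own domain is the phish, however perfect the page looks.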

The PoisonSeed campaign demonstrates the evolving tactics of cybercriminals, combining the compromise of trusted email infrastructure with intricate cryptocurrency phishing schemes. The report by Silent Push emphasizes the importance of vigilance and highlights the complexities of tracking and attributing such sophisticated cyber threats.
