Phishing Scam “PoisonSeed” Uses Email Marketing Accounts
Corporate email marketing accounts have been compromised and used in a phishing campaign known as “PoisonSeed,” which is targeting cryptocurrency users and spreading fraudulent wallet seed phrases. The attacks were initiated in March 2025 and targeted Coinbase and Ledger users globally.
Security researchers at SilentPush identified that attackers are using hijacked accounts from services like Mailchimp, HubSpot, SendGrid, Mailgun, and Zoho to send phishing messages that appear legitimate.
The attackers first target users with access to CRM and bulk email platforms, deceiving them into entering their credentials on spoofed login pages. These pages, hosted on lookalike domains such as mailchimp-sso[.]com, let the attackers harvest credentials and take over the accounts.
Once they’ve gained access, the attackers export mailing lists and generate new API keys so they retain control of the account even if the user changes their password. They then send crypto-themed phishing emails to the harvested lists, urging recipients to move their funds into a new wallet as part of a supposedly necessary migration or upgrade. To complete the move, recipients are asked to enter a seed phrase provided in the email.
Anyone who follows the steps in the email unknowingly hands the attacker full control of their funds: rather than being linked to a new, safe wallet, the supplied seed phrase belongs to a wallet the scammer already controls.
Although the PoisonSeed campaign overlaps with the tactics used by threat actors such as CryptoChameleon and Scattered Spider, SilentPush attributes it to a different actor based on its infrastructure and code.
The campaign also comes on the back of recent email marketing account breaches — such as the late March breach of Troy Hunt’s Mailchimp account and a subsequent SendGrid account breach related to Akamai — where the attackers utilized legitimate credentials to send crypto-themed phishing messages.
Users are advised to ignore emails requesting immediate crypto action and to log in directly to their accounts to check for updates, as genuine crypto exchanges will never send users a seed phrase. Moreover, wallets should always be self-generated and their seed phrases kept private.
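A small triage helper for the two signals this article describes (credential pages on lookalike domains such as mailchimp-sso[.]com, and a seed phrase supplied alongside a migration lure), written here as an added example rather than tooling from SilentPush or any of the platforms named. The legitimate-domain table, the brand tokens and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brand token -> registrable domains assumed legitimate (assumption for illustration).
LEGIT = {
    "mailchimp": {"mailchimp.com"},
    "hubspot": {"hubspot.com"},
    "sendgrid": {"sendgrid.com", "sendgrid.net"},
    "mailgun": {"mailgun.com", "mailgun.net"},
    "zoho": {"zoho.com"},
}
SEED_LURE = re.compile(r"seed phrase", re.I)
URGENCY = re.compile(r"\b(migrat\w*|upgrade|immediately|within 24 hours)\b", re.I)

def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'mailchimp-sso[.]com' back into a usable form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def host_of(value: str) -> str:
    """Extract the hostname from a URL, a sender address, or a bare domain."""
    v = refang(value)
    if "://" in v:
        return urlparse(v).hostname or ""
    return v.split("@")[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.net brands above."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def is_lookalike(value: str) -> bool:
    """True when the host embeds a platform brand name but is not that platform's domain."""
    host = host_of(value)
    reg = registrable(host)
    return any(brand in host and reg not in good for brand, good in LEGIT.items())

def triage(sender: str, links: list[str], body: str) -> list[str]:
    """Return the reasons an email matches the campaign's pattern (empty list = none)."""
    reasons = [f"lookalike domain: {host_of(v)}" for v in [sender, *links] if is_lookalike(v)]
    if SEED_LURE.search(body) and URGENCY.search(body):
        reasons.append("seed phrase supplied alongside a migration/urgency lure")
    return reasons

# Constructed sample message in the style described in the article (not a real capture).
SAMPLE = {
    "sender": "support@mailchimp-sso[.]com",
    "links": ["hxxps://mailchimp-sso[.]com/wallet-migration"],
    "body": "Migrate your funds now: import this seed phrase into your new wallet ...",
}
```

Run `triage(**SAMPLE)` to see both signals fire on the constructed message; a real deployment would replace the two-label `registrable()` with a public-suffix-list lookup.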