In early April, cybersecurity researchers uncovered a new phishing campaign dubbed PoisonSeed, targeting CRM providers and mass email platforms. The primary victims of this operation are cryptocurrency wallet users—especially Ledger owners—whose data is being harvested through seemingly trustworthy email channels.
What makes this operation unique is that the attackers first compromise the infrastructure of reputable email services such as Mailchimp and SendGrid, then use these legitimate channels to distribute phishing emails. Because the messages originate from genuine sending infrastructure, this technique bypasses standard spam filters and increases trust among recipients.
Technical analysis revealed that attackers gained access to administrative panels of these platforms and launched mass phishing campaigns using emails that appeared identical to official communications. These emails contained links to fake websites mimicking cryptocurrency platforms, including firmware update pages for Ledger. Victims were prompted to enter their seed phrases on these deceptive sites.
Researchers at Silent Push identified multiple malicious domains associated with the campaign, such as:
- mailchimp-sso[.]com
- hubservices-crm[.]com
The structure of directories on these sites was identical, suggesting a centralized and well-organized operation. Additional domains were also linked to data exfiltration:
- nikafk244[.]com
- mysrver-chbackend[.]com
A key technical component was the malicious JavaScript embedded on the fake Ledger pages. This code captured the entered seed phrases and sent them to remote servers. It even included format validation for seed phrases to filter out incorrect or fake inputs, increasing the odds of capturing real wallet data.
The victims in this case are users who trust emails coming from big CRM platforms. This abuse of trusted infrastructure represents a new phase in phishing tactics—a form of supply chain compromise in the email ecosystem.
One particularly alarming aspect of PoisonSeed is its explicit focus on seed phrase theft. Unlike login credentials, a seed phrase gives full control over a user’s crypto assets. As a result, financial losses are instant and irreversible once the phrase is stolen.
While some parts of the campaign’s infrastructure resemble known groups like CryptoChameleon or Scattered Spider, analysts believe PoisonSeed is either a new autonomous group or a specialized subdivision within a larger entity referred to as “The Comm.”
In light of this incident, security experts recommend that organizations using CRM and email services implement additional verification layers and conduct thorough security audits to prevent supply chain-based intrusions.
