Phishing Attack Sends Pre-Generated Seed Phrases to Coinbase and Ledger Users

Researchers have uncovered a large-scale phishing campaign known as PoisonSeed, in which scammers send pre-generated seed phrases to users of Coinbase and Ledger. The attackers compromise corporate accounts used for email marketing and, posing as legitimate senders, distribute fraudulent emails through hacked accounts on platforms like Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.

According to experts at SilentPush, these attacks primarily target Coinbase and Ledger users. The campaign may also be linked to a recent phishing attack on Troy Hunt, the founder of the data breach aggregator Have I Been Pwned, which resulted in the compromise of a Mailchimp mailing list, as well as a breach of Akamai’s account on SendGrid.

How the PoisonSeed Campaign Works

In the PoisonSeed campaign, hackers first identify potential victims who have access to CRM and mass email platforms. They do this by checking which email addresses companies use for marketing and newsletters and by finding employees in relevant positions.

These individuals are then targeted with spear-phishing attacks: emails are sent from spoofed addresses, and the included links lead to fake login pages that are carefully crafted to look legitimate. For example, in emails sent to Mailchimp clients, attackers used domains such as mail-chimpservices[.]com, mailchimp-sso[.]com, and mailchimp-ssologin[.]com.

Exploiting Compromised Accounts

If the attack is successful and credentials are obtained, the attackers export mailing lists and generate new API keys to maintain access to the compromised account, even if the victim quickly changes their password.

The hacked account is then used to send out mass phishing emails related to cryptocurrency, urging users to take immediate action. For instance, the emails may contain a pre-generated seed phrase for a Coinbase wallet and instruct the user to enter it into a new crypto wallet as part of an update or migration process. If the user follows these instructions and transfers funds to a new wallet using the provided seed phrase, they effectively give the scammers access to all their assets.
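Two of the signals described above, lookalike brand domains in links and a pre-generated seed phrase embedded in the mail body, can be checked mechanically at the mail gateway. The following triage script is an added example written for this article, not code from SilentPush or any of the platforms named; the trusted-domain table and the two sample messages are constructed for the demonstration, and the seed-phrase check is a loose heuristic (a run of 12 or 24 plain lowercase words next to a "recovery phrase" style keyword) rather than a lookup against the real BIP39 word list.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only legitimate registered domains for each brand.
# A real deployment would load this from a maintained allow-list.
BRAND_DOMAINS = {
    "mailchimp": {"mailchimp.com"},
    "coinbase": {"coinbase.com"},
    "ledger": {"ledger.com"},
}

SEED_KEYWORDS = re.compile(r"\b(?:seed|recovery|secret)\s+phrase\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# 12 to 24 consecutive lowercase words of 3-8 letters with nothing but whitespace between them.
WORD_RUN_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")


def refang(text: str) -> str:
    """Undo the defanging used in threat reports so URLs can be parsed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (good enough for .com-style domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host: str):
    """Return the brand a hostname imitates, or None if it is the brand's own domain
    or contains no brand token. Hyphens are removed so mail-chimp* still matches."""
    reg = registered_domain(host)
    flat = host.lower().replace("-", "")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in flat and reg not in legit:
            return brand
    return None


def find_word_runs(text: str):
    """Runs of at least 12 bare lowercase words, the shape of a pasted seed phrase."""
    return [m.group(0).split() for m in WORD_RUN_RE.finditer(text)]


def triage(message: str) -> dict:
    """Score one message: lookalike link domains plus seed-phrase-like content."""
    text = refang(message)
    lookalikes = []
    for url in URL_RE.findall(text):
        host = urlsplit(url.rstrip(".,;)")).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            lookalikes.append((brand, host))
    has_keyword = bool(SEED_KEYWORDS.search(text))
    runs = find_word_runs(text)
    seed_suspected = has_keyword and bool(runs)
    return {
        "lookalike_domains": lookalikes,
        "seed_phrase_suspected": seed_suspected,
        "suspicious": seed_suspected or bool(lookalikes),
    }


# Constructed sample messages (not real campaign mail).
SAMPLE_PHISH = """Subject: Action required: migrate your Coinbase wallet

Your wallet must be migrated today. Use this recovery phrase in your new wallet:

apple brick candle dragon eagle forest garden harbor island jungle kettle lantern

Confirm here: https://coinbase-walletmigration[.]com/confirm
"""

SAMPLE_BENIGN = """Subject: Your monthly newsletter

Thanks for reading. Log in at https://us1.admin.mailchimp.com/ to manage your preferences.
"""

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, triage(msg))
```

The domain check deliberately keys on the brand token anywhere in the hostname, so subdomain tricks such as coinbase.example.com are flagged too, while the brand's own subdomains pass because the registered domain matches. The word-run heuristic on its own will produce false positives on unusual prose; in production, validate candidate runs against the 2048-word BIP39 list and its checksum before blocking.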

Security Recommendations

Experts remind crypto wallet users that they should never use third-party seed phrases under any circumstances. No reputable platform will ever send clients emails containing pre-generated seed phrases. Users should always generate their own seed phrases when creating wallets and never share them with anyone else.
