Malware Campaign Spreads Fake Wallet Seed Phrases Through Hacked Mailing Lists

Threat analysts have uncovered a sophisticated, two-pronged malware campaign targeting victims both inside and outside of the crypto industry.

In a recent report, cyber intelligence firm Silent Push identified the PoisonSeed malware campaign, which initially targets the users of bulk email providers including Mailchimp and SendGrid.

In one case, a content creator was sent a fraudulent message that claimed their account had been restricted—and they were duped into providing their login details through a bogus but "pixel-perfect" website.

From here, their mailing lists are downloaded en masse, in a process that Silent Push describes as "extremely quick and likely automated."

The next step sees unsuspecting subscribers sent emails purporting to be from crypto exchange Coinbase, which claim that the exchange is "transitioning to self-custodial wallets."

A 12-word seed phrase is provided, which the victims of the scam are told to import into their account—but doing so would give malicious actors the freedom to drain all of the crypto out of their wallet.

One of the Mailchimp customers affected, Microsoft regional director Troy Hunt, said he received the phishing email when he was "really jet lagged and really tired," leaving him vulnerable.

Although the penny dropped that something wasn't right immediately after he entered his login details—and he promptly changed his password—the mailing list had already been exported.

"Reading it again now, that's a very well-crafted phish," Hunt wrote. "It socially engineered me into believing I wouldn't be able to send out my newsletter so it triggered 'fear,' but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top."

Silent Push said that it is treating PoisonSeed as being distinct from two "loosely aligned threat actors" called Scattered Spider and CryptoChameleon—despite the fact these campaigns use similar phishing domains, and have targeted Coinbase and Ledger users in the past.

It's a sobering illustration that it isn't just consumers who need to be vigilant in the face of social engineering scams, but also content creators with large audiences for their newsletters.