PoisonSeed: supply-chain phish, seed-phrase theft, MFA bypass
If your bulk email or CRM gets popped, PoisonSeed rides your good reputation straight past filters and users’ instincts. Here’s the fast path to detect and blunt it—without boiling the ocean.

TL;DR
Key Points
- Block known PoisonSeed infra and look-alikes; watch NiceNIC domains spoofing SendGrid/Mailchimp/SSO/crypto.
- Enforce phishing-resistant MFA (FIDO2/WebAuthn) for admins and any account that can send to customers.
- Instrument bulk email/CRM for list-export spikes and unauthorized API keys; alert in near-real time.
- Harden login flows against adversary-in-the-middle (AitM) proxies that steal MFA tokens/session cookies.
- Prioritize crypto-adjacent users (seed phrase = wallet recovery words) and marketing/IT roles for extra controls.
The story in 60 seconds
PoisonSeed is a financially motivated eCrime actor active since March 2025. They hijack bulk email/CRM and spoof login pages to steal credentials at scale, then pivot to cloud and crypto targets. They stand out by pairing supply-chain phish with seed-phrase poisoning and polished AitM kits.
Their kits proxy logins (adversary-in-the-middle) to capture MFA tokens and session cookies, use fake Cloudflare CAPTCHA pages, and automate list exports and API-key creation. Infrastructure churn is fast: NiceNIC registrations, WHOIS obfuscation, crypto/SSO theming.
Impact spans marketing (compromised senders), IT/admins (SSO/cloud), and crypto users (seed-phrase traps). Expect more domains, better spoofing, and continued use of compromised email providers through at least Sep 2025.
Why it matters
SOC
- Three cues: (1) rapid email-list exports or API-key creation in Mailchimp/SendGrid; (2) new domains matching {sendgrid|mailchimp|sso|coinbase|ledger} at NiceNIC or bulletproof hosts; (3) MFA-success followed by impossible travel / device change within minutes.
IR
- Triage: confirm supply-chain pivot (who sent what, from where).
- Preserve: mail/CRM audit logs, API-key creation events, phishing pages/HTML, TLS certs, and session tokens tied to AitM.
SecOps
- Controls: mandate FIDO2 for privileged + bulk-sender roles; conditional access by device key; outbound DNS/TLS SNI blocks for impersonation domains.
Strategic (leadership)
- Customer-trust risk via “legit” campaigns from your accounts; require executive sign-off on FIDO2 rollout and supplier attestations for MFA, logging, and export-rate limits.
See it in your telemetry
Network
- DNS/TLS SNI to newly registered domains resembling {sendgrid|mailchimp|sso|coinbase|ledger}; unusual egress to bulletproof ASNs.
- Short-lived TLS sessions to AitM infra immediately preceding new device/IP cookies for SSO.
Endpoint
- Browser launching from email client → external login with redirected chain and new cookies; suspicious certificate chains; clipboard access on wallet pages.
Mail/Gateway
- Authenticated sends from your tenant with unusual “From” permutations; sudden rise in bounces/blocks; DKIM/SPF valid but content/links off-brand.
SaaS/IdP
- Mailchimp/SendGrid: spikes in list exports; new API keys; permission grants outside change windows.
- IdP: MFA success + device change + geo shift within one session; step-up prompts bypassed via token replay.
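The SOC cues above (rapid list exports / API-key creation, and MFA success followed by a device and geo change within one session) as detection logic over constructed sample events. This is an added example, not code from the AlphaHunt write-up or from any vendor; the flat event schema, the provider names and the thresholds are assumptions to be mapped onto your own Mailchimp/SendGrid audit logs and IdP sign-in logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. The flat schema (src/actor/action/device/geo)
# is assumed here; map your Mailchimp/SendGrid audit log and IdP sign-in log fields onto it.
EVENTS = [
    {"ts": "2025-03-20T10:00:00", "src": "mailchimp", "actor": "mkt-admin", "action": "list_export"},
    {"ts": "2025-03-20T10:01:10", "src": "mailchimp", "actor": "mkt-admin", "action": "list_export"},
    {"ts": "2025-03-20T10:01:40", "src": "mailchimp", "actor": "mkt-admin", "action": "api_key_create"},
    {"ts": "2025-03-20T10:02:05", "src": "mailchimp", "actor": "mkt-admin", "action": "list_export"},
    {"ts": "2025-03-20T12:00:00", "src": "sendgrid", "actor": "ops", "action": "list_export"},
    {"ts": "2025-03-20T11:30:00", "src": "idp", "actor": "it-admin", "action": "mfa_success",
     "device": "laptop-01", "geo": "US"},
    {"ts": "2025-03-20T11:33:00", "src": "idp", "actor": "it-admin", "action": "session_use",
     "device": "unknown-7f", "geo": "NL"},
]
EXPORT_ACTIONS = {"list_export", "api_key_create"}

def ts(e):
    return datetime.fromisoformat(e["ts"])

def export_abuse(events, window=timedelta(minutes=5), threshold=3):
    """Cue 1: `threshold`+ exports / API-key creations by one actor inside `window` -> {(provider, actor)}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["src"] in ("mailchimp", "sendgrid") and e["action"] in EXPORT_ACTIONS:
            by_actor[(e["src"], e["actor"])].append(ts(e))
    hits = set()
    for key, times in by_actor.items():
        times.sort()
        # Sliding window: for each start event, count the events that fall within `window` of it.
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                hits.add(key)
                break
    return hits

def aitm_replay(events, window=timedelta(minutes=10)):
    """Cue 3: MFA success then session use from a different device AND geo within `window` (token replay)."""
    last_mfa, hits = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["src"] != "idp":
            continue
        if e["action"] == "mfa_success":
            last_mfa[e["actor"]] = e
        elif e["action"] == "session_use" and e["actor"] in last_mfa:
            m = last_mfa[e["actor"]]
            if ts(e) - ts(m) <= window and e["device"] != m["device"] and e["geo"] != m["geo"]:
                hits.append((e["actor"], m["device"], e["device"], m["geo"], e["geo"]))
    return hits
```

Tune `window` and `threshold` to the baseline export rate of your marketing team; a single legitimate export should never trip cue 1, while a burst paired with a new API key is the PoisonSeed monetization step.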
High Impact, Quick Wins
- Ship security keys to the right people first. Start with admins, bulk senders, finance, and any crypto-adjacent user. Sell it: stops AitM where OTP apps cannot. Measure: % FIDO2 coverage on privileged accounts; AitM detections/week.
- Alert on export/API-key abuse now. Add hard thresholds and Just-In-Time approvals for list exports and key creation. Sell it: blocks the monetization step. Measure: MTTR from alert to containment; number of blocked high-risk actions.
- Pre-block look-alike domains. Deploy a curated denylist and pattern rules (registrar + keyword) at DNS/email/firewall. Sell it: reduces click-through and lateral abuse. Measure: block counts; reduction in user-reported phish; hit rate on newly registered look-alikes.
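The “registrar + keyword” pattern rule from the third quick win, worked as a small denylist builder over a new-domain feed. This is an added example, not AlphaHunt’s or any vendor’s code; the feed row layout, the allowlist, the 30-day “newly registered” horizon and every sample domain are constructed assumptions.

```python
from datetime import date, timedelta

# Brand keywords the write-up says PoisonSeed kits impersonate, and the registrar it favours.
BRAND_KEYWORDS = ("sendgrid", "mailchimp", "sso", "coinbase", "ledger", "hubspot", "zoho")
WATCHED_REGISTRARS = ("nicenic",)
# Hypothetical allowlist of the real brand domains so the rule never blocks the genuine service.
ALLOWLIST = {"sendgrid.com", "mailchimp.com", "coinbase.com", "ledger.com"}
NEW_DOMAIN_DAYS = 30  # assumed "newly registered" horizon

def registrable(domain):
    """Naive name.tld reduction; good enough for the two-label domains in the sample feed."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def lookalike_reasons(domain, registrar, created, today):
    """Signals that make `domain` a PoisonSeed-style look-alike, or [] if it is clean.
    A domain is flagged only when a brand keyword pairs with at least one infrastructure signal."""
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return []
    label = reg.split(".")[0]
    hits = [k for k in BRAND_KEYWORDS if k in label]
    reasons = ["brand-keyword:" + ",".join(hits)] if hits else []
    if registrar and registrar.lower().replace(" ", "") in WATCHED_REGISTRARS:
        reasons.append("registrar:" + registrar)
    if created and today - created <= timedelta(days=NEW_DOMAIN_DAYS):
        reasons.append("newly-registered")
    return reasons if hits and len(reasons) >= 2 else []

def build_denylist(rows, today):
    """rows: (domain, registrar, creation_date) from a new-domain feed; returns {domain: reasons}."""
    out = {}
    for domain, registrar, created in rows:
        reasons = lookalike_reasons(domain, registrar, created, today)
        if reasons:
            out[domain] = reasons
    return out

# Constructed sample feed rows; domains, registrars and dates are invented, not real WHOIS data.
SAMPLE = [
    ("sendgrid-verify-login.com", "NiceNIC", date(2025, 3, 10)),
    ("mailchimp-sso-portal.com", "NiceNIC", date(2025, 3, 12)),
    ("ledger-update-login.net", "Some Registrar", date(2025, 3, 15)),
    ("sendgrid.com", "Some Registrar", date(2009, 1, 1)),
    ("example-crm.com", "Some Registrar", date(2020, 5, 5)),
]
DENYLIST = build_denylist(SAMPLE, today=date(2025, 3, 20))
```

Feed the resulting domains to your DNS RPZ, mail gateway and firewall, and review the `reasons` field in triage: a keyword-only hit on an old domain at an ordinary registrar is deliberately left out so the rule stays precise.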
Research
Executive Summary
PoisonSeed is a recently identified, financially motivated eCrime actor active since early 2025, targeting enterprise and cryptocurrency sectors through sophisticated credential theft and phishing operations. The group is responsible for high-profile compromises of bulk email providers (Akamai’s SendGrid, Troy Hunt’s Mailchimp), enabling large-scale supply chain phishing attacks. PoisonSeed’s campaigns are characterized by advanced phishing kits capable of pixel-perfect login page spoofing, adversary-in-the-middle (AitM) proxies for MFA bypass, and innovative seed phrase poisoning targeting cryptocurrency wallets.
While PoisonSeed shares some infrastructure and TTPs with groups like Scattered Spider and CryptoChameleon, current research (Silent Push, Troy Hunt, GBHackers) classifies it as a distinct entity due to unique phishing kit codebases and operational behaviors. The group’s infrastructure is notable for rapid domain registration (often via NiceNIC), use of bulletproof hosting, and WHOIS obfuscation. Technical indicators include domains mimicking SendGrid, Mailchimp, Coinbase, and other high-value targets, as well as IPs associated with phishing infrastructure.
PoisonSeed’s attack chain includes supply chain compromise (bulk email/CRM providers), credential harvesting, seed phrase poisoning, and MFA bypass via AitM proxies. The group automates email list exfiltration and API key creation for persistence, and employs fake Cloudflare CAPTCHA interstitials to increase phishing success and evade detection. Targeted sectors include cryptocurrency platforms, enterprise cloud services, financial services, and technology/IT.
Mitigation strategies focus on enforcing phishing-resistant MFA, integrating threat intelligence to block PoisonSeed infrastructure, monitoring for supply chain abuse (e.g., rapid email list exports, unauthorized API key creation), and enhancing user awareness of advanced phishing lures. Organizations should expect PoisonSeed to continue evolving its phishing kits, infrastructure, and social engineering tactics, with a likely increase in targeting of high-value user roles and supply chain vectors over the next 12–24 months. Attribution remains cautious, with high confidence in technical separation from related groups, but moderate confidence in ecosystem overlap.
Historical Context
PoisonSeed is a distinct eCrime threat actor first identified in early 2025, specializing in credential theft and phishing campaigns targeting enterprise and cryptocurrency sectors. The group’s operations have been linked to high-profile incidents involving the compromise of bulk email providers (e.g., SendGrid, Mailchimp) and subsequent supply chain phishing attacks. PoisonSeed’s campaigns are notable for their use of advanced phishing kits, infrastructure reuse, and innovative seed phrase poisoning techniques targeting cryptocurrency wallets. While some TTPs and infrastructure overlap with groups like CryptoChameleon and Scattered Spider, current research classifies PoisonSeed as a separate entity due to unique technical and operational characteristics.
Timeline
- March 2025: PoisonSeed compromises Akamai’s SendGrid account, launching phishing campaigns against enterprise and crypto targets.
- March 2025: Targeted phishing attack against Troy Hunt’s Mailchimp account, leading to rapid email list exfiltration and bulk spam.
- April–September 2025: Ongoing domain registrations, infrastructure expansion, and continued phishing operations targeting CRM, bulk email, and cryptocurrency platforms.
Origin
PoisonSeed is assessed as a financially motivated, Western-based eCrime group. While its infrastructure and some TTPs (e.g., use of NiceNIC registrar, obscene WHOIS fields) show overlap with The Comm collective (which includes Scattered Spider and CryptoChameleon), Silent Push and other primary sources explicitly classify PoisonSeed as a separate actor. There is no direct evidence from CrowdStrike, Google GTI, or CISA linking PoisonSeed as a sub-group or direct affiliate of Scattered Spider or CryptoChameleon, though operational similarities exist.
Countries Targeted
- United States – Primary focus, especially for enterprise and crypto users.
- United Kingdom – Targeted via CRM and bulk email provider phishing.
- Canada – Noted in supply chain and crypto phishing campaigns.
- Australia – Observed in enterprise and cloud service targeting.
- European Union – Opportunistic targeting of financial and technology sectors.
Sectors Targeted
- Cryptocurrency Platforms – Direct targeting of user wallets and seed phrases.
- Bulk Email/CRM Providers – Initial access for supply chain phishing.
- Enterprise Cloud Services – Credential harvesting for SSO and cloud accounts.
- Financial Services – Account takeover and lateral movement.
- Technology/IT – Infrastructure abuse and phishing infrastructure hosting.
Motivation
PoisonSeed is financially motivated, seeking to steal credentials and seed phrases for direct theft of cryptocurrency and monetization of compromised enterprise accounts. The group leverages compromised infrastructure to scale phishing operations and maximize financial gain.
Attack Types
- Phishing (Credential Harvesting): Pixel-perfect spoofing of login pages for CRM, bulk email, and crypto platforms.
- Seed Phrase Poisoning: Supplying victims with attacker-controlled seed phrases for future wallet compromise.
- MFA Bypass: Adversary-in-the-Middle (AitM) phishing kits intercepting credentials and MFA tokens.
- Supply Chain Attacks: Using compromised email providers to launch further phishing campaigns.
- Infrastructure Abuse: Rapid domain registration, use of bulletproof hosting, and WHOIS obfuscation.
Known Aliases
- PoisonSeed (primary, Silent Push)
- No direct aliases from CrowdStrike, Google GTI, or CISA. Silent Push explicitly distinguishes PoisonSeed from Scattered Spider and CryptoChameleon, despite infrastructure and TTP overlap.
Links to Other APT Groups
- Scattered Spider: Overlap in registrar choice, WHOIS patterns, and some infrastructure, but no direct code or campaign alignment. PoisonSeed is currently being classified separately due to multiple unique data points distinguishing the two and a general lack of code commonalities between the groups.
- CryptoChameleon: Similar targeting of crypto users and infrastructure, but PoisonSeed’s seed phrase poisoning and supply chain spam operations are unique. Alignment on infrastructure decisions is noted, but no current on-page code overlap; groups are kept separate until definitive information is acquired.
Similar Threat Actor Groups
- CryptoChameleon: VIP spear phishing, SIM swaps, and crypto theft, but with different operational tempo and phishing kit design.
- Scattered Spider: Big game hunting, ransomware, and corporate extortion, but not observed using seed phrase poisoning or supply chain spam as in PoisonSeed campaigns.
Breaches Involving This Threat Actor
- Akamai SendGrid Compromise: Used to launch phishing campaigns against Coinbase and other crypto users.
- Mailchimp Account Compromise (Troy Hunt): Led to rapid exfiltration of mailing lists and subsequent phishing.
Technical Indicators (IoCs), Phishing Kit Capabilities, and MFA Bypass Methods
Sample Domains and IPs (from Silent Push):
Phishing Kit Capabilities:
- Pixel-perfect spoofing of login pages for SendGrid, Mailchimp, Hubspot, Zoho, Coinbase, and Ledger.
- Use of fake Cloudflare CAPTCHA interstitials to increase legitimacy and evade detection.
- Automated email list exfiltration and API key creation for persistence in compromised accounts.
- Seed phrase poisoning: Supplying attacker-controlled seed phrases to victims for future wallet takeover.
MFA Bypass Methods:
- Adversary-in-the-Middle (AitM) phishing proxies intercepting credentials and MFA tokens.
- Real-time session hijacking and token theft.
- Use of encrypted victim emails in URLs and cookies to validate targets and evade automated scanners.
Recommendations, Actions, Suggested Pivots, Forecasts and Next Steps
(Subscribers Only)