We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: Holiday.com, ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Phishing Scam "PoisonSeed" Uses Email Marketing Accounts

By Anka Markovic Borak, Writer and Quality Assessor. First published on April 11, 2025.

Corporate email marketing accounts have been compromised and used in a phishing campaign known as "PoisonSeed," which is targeting cryptocurrency users and spreading fraudulent wallet seed phrases. The attacks were initiated in March 2025 and targeted Coinbase and Ledger users globally.

Security researchers at SilentPush identified that attackers are using hijacked accounts from services like Mailchimp, HubSpot, SendGrid, Mailgun, and Zoho to send phishing messages that appear legitimate.

The attackers first target users with access to CRM and bulk email platforms, deceiving them into entering their credentials on spoofed login pages. These pages on lookalike domains, such as mailchimp-sso[.]com, allow attackers to steal credentials and take over accounts.
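A defender-side check for the lookalike-domain pattern described above, added here as an illustration and not taken from the SilentPush research. The allow-list of legitimate domains and the sample message are assumptions; only mailchimp-sso[.]com comes from the article.

```python
import re
from urllib.parse import urlsplit

# Allow-list is an assumption of this sketch: extend it with the regional and
# SSO domains your own tenant really uses before relying on the result.
LEGIT = {"mailchimp": "mailchimp.com", "hubspot": "hubspot.com",
         "sendgrid": "sendgrid.com", "mailgun": "mailgun.com",
         "zoho": "zoho.com"}

def refang(text):
    """Undo the [.] defanging used when indicators are written up."""
    return text.replace("[.]", ".")

def classify(host):
    """Return (verdict, brand): 'legit', 'lookalike' or 'unrelated'."""
    host = refang(host).strip().lower().rstrip(".")
    for brand, domain in LEGIT.items():
        # Only the registered domain and its subdomains are the real service.
        if host == domain or host.endswith("." + domain):
            return "legit", brand
    for brand in LEGIT:
        # Brand name anywhere else in the hostname: mailchimp-sso.com,
        # mailchimp.com.example.net, login-mailchimp.example ...
        if brand in host:
            return "lookalike", brand
    return "unrelated", None

def scan_links(message):
    """Return the lookalike hostnames linked from an e-mail body."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", refang(message)):
        host = urlsplit(url.rstrip(".,;)")).hostname or ""
        if classify(host)[0] == "lookalike" and host not in hits:
            hits.append(host)
    return hits

# Constructed sample message; only mailchimp-sso[.]com comes from the article.
SAMPLE = ("Your Mailchimp session expired. Sign in again at "
          "https://mailchimp-sso[.]com/login to keep sending. "
          "Help: https://login.mailchimp.com/ or https://example.org/faq.")
```

Matching on the registered domain suffix rather than on the brand string is what separates `login.mailchimp.com` from `mailchimp-sso.com`.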

Once they've gained access, the attackers export mailing lists and generate new API keys so they can retain control of the account even if the user updates their password. They then send crypto-themed phishing emails to the harvested lists, prompting users to move their funds into a new wallet as part of a supposedly necessary migration or upgrade. As part of this move, they are asked to enter a provided seed phrase.
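The persistence step above means a password reset alone does not evict the attacker. The following added example (not from the article or any vendor) walks a constructed audit trail and reports API keys created during a session from a previously unseen IP that are still active afterwards. The event fields and action names are assumptions, not a real platform's schema.

```python
from datetime import datetime, timedelta

# Constructed events: (timestamp, account, action, source IP, key id).
# Action names are hypothetical; map them to your platform's audit log.
EVENTS = [
    ("2025-03-20T09:00:00", "acme", "login", "198.51.100.7", None),
    ("2025-03-21T10:00:00", "acme", "api_key_create", "198.51.100.7", "key-A"),
    ("2025-03-27T14:02:00", "acme", "login", "203.0.113.50", None),
    ("2025-03-27T14:05:00", "acme", "export_list", "203.0.113.50", None),
    ("2025-03-27T14:06:00", "acme", "api_key_create", "203.0.113.50", "key-B"),
    ("2025-03-27T18:30:00", "acme", "password_change", "198.51.100.7", None),
]

def keys_to_revoke(events, window=timedelta(hours=1)):
    """Return {account: {"exported": bool, "keys": [...]}} for suspect sessions."""
    known_ips, session, report, live = {}, {}, {}, {}
    for ts, acct, action, ip, key in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        seen = known_ips.setdefault(acct, set())
        if action == "login":
            if seen and ip not in seen:       # login from an IP with no history
                session[acct] = (ip, t)
            seen.add(ip)
            continue
        if action == "api_key_revoke":        # the only event that clears a key
            live.pop(key, None)
            continue
        s_ip, s_t = session.get(acct, (None, None))
        if not (ip == s_ip and t - s_t <= window):
            continue                          # owner activity, incl. password_change
        if action == "export_list":
            report.setdefault(acct, {"exported": False, "keys": []})["exported"] = True
        elif action == "api_key_create":
            live[key] = acct
    for key, acct in live.items():
        report.setdefault(acct, {"exported": False, "keys": []})["keys"].append(key)
    return report
```

On the sample trail, `key-B` is still reported after the 18:30 password change, while `key-A`, created from the account's usual IP, is not.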

If someone follows the steps in the email, they unknowingly put the attacker entirely in charge of their funds. Rather than creating a new, safe wallet, the provided seed phrase belongs to a wallet under the scammer’s control.

Although the PoisonSeed campaign resembles the tactics used by threat actors like CryptoChameleon and Scattered Spider, SilentPush attributes it to a different actor based on its infrastructure and code.

The campaign also comes on the back of recent email marketing account breaches — such as the late March breach of Troy Hunt's Mailchimp account and a subsequent SendGrid account breach related to Akamai — where the attackers utilized legitimate credentials to send crypto-themed phishing messages.

Users are advised to ignore emails requesting immediate crypto action and to log in directly to their accounts to check for updates, as genuine crypto exchanges will never send users a seed phrase. Moreover, wallets should always be self-generated and kept private.

About the Author

Anka Markovic-Borak is a writer and quality assessor at vpnMentor, who leverages her expertise to write insightful articles on cybersecurity, driven by her passion for protecting online privacy. She also ensures articles written by others are reaching vpnMentor's high standards.
