    Seed Poisoning: It’s not always about malicious Phishing URLs

    As email security researchers, we see many email attacks on a daily basis. The majority rely on malicious attachments containing malware or on embedded links leading to phishing websites. But that’s not always the case. Some malicious emails contain neither malware nor phishing links, yet they still aim to steal your money. This article explores one such example of a lesser-known threat type. In Q2 2025, we observed several large phishing campaigns targeting customers of the Coinbase cryptocurrency exchange. These emails used subject lines such as “Transitioning to Self-Custody Wallets” or “Migrate to Coinbase Wallet.”

    The email lure is designed to convince recipients that they need to migrate their cryptocurrency wallet to a new one to improve security - often including a deadline to create a sense of urgency. So far, this is typical phishing behavior. But here’s the twist: the emails do not contain any malware, and all links point to the legitimate Coinbase website. There’s no cloned phishing page, no man-in-the-middle proxy. So where’s the threat?

    The trick lies in the second half of the message. There, the attacker instructs the user to use a pre-generated seed phrase to set up their new wallet. These 12 words, in BIP-39 format, are easier to write down than a long hexadecimal passcode. While this makes them user-friendly, they still need to be secured. This seed phrase should always remain private - no one, not even Coinbase, should ever ask for it.


    However, not all users are familiar with how seed phrases work. Some might believe that using a provided phrase is part of the upgrade process. In reality, it's similar to a scammer telling someone to create a new email account and use the password "P@ssw0rd!" for better security - giving the attacker full control from the start.

    Anyone who knows the recovery seed phrase can log into the wallet and transfer out any assets. In effect, victims aren’t creating a new wallet - they're restoring an attacker-controlled (and initially empty) one. The attackers monitor these wallets and immediately steal any assets deposited.

    Naturally, the attacker must generate a unique wallet and seed phrase for each victim, which makes each email look slightly different. Otherwise, multiple victims would end up sharing the same wallet, making the scam easy to detect.
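    The reason a pre-generated phrase hands over control is that BIP-39 derives a wallet's root seed deterministically from the words, so whoever holds the phrase restores exactly the same wallet. The example below is added here to illustrate that step and is not code from the original article; it implements the standard's mnemonic-to-seed stretching with the Python standard library only, uses the specification's public all-zero-entropy test vector as the sample phrase, and the function name `restores_same_wallet` is chosen for this illustration.

```python
import hashlib
import unicodedata


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39: stretch a mnemonic sentence into the 64-byte root seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = NFKD("mnemonic" + passphrase). Every wallet that follows the
    standard computes the same seed, so a shared phrase is a shared wallet.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


# The BIP-39 specification's first test vector (all-zero entropy). It is used
# here only because it is public; a real phrase comes from the wallet's own RNG.
SPEC_VECTOR_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def restores_same_wallet(phrase_typed_by_victim, phrase_held_by_attacker):
    """True when both phrases lead to the same seed and therefore the same keys.

    Extra whitespace and letter case are harmless differences; only the words
    (and the optional passphrase, not used here) decide which wallet appears.
    """
    victim_seed = mnemonic_to_seed(phrase_typed_by_victim.lower())
    attacker_seed = mnemonic_to_seed(phrase_held_by_attacker.lower())
    return victim_seed == attacker_seed


if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(SPEC_VECTOR_MNEMONIC).hex())
    retyped = SPEC_VECTOR_MNEMONIC.upper().replace(" ", "   ")
    print("attacker and victim share one wallet:",
          restores_same_wallet(retyped, SPEC_VECTOR_MNEMONIC))
```

    The optional BIP-39 passphrase changes the seed entirely, which is why some wallets describe it as a "25th word": a phrase the attacker already knows gives them nothing if the victim restores it with a passphrase they chose themselves, but the lure in this campaign never mentions one.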

    These phishing emails are often sent from compromised marketing or CRM accounts using services like Mailchimp, SendGrid, or similar platforms. For example, some early campaigns originated from a hijacked Akamai account. As a result, these emails usually pass SPF, DKIM, and DMARC authentication checks, because the sending infrastructure is genuinely authorized for the compromised account's domain - making them appear legitimate.

    The target lists were likely sourced from past data breaches. We’ve noticed that only a small selection of our customers were targeted, suggesting the attackers are trying to make their messages more convincing by focusing on likely Coinbase users.

    This scam has become so widespread that Coinbase has started showing warnings when users attempt to recover a wallet using a seed phrase.


    Of course, there are visible red flags:

    • The tone of urgency
    • The fact that the sender isn’t a legitimate Coinbase address
    • The pre-generated seed phrase (a practice Coinbase explicitly warns against)
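    The red flags above, together with the earlier observation that these messages pass SPF, DKIM and DMARC, translate into a content-based check that does not depend on links or attachments. The following Python example is added here and is not code from the original article or from any vendor's product: it parses one message, records the authentication outcome, compares the sender domain with the impersonated brand, looks for urgency wording, and flags any run of twelve or more consecutive BIP-39 words in the body. The sample email, the urgency terms, the expected sender domain and the small BIP-39 word subset are all constructed for this example; a real filter loads the full 2048-word list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed subset of the 2048-word English BIP-39 list, enough for the sample
# below. A real filter loads the full list shipped with the BIP-39 specification.
BIP39_WORDS = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
adult advance advice aerobic affair afford afraid again age agent
""".split())

# Wording that signals the time pressure the lure relies on (assumption: tune per environment).
URGENCY_TERMS = ("deadline", "immediately", "within 24 hours", "must migrate", "act now")

# Domains the impersonated brand legitimately mails from (assumption for this example).
BRAND = "coinbase"
EXPECTED_SENDER_DOMAINS = frozenset({"coinbase.com"})

# Constructed sample modelled on the lure: authentication passes, no attachment,
# and the body hands the recipient a ready-made seed phrase.
SAMPLE_EMAIL = """\
From: Coinbase Support <news@marketing-sender.example>
To: customer@example.net
Subject: Transitioning to Self-Custody Wallets
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass

Your wallet must migrate to the new self-custody wallet before the deadline.
Open the Coinbase Wallet app, choose Import an existing wallet and enter these words:

abandon ability able about above absent absorb abstract absurd abuse access accident

Do not share these words with anyone.
"""


def find_seed_phrase_runs(text, wordlist=BIP39_WORDS, min_len=12):
    """Lengths of every maximal run of consecutive wordlist words at least min_len long.

    Ordinary English rarely strings together twelve BIP-39 words (articles such as
    "the" and "and" are not on the list), so a long run is a strong indicator.
    """
    tokens = re.findall(r"[a-z]+", text.lower())
    runs, current = [], 0
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        if tok in wordlist:
            current += 1
        else:
            if current >= min_len:
                runs.append(current)
            current = 0
    return runs


def parse_auth_results(header):
    """Map spf/dkim/dmarc to their outcome from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", (header or "").lower()))


def _body_text(msg):
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_email(raw):
    """Score one RFC 5322 message; the verdict never looks at links or attachments."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    auth = parse_auth_results(msg.get("Authentication-Results"))
    auth_all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    sender_mismatch = BRAND in text and sender_domain not in EXPECTED_SENDER_DOMAINS
    urgency = [t for t in URGENCY_TERMS if t in text]
    seed_runs = find_seed_phrase_runs(body)

    if seed_runs:
        verdict = "seed_poisoning_suspected"  # no legitimate sender mails a seed phrase
    elif sender_mismatch and urgency:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "sender_domain": sender_domain,
        "auth_all_pass": auth_all_pass,  # True here: passing authentication proves nothing
        "sender_mismatch": sender_mismatch,
        "urgency_terms": urgency,
        "seed_phrase_runs": seed_runs,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

    The seed-phrase run is deliberately the decisive signal: urgency and sender mismatch also occur in legitimate marketing mail, but a sequence of twelve or twenty-four wordlist words in an inbound message has no benign explanation, and it is visible even when every link resolves to the genuine site.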

    Some researchers have attributed this campaign to the PoisonSeed group. Also, beware of follow-up scammers. When victims share their experience publicly - on forums or social media - opportunistic fraudsters often reach out, claiming they can help recover the stolen funds for a small advance fee. These are scams on top of scams, preying on already-victimized users.

    This simple case highlights a critical truth: email threat detection must look beyond links and attachments. Many attributes need to be analyzed and considered to determine whether a message is malicious or part of a scam.