Cybersecurity Weekly: The Rising Threats of PoisonSeed Phishing, North Korean HR Scams, and Major Darknet Busts

We’ve compiled the most significant cybersecurity news from the past week.

Analysts at SilentPush have identified a phishing campaign named PoisonSeed, which sends out emails containing attacker-controlled seed phrases in order to steal cryptocurrency.

Initially, the attackers create counterfeit pages for well-known email marketing platforms, including Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. Using these fake pages, they compromise corporate email accounts belonging to various marketers and send spam from these accounts. The hackers are particularly targeting clients of the Coinbase exchange and owners of Ledger hardware wallets.

The emails typically convey an urgent message, such as "Coinbase is transitioning to self-custody wallets," and include a seed phrase. Victims are encouraged to enter this phrase when creating a new crypto wallet, supposedly for a "secure asset transfer" as part of an update or migration.

If the victim follows these instructions, any funds moved into the new wallet are controlled by the attacker, who already holds the seed phrase and therefore has complete access to them.

**North Korean Hackers Posing as HR Managers of Major Crypto Exchanges**

Sekoia experts have pointed out a new tactic called ClickFix that the North Korean hacking group Lazarus Group is using to target job seekers in AI and cryptocurrency sectors.

Targets receive fake interview invitations from bogus websites. When users navigate to these sites and view the content, they encounter errors. The page prompts them to "fix" the problem by executing PowerShell commands that download malware.

During this campaign, hackers impersonate well-known crypto projects, including Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit.

In addition to stealing cryptocurrencies, the malware can perform file operations, execute shell commands, steal cookies, browsing history, and saved passwords, as well as collect system metadata.

A member of the hacking group SiegedSec, which is responsible for the breaches of the NATO portal, the Heritage Foundation, and a nuclear lab in Idaho, claimed that the FBI searched the home of the group's leader, known as "vio," and arrested her. This information was reported by the Daily Dot, citing a tweet from March 26.

"I'm sorry to inform you that vio's location was raided this morning. She is no longer available, and there is no contact with her, making [communication from her] unreliable," tweeted a user under the handle mewmrrpmeow.

The next day, a new post noted that "the silence surrounding the SiegedSec case is concerning."

Details about the situation are scarce. SiegedSec disbanded in July 2024 after leaders from the Heritage Foundation warned that information about the hackers had been passed to the FBI. However, the agency has not publicly stated that it is conducting an investigation or filing any charges.

German law enforcement, in collaboration with Dutch authorities, has shut down Kidflix, one of the largest darknet platforms for distributing child sexual abuse material (CSAM). The operation started in 2022 and was concluded on March 11, 2025, but details have only just been made public.

During the operation, 79 individuals were arrested, 1,393 suspects were identified, and over 3,000 electronic devices were seized. The website's server was also confiscated.

Since its launch in 2021, Kidflix hosted over 91,000 unique videos with a total running time of more than 6,288 hours. Its user base exceeded 1.8 million individuals, who paid for access to content in cryptocurrency and could earn internal tokens for their activity.

Case materials have been referred to investigative authorities in 35 countries for further action against the suspects.

Paradigm has released a comprehensive report detailing North Korean cybercriminal groups responsible for attacks on organizations and individuals worldwide.

Alongside the most notorious Lazarus Group, experts discussed Contagious Interview and Wagemole, which operate recruitment schemes to steal a wide range of data, including cryptocurrencies.

AppleJeus spreads malware disguised as trading applications and crypto utilities, while Dangerous Password utilizes social engineering tactics to target digital asset holders.

The most sophisticated group has been identified as TraderTraitor, which selects its victims from Bitcoin exchanges and major related companies and breaches their defenses with highly targeted phishing.

On April 4, U.S. President Donald Trump extended by 75 days the deadline for TikTok's parent company, ByteDance, to sell its American assets to avoid a ban. The President expressed hopes for continued "good-faith cooperation with China."

According to Reuters sources, the Chinese side suspended the deal after a 54% tariff was imposed on Chinese goods imported into the U.S.