PoisonSeed Campaign Reveals Critical Weakness in FIDO Cross-Device Authentication Flows

A sophisticated phishing campaign uncovered by cybersecurity firm Expel in July 2025 has exposed a critical vulnerability in one of the most trusted authentication mechanisms in the cryptocurrency industry. The PoisonSeed threat group demonstrated that FIDO2 hardware security keys, long considered the gold standard for phishing-resistant authentication, can be circumvented through their own cross-device sign-in feature. With Bitcoin trading at $117,947 and the crypto industry managing trillions in assets, this revelation demands immediate attention from every platform that relies on FIDO keys to protect user accounts.

The Exploit Mechanics

The attack leverages FIDO2 cross-device sign-in, a legitimate feature designed to allow users to authenticate on a device that does not have a passkey by scanning a QR code with a second device that holds the cryptographic key. The attack chain begins with a phishing email that directs victims to a fake login page mimicking their enterprise Okta portal. When the victim enters their credentials, the phishing site relays them in real time to the actual login page through an adversary-in-the-middle proxy.

The critical innovation occurs next. The phishing site instructs the legitimate login page to use the hybrid transport method for authentication, which causes the real page to generate a QR code. This QR code is then captured by the phishing site and displayed to the victim. When the user scans the QR code with their authenticator app, the login portal and the MFA authenticator establish communication — and the attackers gain access to the authenticated session.

The technique specifically targets cross-device flows that do not enforce strict proximity checks such as Bluetooth or local device attestation. If a user environment mandates hardware security keys plugged directly into the login device or uses platform-bound authenticators like Face ID tied to the browser context, the attack chain breaks. The vulnerability lies not in a protocol flaw but in the flexible implementation of the hybrid transport method.

However, Expel subsequently retracted key elements of its original findings on July 25, 2025. Upon further analysis of Okta logs, the company discovered that all subsequent multi-factor authentication challenges actually failed and that the attackers were not granted access to the requested resource. The evidence confirmed that the targeted user credentials were phished and that the attacker successfully passed password authentication, but the FIDO protection ultimately held.

Affected Systems

The PoisonSeed campaign is not limited to FIDO authentication attacks. The threat group was previously identified in April 2025 as exploiting compromised credentials associated with customer relationship management tools and bulk email providers to send spam messages containing cryptocurrency seed phrases, designed to drain victims' digital wallets. The group has demonstrated a pattern of targeting the cryptocurrency ecosystem through multiple attack vectors simultaneously.

The FIDO cross-device phishing technique affects any organization using FIDO2 authentication with the hybrid transport method enabled. This includes most major cryptocurrency exchanges, institutional custody platforms, and enterprise crypto operations that rely on hardware security keys for privileged access. The attack is particularly concerning because it exploits a feature that many organizations have explicitly enabled to improve user experience — allowing mobile authentication for desktop sessions.

The broader context of July 2025 adds urgency to this finding. The month saw $142 million stolen across 17 crypto-related attacks, with major breaches at CoinDCX ($44.2 million), GMX ($42 million), BigONE ($27 million), and WOO X ($14 million). While these attacks used different vectors, they collectively demonstrate the intensity of threat actor focus on cryptocurrency platforms.

The Mitigation Strategy

Organizations can implement several immediate mitigations to protect against FIDO cross-device phishing. First, enforce device-bound authenticators wherever possible, requiring security keys to be physically connected to the login device rather than allowing cross-device flows. Second, implement transaction confirmation screens on the authenticating device that display contextual information such as the requesting domain, geographic location, and device type — enabling users to detect when they are approving a malicious session.
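One way a relying party can enforce the device-bound policy described above, as an added example (not code from the article, Expel, or any FIDO library): at registration it refuses credentials whose only transport is the hybrid (QR / cross-device) one and stores only device-bound transports, and at login it builds allowCredentials hints that never advertise hybrid. The transport strings are the WebAuthn AuthenticatorTransport values; STRICT_POLICY and the stored-credential record shape are assumptions.

```javascript
// Added example, not from the article or Expel. Relying-party policy that keeps
// FIDO2 credentials on device-bound transports (a key plugged into or built into
// the login device) and excludes the "hybrid" transport used by the QR /
// cross-device flow. Transport strings are WebAuthn AuthenticatorTransport
// values; STRICT_POLICY and the stored-credential record shape are assumptions.

const STRICT_POLICY = {
  allowedTransports: new Set(["usb", "nfc", "internal"]),
  // A credential that reports no transports gives nothing to enforce on,
  // so strict mode rejects it rather than guessing.
  acceptUnknownTransports: false,
};

// Decide at registration whether to store a credential, based on the transports
// the client reported (AuthenticatorAttestationResponse.getTransports()).
function evaluateRegistration(transports, policy = STRICT_POLICY) {
  if (!Array.isArray(transports) || transports.length === 0) {
    return { ok: policy.acceptUnknownTransports, storedTransports: [], reason: "no transport hints" };
  }
  const kept = transports.filter((t) => policy.allowedTransports.has(t));
  const dropped = transports.filter((t) => !policy.allowedTransports.has(t));
  if (kept.length === 0) {
    // e.g. a phone passkey reachable only over hybrid: do not enroll it.
    return { ok: false, storedTransports: [], reason: `only non-device-bound transports: ${dropped.join(",")}` };
  }
  // Persist only the allowed transports so later allowCredentials hints never
  // advertise hybrid, even if the authenticator also supports it.
  return { ok: true, storedTransports: kept, reason: dropped.length ? `dropped ${dropped.join(",")}` : "ok" };
}

// Build allowCredentials for navigator.credentials.get() from stored records.
// Browsers use the transports hint to choose which flows to offer, so listing
// only device-bound transports steers the UI away from the QR flow.
function buildAllowCredentials(storedCredentials, policy = STRICT_POLICY) {
  return storedCredentials
    .map((c) => ({
      type: "public-key",
      id: c.id, // base64url credential id recorded at registration
      transports: c.transports.filter((t) => policy.allowedTransports.has(t)),
    }))
    .filter((c) => c.transports.length > 0);
}

// Demo on constructed records: a phone passkey (hybrid only) and a USB/NFC key.
console.log(evaluateRegistration(["hybrid"]));
console.log(buildAllowCredentials([{ id: "phone", transports: ["hybrid"] }, { id: "yubikey", transports: ["usb", "nfc"] }]));
```

Transport hints are self-reported by the client, so this enforces policy on the honest path; when you need proof of the authenticator model, verify attestation at registration as well.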

Security teams should monitor for unusual QR code login patterns, particularly authentications originating from unexpected geographic locations or occurring outside normal business hours. New passkey enrollment events should trigger enhanced verification, as Expel observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through phishing and resetting the user password.
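The monitoring described in this paragraph, as an added example over constructed events (not code from the article, Expel, or Okta): it flags cross-device (hybrid) MFA successes from unexpected countries or outside business hours, and flags every new FIDO factor enrollment, escalating those that closely follow a password reset. The event field names, the expected-country set and the business-hours window are assumptions; map them to your identity provider's real log schema.

```javascript
// Added example, not from the article or Expel. Detection rules over a
// constructed, simplified identity-provider event stream. Field names
// (eventType, transport, country, factor), EXPECTED_COUNTRIES and
// BUSINESS_HOURS_UTC are assumptions, not a real Okta System Log schema.

const EXPECTED_COUNTRIES = new Set(["US"]);
const BUSINESS_HOURS_UTC = { start: 8, end: 18 }; // [start, end) hours in UTC
const RESET_TO_ENROLL_WINDOW_MS = 60 * 60 * 1000; // enrollment within 1 h of a reset

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { ts: "2025-07-18T14:05:00Z", user: "alice", eventType: "auth.mfa.success", transport: "usb", country: "US" },
  { ts: "2025-07-18T02:40:00Z", user: "bob", eventType: "auth.mfa.success", transport: "hybrid", country: "NG" },
  { ts: "2025-07-18T09:00:00Z", user: "carol", eventType: "user.password.reset", country: "US" },
  { ts: "2025-07-18T09:12:00Z", user: "carol", eventType: "mfa.factor.enroll", factor: "fido2", country: "US" },
  { ts: "2025-07-18T10:00:00Z", user: "dave", eventType: "mfa.factor.enroll", factor: "fido2", country: "US" },
];
function analyzeEvents(events) {
  const alerts = [];
  const lastPasswordReset = new Map(); // user -> epoch ms of most recent reset
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    const t = Date.parse(e.ts);
    // Rule 1: cross-device (QR / hybrid) MFA success from an unexpected place or time.
    if (e.eventType === "auth.mfa.success" && e.transport === "hybrid") {
      const hour = new Date(t).getUTCHours();
      const reasons = [];
      if (!EXPECTED_COUNTRIES.has(e.country)) reasons.push(`unexpected country ${e.country}`);
      if (hour < BUSINESS_HOURS_UTC.start || hour >= BUSINESS_HOURS_UTC.end) reasons.push(`outside business hours (${hour}:00 UTC)`);
      if (reasons.length > 0) alerts.push({ user: e.user, rule: "suspicious-cross-device-login", severity: "high", reasons });
    }
    // Rule 2: every new FIDO enrollment needs out-of-band confirmation; one that
    // closely follows a password reset matches the takeover pattern Expel described.
    if (e.eventType === "user.password.reset") lastPasswordReset.set(e.user, t);
    if (e.eventType === "mfa.factor.enroll" && e.factor === "fido2") {
      const reset = lastPasswordReset.get(e.user);
      if (reset !== undefined && t - reset <= RESET_TO_ENROLL_WINDOW_MS) {
        alerts.push({ user: e.user, rule: "fido-enrollment-after-reset", severity: "critical",
          reasons: [`enrolled ${Math.round((t - reset) / 60000)} min after password reset`] });
      } else {
        alerts.push({ user: e.user, rule: "new-fido-enrollment", severity: "medium",
          reasons: ["confirm the enrollment with the user out of band"] });
      }
    }
  }
  return alerts;
}

console.log(JSON.stringify(analyzeEvents(SAMPLE_EVENTS), null, 2));
```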

Account recovery processes represent another critical attack surface. If an attacker can bypass authentication during the recovery phase using a phishing-susceptible method, the entire FIDO2 infrastructure becomes irrelevant. Organizations must ensure that every step in the account lifecycle — including recovery — uses phishing-resistant authentication.

Lessons Learned

The PoisonSeed investigation offers several important lessons for the cryptocurrency security community. First, the rapid retraction by Expel demonstrates the importance of thorough log analysis before publishing security findings. Initial reports of a FIDO bypass created unnecessary panic and could have driven organizations toward less secure alternatives. The truth — that FIDO2 with proper implementation successfully blocked the attack — reinforces the value of hardware-based authentication when configured correctly.

Second, the cross-device sign-in feature represents a classic security-usability tradeoff. The convenience of scanning a QR code from a mobile device to authenticate on a desktop is real, but the security implications of enabling this flow must be carefully weighed against the risk of phishing via QR code relay attacks. Organizations managing high-value crypto accounts should default to the most restrictive authentication configuration and enable convenience features only when the risk is explicitly accepted.

Third, defense in depth remains essential. Even with FIDO2 authentication, organizations should implement complementary controls including IP-based access restrictions, device trust policies, behavioral analysis, and mandatory review periods for high-value transactions.

User Action Required

For individual cryptocurrency users, the PoisonSeed campaign reinforces the importance of never scanning QR codes from login pages that you did not directly navigate to. Always verify the URL in your browser address bar before entering any credentials. If you use a hardware security key, prefer direct USB or NFC authentication over cross-device QR code flows. For organizations, review your FIDO2 implementation to ensure that cross-device sign-in is disabled or restricted to specific trusted contexts, and audit your account recovery procedures to eliminate phishing-susceptible steps in the authentication lifecycle.

Security details sourced from The Hacker News and Expel security blog. Price data from CoinMarketCap historical snapshot for July 26, 2025. This article is for informational purposes only and does not constitute financial or investment advice.

14 thoughts on “PoisonSeed Campaign Reveals Critical Weakness in FIDO Cross-Device Authentication Flows”

      1. cross-device was supposed to be a convenience feature but it's become the biggest attack surface. the QR code flow is basically begging for adversary in the middle

        1. the QR code flow is the weakest link in the whole chain. adversary in the middle through a fake login page renders the hardware key useless

  1. been telling people for months that the FIDO cross-device QR flow is basically a phishing playground. hardware keys are useless if the relay proxies the session

  2. btc at $117,947 and the most trusted auth mechanism in crypto has a bypass through a QR code. the gap between asset value and security maturity keeps widening

    1. trillions in crypto assets protected by a QR code flow between devices. the security stack has not kept up with the asset prices

  3. poisonseed bypassing FIDO2 via cross-device sign-in means every exchange relying on yubikeys needs to audit their auth flows yesterday

    1. AuthNerd exchanges relying on yubikeys need more than an audit. they need to disable cross-device auth entirely until FIDO fixes the QR relay problem

      1. Dara O. disabling cross-device auth kills usability for mobile users tho. the real fix is transaction signing on the hardware device itself not the host
