FIDO (Fast IDentity Online) security keys have earned their reputation as one of the strongest defenses against phishing and account takeover. Built on hardware-backed cryptography, they make it nearly impossible for attackers to steal credentials through traditional means.
But attackers don’t have to break strong security if they can bypass it. That’s exactly what the cybercrime group PoisonSeed has done by turning user behavior and convenience features into the real vulnerability.
PoisonSeed: A Profile in Adaptive Cybercrime
PoisonSeed has made a name for itself by targeting cryptocurrency holders—going after the platforms, wallets, and authentication layers that stand between them and the assets they want to steal.
In the past, PoisonSeed relied on phishing sites to capture usernames, passwords, and even MFA codes. But their latest campaign marks a shift in strategy. Rather than tricking users into giving up credentials, they’re hijacking the authentication process itself, manipulating legitimate login workflows in real time. This allows them to bypass hardened protections like FIDO keys without cracking encryption or breaching systems.
The Attack Explained: Real-Time MFA Hijacking
Here’s how PoisonSeed’s latest attack plays out.
First, the attacker starts a real login session on a legitimate website, often one that supports strong FIDO-based authentication. This triggers the site to display a QR code meant for a trusted secondary device as part of a cross-device sign-in flow.
Next, PoisonSeed mirrors that QR code onto a phishing page. The victim, believing they’re completing a normal multi-factor authentication step, scans the code using their mobile authenticator app.
The scan completes the login session that PoisonSeed initiated. Because the QR code is legitimate and the authentication appears to come from a trusted device, access is granted without the victim's FIDO key ever being used.
“This isn’t a one-off situation,” said J Stephen Kowski, Field CTO at SlashNext. “It’s a real evolution in how attackers are thinking about bypassing strong authentication methods.”
Technical vs. Human Vulnerabilities
To be clear, this isn’t a flaw in FIDO itself. The hardware and cryptography behind FIDO keys remain solid.
What PoisonSeed exploits are the features designed to make security more user-friendly, like cross-device sign-in and QR-based login flows. These tools are meant to simplify authentication across laptops, phones, and tablets. But those conveniences can quickly become liabilities in the hands of an attacker.
This isn’t the first time attackers have taken advantage of such shortcuts. Similar tactics have been used in QR code scams and push notification fatigue attacks, where users are tricked into approving login requests they didn’t initiate. PoisonSeed’s campaign takes this a step further by hijacking the entire flow in real time and turning a legitimate user action into an access point.
Implications for Security Teams
Even the strongest authentication tools can fall short without a layered security strategy. PoisonSeed’s attack shows that hardware-backed MFA like FIDO isn’t a silver bullet.
To reduce exposure, security teams need to focus on the bigger picture. That starts with user education. Employees should be trained to treat unexpected QR code prompts—especially those that appear after entering a password—as red flags, not routine steps.
Technical controls matter too. Disabling cross-device sign-in where possible, requiring Bluetooth proximity checks, and monitoring for unusual device registrations can all help cut off these attack paths before they succeed.
Finally, detection is key. Real-time login flows, particularly those initiated from unfamiliar geographies or outside normal behavior patterns, should trigger alerts. These edge-case attacks are subtle, but with the right analytics in place, they don’t have to slip through.
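One way to turn the controls and detection advice above into a concrete check, as an added example that is not part of the article or of any vendor's product: a detector that replays authentication events and flags completed cross-device (QR) sign-ins where the phone that scanned the code is not co-located with the browser that started the session, or where that browser is a device the user has never used. The log schema, the event names, the known-device table and the sample log lines are all assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample events in an assumed schema (not the article's or any vendor's format).
# A cross-device ("fido_hybrid") sign-in has two parties: the browser that started the
# session and the phone that scanned the QR code; each reports its own geolocation.
SAMPLE_LOG = """
{"user":"alice","session":"s1","event":"session_start","client_geo":"US-CA","client_id":"laptop-1","method":"fido_hybrid"}
{"user":"alice","session":"s1","event":"authenticator_response","auth_geo":"US-CA"}
{"user":"alice","session":"s1","event":"login_success"}
{"user":"bob","session":"s2","event":"session_start","client_geo":"NL","client_id":"unknown-7","method":"fido_hybrid"}
{"user":"bob","session":"s2","event":"authenticator_response","auth_geo":"US-TX"}
{"user":"bob","session":"s2","event":"login_success"}
{"user":"carol","session":"s3","event":"session_start","client_geo":"US-NY","client_id":"desk-2","method":"fido_roaming"}
{"user":"carol","session":"s3","event":"login_success"}
"""

# Constructed inventory: client devices each user has signed in from before, and
# whether the user has a roaming (USB/NFC) security key enrolled.
KNOWN_DEVICES = {"alice": {"laptop-1"}, "bob": {"phone-b", "desk-b"}, "carol": {"desk-2"}}
HAS_ROAMING_KEY = {"alice": True, "bob": True, "carol": True}


def detect_hijacked_hybrid_logins(log_text: str) -> dict[str, list[str]]:
    """Return {session_id: [reasons]} for completed cross-device logins that look hijacked."""
    sessions = defaultdict(dict)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        s = sessions[ev["session"]]
        s.setdefault("user", ev["user"])
        if ev["event"] == "session_start":
            s.update(client_geo=ev["client_geo"], client_id=ev["client_id"], method=ev["method"])
        elif ev["event"] == "authenticator_response":
            s["auth_geo"] = ev["auth_geo"]
        elif ev["event"] == "login_success":
            s["completed"] = True
    findings = {}
    for sid, s in sessions.items():
        if not s.get("completed") or s.get("method") != "fido_hybrid":
            continue  # only successful QR/cross-device sign-ins are of interest here
        reasons = []
        # The QR code was scanned by a phone that is nowhere near the browser that started the session.
        if s.get("auth_geo") and s["auth_geo"] != s["client_geo"]:
            reasons.append("authenticator geo differs from initiating client geo")
        # The session was started from a client the user has never signed in from.
        if s["client_id"] not in KNOWN_DEVICES.get(s["user"], set()):
            reasons.append("hybrid sign-in from unrecognised client device")
        # Escalate: the user owns a hardware key but was steered into the QR flow instead.
        if reasons and HAS_ROAMING_KEY.get(s["user"]):
            reasons.append("cross-device flow used despite enrolled roaming security key")
        if reasons:
            findings[sid] = reasons
    return findings
```

Only session s2 is flagged: the browser sits in one country while the scanning phone is in another, and the browser is a device bob has never used, which is the shape of the attack the article describes.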
“Please do not throw the baby out with the bathwater,” said Trey Ford, Chief Information Security Officer at Bugcrowd. “FIDO is a great platform, it's solid, and has done a lot for the technology community in improving security. The hope is that we see additional scrutiny and offensive testing by the research community testing these clever edge cases, further strengthening the resilience of standards and platforms like FIDO... before the attackers do.”
When UX Becomes an Attack Vector
PoisonSeed’s campaign is a reminder that security is not just about what technology you deploy; it is about how people use it. Strong tools like FIDO are only as effective as the ecosystem and behavior around them.
That means user education can’t stop at setup. It needs to be ongoing, adaptable, and focused on how attacks actually happen. Because even the best security hardware can’t protect if users are tricked into opening the door.