Nordstrom Email System Hijacked to Push a Crypto Scam

Fraudsters used Nordstrom’s official email system to promote a crypto scam targeting the department store’s customers, promising huge returns if they acted quickly.

Seattle, Washington-based Nordstrom is an American upmarket department store chain that sells a wide range of products, including clothing, shoes, jewelry, accessories, cosmetics, and fragrances. It employs over 55,000 people across more than 386 locations and reports annual revenue of over $15 billion.

While Nordstrom warned customers about the fraudulent email messages after learning of the breach, several customers fell for the scam and sent thousands of dollars.

Crypto scam originated from the official Nordstrom email system

The fraudsters instructed customers to send any amount of crypto within 2 hours to threat-actor-controlled wallet addresses, promising that the funds would be doubled as a St. Patrick’s Day giveaway. The short window of opportunity was intended to create a sense of urgency and trick victims into acting without due diligence.

“To celebrate St. Patrick’s Day, Nordstrom is giving back! For the next 2 hours only, we’ll double your cryptocurrency! Send cryptocurrency to any of your unique deposit addresses below, and we’ll send you right back 200% of the amount you sent,” the email read.

“For example, if you send $2500, we’ll send you right back $5000 to your sending address,” it further explained.

The compromised email system, nordstrom@eml.nordstrom.com, is the one Nordstrom uses for official communication, sales, marketing, and promotions, suggesting a potential breach.

Because it originated from the official email system, the crypto scam message bypassed traditional spam filters and landed in customers’ inboxes. Nevertheless, it had the telltale signs of a spam email, including a misspelling of the company name in the subject line, which was spelled as “Normstrom.” However, the fear of missing out (FOMO) could easily have prevented victims from noticing the subtle mistake.
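As an added example (not from the article or from Nordstrom), the Python below scores message content independently of sender authentication, flagging the signs described above: a near-miss brand spelling in the subject, a wallet address, a short deadline and a payout promise. The sample message, its headers, the placeholder wallet address, the regexes and the two-indicator threshold are assumptions made for illustration, and a plain-text body is assumed.

```python
import re
from email import message_from_string

# Heuristics below are illustrative assumptions, not a vendor rule set.
WALLET_RE = re.compile(r"\b(?:0x[0-9a-fA-F]{40}|bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
URGENCY_RE = re.compile(r"next \d+ (?:hours?|minutes?) only", re.I)
PAYOUT_RE = re.compile(r"double your|\d{3}% of the amount|\d+x your", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def brand_lookalikes(subject, brand):
    """Words 1-2 edits away from the brand, i.e. near misses like 'Normstrom'."""
    return [w for w in re.findall(r"[a-z]+", subject.lower())
            if 0 < edit_distance(w, brand) <= 2]

def review(raw, brand="nordstrom"):
    """Score content independently of sender authentication results."""
    msg = message_from_string(raw)
    subject, body = msg["Subject"] or "", msg.get_payload()
    text = subject + "\n" + body
    indicators = [name for name, hit in [
        ("brand-misspelled", brand_lookalikes(subject, brand)),
        ("wallet-address", WALLET_RE.search(body)),
        ("urgency-window", URGENCY_RE.search(text)),
        ("payout-promise", PAYOUT_RE.search(text)),
    ] if hit]
    authenticated = "dmarc=pass" in (msg["Authentication-Results"] or "").lower()
    # A DMARC pass proves the sending domain, not that the content is authorized.
    return {"authenticated": authenticated, "indicators": indicators,
            "hold": len(indicators) >= 2}

# Constructed sample: wording follows the email quoted in the article; the
# subject line, headers and wallet address are made up for the example.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass
From: nordstrom@eml.nordstrom.com
Subject: Normstrom St. Patrick's Day Giveaway

For the next 2 hours only, we'll double your cryptocurrency!
Send to 0x0000000000000000000000000000000000000000 and we'll send
you right back 200% of the amount you sent.
"""

if __name__ == "__main__":
    print(review(SAMPLE))
```

The same check can run on the outbound side, holding a campaign for manual approval before it leaves the marketing platform.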

“Organizations must treat outbound communication systems as high-risk attack surfaces, while consumers need to remember that even ‘legitimate’ emails can be weaponized especially when they involve cryptocurrency payments,” said Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense. “If an offer sounds too good to be true it probably is and no information should be provided unless the offer can be verified through other means with an organization.”

When Nordstrom learned of the incident, it sent a follow-up message warning its customers to disregard the unauthorized communication. The company also clarified that it would never request customers to transfer cryptocurrency and that an investigation was underway to determine the cause of the incident.

So far, it remains unclear whether the message specifically targeted Nordstrom customers or was a spray-and-pray attack. Nordstrom has over 33 million active customers, making it a lucrative hunting ground for cybercriminals.

Nordstrom has not disclosed how the attackers infiltrated its email system. However, some security experts believe that it stemmed from the compromise of Nordstrom’s Okta Salesforce environment. Other companies impacted by the Okta and Salesforce data breaches have witnessed similar incidents, suggesting that it was not an isolated incident.

Meanwhile, this is hardly the first time Nordstrom has experienced a data breach. In 2018, the company exposed sensitive employee information, including their names, dates of birth, Social Security Numbers, salaries, and checking account and routing numbers.

Similar crypto scams witnessed in the past

A similar crypto scam targeted Betterment customers following the January social engineering attack by the ShinyHunters ransomware group. While Betterment did not say whether its email system was compromised, it admitted that the crypto scam messages appeared to originate from its systems. Additionally, the investment platform disclosed that the data breach stemmed from a third-party marketing platform.

In December 2025, fraudsters also targeted Grubhub customers with crypto scam messages promising “10x your Bitcoin” if they sent funds to attacker-controlled addresses. The fraudulent messages originated from merry-christmass@b.grubhub.com, an email system hosted on the official subdomain used for regular communication. According to social media reports, the Grubhub crypto scam earned the fraudsters over $4,000.