Grubhub’s legitimate subdomain used to send fake emails promising 10x Bitcoin returns. Learn how this sophisticated scam works and how to stay safe.

Continue reading
A sophisticated phishing campaign has compromised Grubhub's legitimate `b.grubhub.com` subdomain, distributing fraudulent emails that promise a tenfold cryptocurrency return to recipients. These messages, appearing from addresses like `[email protected]`, exploit legitimate infrastructure to bypass standard email authentication checks, marking a significant escalation in brand impersonation attacks. This incident follows Grubhub's earlier 2025 data breach involving third-party access, highlighting persistent third-party security vulnerabilities within the food delivery giant's ecosystem.
The attackers leveraged Grubhub's legitimate `b.grubhub.com` subdomain—normally used for authentic business communications with merchant partners—to distribute fraudulent promotional messages. This approach represents a significant evolution beyond traditional spoofing techniques, as emails originating from legitimate organizational subdomains typically pass standard SPF, DKIM, and DMARC authentication checks, making them far more convincing to recipients and security filters alike.
While some security researchers initially speculated about a potential DNS takeover attack—where attackers gain control of DNS records to redirect traffic and emails—Grubhub's official statement indicates they've "isolated the problem" without confirming the specific attack vector. The fraudulent messages contained personalized recipient names, suggesting possible integration with previously compromised data, potentially connected to Grubhub's earlier 2025 breach involving third-party access to customer and merchant information.
The phishing emails employed a classic yet effective crypto reward scam structure with heightened urgency:
This combination of technical legitimacy (coming from a verified subdomain) and psychological manipulation (urgency and extravagant returns) created a potent threat vector particularly effective against merchant partners familiar with legitimate communications from the same domain.
This incident illustrates a dangerous trend in modern phishing campaigns: attackers are increasingly targeting legitimate subdomains and infrastructure rather than merely impersonating brands through lookalike domains. When attackers successfully compromise or exploit legitimate organizational assets, they effectively co-opt the brand's established trust with its partners and customers, rendering traditional domain-based warning systems less effective.
For cybersecurity professionals, the Grubhub case demonstrates that domain authentication protocols alone provide insufficient protection when attackers gain any level of legitimate access to communication systems. This creates a challenging defensive landscape where organizations must secure not just their primary domains but all subdomains and third-party integrations with equal rigor.
Grubhub's statement that they've "contained the issue" without detailing the root cause raises important questions about third-party security accountability. The company's earlier 2025 breach occurred "from an account used by a third-party to provide support services," suggesting potential systemic vulnerabilities in partner access management.
This pattern indicates possible Identity and Access Management (IAM) deficiencies, where excessive permissions or inadequate monitoring of third-party access creates exploitable attack surfaces. The food delivery industry's complex ecosystem of restaurant partners, drivers, payment processors, and support services creates an expanded threat landscape with multiple potential entry points for determined attackers.
The Grubhub cryptocurrency phishing campaign represents a disturbing evolution in social engineering attacks, where technical sophistication (exploiting legitimate infrastructure) enhances psychological manipulation (holiday-themed urgency with extravagant promises). As organizations increasingly rely on complex digital ecosystems with multiple third-party integrations, the attack surface for such compromises grows proportionally.
Moving forward, organizations must adopt a zero-trust approach to all communication channels, verifying not just external emails but also monitoring outbound communications from their own systems. The convergence of compromised data (from previous breaches) and compromised infrastructure (like legitimate subdomains) creates uniquely persuasive phishing lures that demand equally sophisticated, multi-layered defensive strategies combining technical controls with continuous security awareness education.

A security researcher demonstrated how three patched OpenClaw vulnerabilities can be chained from a WhatsApp message to achieve credential theft, sandbox escape, and host-level code execution, exposing architectural risks in AI agents.