The holiday season is a time when consumer engagement is at its peak and digital transactions are in the ascendant. However, a wave of misleading communication has been plaguing Grubhub's user community in recent weeks.
There has been an increase in the number of users of Grubhub's online food delivery platform that has been targeted by a coordinated email scam designed to mimic Grubhub's infrastructure in order to cultivate trust among its customers.
It was falsely framed as part of a holiday crypto promotion. It used the authentic-sounding subdomain b.grubhub.com. The emails were derived from addresses typically associated with the company’s merchant partner outreach, appearing to have originated from those addresses.
The verified communications team at Grubhub uses a similar domain when communicating with restaurants and commercial partners, giving legitimacy to what has really been a malicious impersonation campaign in reality.
A fraud email was sent to users that asked them to transfer Bitcoins to external wallets and promised a tenfold return within minutes.
A widely circulated message claimed that there were only 30 minutes left in this promotion, asserting that any Bitcoin that was sent would be multiplied tenfold. This illustrates how the scam relies heavily on urgency and unrealistic financial incentives in order to convince victims.
In multiple reports, it is revealed that these emails were being dispatched from counterfeit email addresses resembling merchant support channels, including Grubhubforrestaurants and other restaurant-specific sender tags, for example. This scam, which has been active since December 24, displays a high level of personalization, as recipient names are embedded directly in the email's body and delivery metadata, which indicates structured data harvesting or prior exposure to breaches.
Throughout the cryptocurrency fraud landscape, social engineering attacks have grown increasingly sophisticated, according to a study conducted by the University of Surrey. These attacks are raising renewed concerns about the misuse of digital trust and brand-based impersonation, and the exploitation of corporate identity, among other things.
It has been reported that recipients have received scam emails, titled merry-christmas-promotion and crypto-promotion, starting on December 24. The emails were both deceptively appended to the b.grubhub.com subdomain and embedded with their full names, along with their e-mail addresses, and contained personal identifiers such as their full names.
It is without a doubt that this scam is one of the most textbook examples of high yield cryptocurrency reward scams, as it relies on psychological mechanics like trust, financial aspirations, and manufactured urgency so that it can deliver high returns with minimal investment. It is apparent from the attackers' narrative that they promised exponential returns on Bitcoin transfers, which is consistent with cryptocurrency fraud models that use implausible incentives to overcome skepticism.
According to some users and independent researchers, this breach could have been caused by a DNS takeover, a situation where forged emails would have passed through normal authentication checks. However, Grubhub has not yet officially confirmed any of these claims, nor has it provided any technical information regarding the breach.
BleepingComputer was informed by the company that the issue was identified within its merchant partner communications channels, and was promptly isolated from the issue, and that a full investigation is underway in order to prevent it from recurring in the future. A spokesperson from the platform also stated that containment measures were immediately implemented, suggesting that the platform does not view the incident as a routine spam attack, but rather as an attack on targeted integrity.
Additionally, the company also discussed Grubhub's disclosure earlier this year during the event. The Grubhub company reported at that time that a threat actor had accessed a large volume of contact information of customers, merchants, and delivery drivers - providing contact information, but not payment credentials - resulting in the discovery of the threat actor's access to the servers of the company as a result.
Even though the January breach is not related in structure in any way, experts note that previously exposed identity datasets are often resurfaced as raw material in impersonation campaigns a decade or two later, providing attackers with the level of personalization needed to appear credible and targeted to consumers.
There has been an escalation in digital fraud during high-traffic holiday periods, according to law enforcement agencies, a trend highlighted in a recent public advisory from the Federal Bureau of Investigation which cautioned consumers against the seasonal cycle of scams. According to the bureau, attackers deliberately increase their activities at times of high demand for discounts, limited-time offers, and fast money gains, deploying schemes that are based on expectations and urgency.
According to the FBI, non-payment scams and non-delivery scams were among the most frequently reported tactics in 2024, with victims misled into paying for goods or services that never materialized. There have been significant financial impacts on the financial system resulting from these frauds.
The FBI estimates that in 2024 alone, these frauds alone will account for more than $785 million in losses to users, while credit card frauds will contribute an additional $199 million. This reinforces the persistence of the profitability of financial crime driven by impersonation.
Additionally, investigators highlighted that phishing environments have evolved beyond traditional credential theft, and increasingly target passwords to cryptocurrency exchanges and accesses to digital wallets, where a single compromised account could allow the liquidation and transfer of assets immediately.
A recent FBI advisory has advised users to be cautious when clicking on unsolicited links. Authorities are warning that malicious landing pages are routinely being used to collect crypto-platform authentication details, such as multi-factor authentication codes, for the purpose of diversion of funds that may not be recoverable.
Researchers have drawn parallels between the ongoing Grubhub campaign and the more widespread crypto-doubling scam, a type of social engineering scam that engages in recognizable branding, individualized targeting, and a countdown-style deadline as a means to feign legitimacy and to eliminate suspicion.
In an effort to combat fraud, industry experts and national agencies have repeatedly said that communications that include verified-looking domain names, time-sensitive ultimatums, or requests for transfers to external wallets have been identified as some of the most obvious behavioral indicators.
In both Grubhub's guidance as well as from federal authorities, it is stressed that independent verification through official channels is a key component of ensuring authenticity, especially when messages are individually addressed. However, personalization no longer stands as a reliable sign of authenticity, but is often a sign that prior personal data exposure has been weaponized in order to enhance credibility.
There are many ramifications of the phishing campaign that go far beyond the theft of isolated amounts of money. They prompt a broader discussion of digital trust, corporate identity, and the fragility of brand credibility in an increasingly weaponized online environment.
Although users who have been affected by this crypto-crisis are at direct risk of losing cryptocurrencies, Grubhub itself faces an equally troubling threat - the erosion of public confidence - which is not a case of an actual breach of security, but rather a perception of one.
As industry observers and researchers have noted for years, modern phishing operations are no longer dependent solely on technical intrusion; their success depends equally on psychological authenticity, which means familiar email formats, harvesting personal identifiers, and brand-aligned subdomains can alter the perception of phishing operations.
It has been emphasized that this incident has raised concerns about how cybercriminals are reusing previously disclosed identity datasets, which they routinely repurpose to personalize fraudulent outreach on a large scale, giving phishing mail the appearance of one-on-one legitimacy. Security commentators have warned that such events can create lasting doubt among consumers who may be unable to distinguish a genuine system lapse from a forged communication.
However, even if the corporate infrastructure remains intact, consumers may have difficulty distinguishing between a genuine system lapse, since their perception may be frightful.
Additionally, the situation has also highlighted the growing gap between user preparedness and law enforcement agency preparedness, with cyber security experts emphasizing that the importance of phishing literacy is as crucial as the importance of a good password hygiene regimen.
The following precautions are recommended: Verifying unexpected financial or promotional claims through company channels rather than embedded links, strengthening account defenses with unique, high-entropy passwords, and enabling multi-factor authentication as soon as possible, especially in cryptocurrency exchange accounts, where credential theft can result in a quick, irreversible transfer of funds.
It has been reported that the campaign is part of a larger pattern of crypto-doubling social engineering fraud, which is a scam archetype that has been around for quite some time due to its perfect combination of technological deception with the strength of the promise of a big payday.
In light of the incident, the delivery platforms and digital marketplaces have been urged to intensify customer education initiatives, including technical monitoring as well as public awareness outreach, since the most effective defense against impersonation-driven fraud lies not only in one strategy, but in a combination of infrastructure resilience, informed skepticism, and a robust defensive strategy.
