How Social Engineering and Subdomain Hijacking Enabled the Grubhub Crypto Scam
Picture this: a seemingly legitimate email from Grubhub lands in your inbox, promising a tenfold return on any Bitcoin you send as part of a festive “Holiday Crypto Promotion.” The catch? The message comes from a real Grubhub subdomain, b.grubhub.com, making it nearly indistinguishable from authentic company communications. This was the reality for Grubhub merchant partners in December 2025, when cybercriminals ran a scam that combined abuse of a legitimate sending subdomain with classic social engineering. By sending through a trusted channel and leaning on psychological triggers such as urgency and authority, the attackers got past both automated email filters and human skepticism. The incident exposed the limits of email authentication (a message can pass SPF, DKIM and DMARC and still be fraudulent if it leaves an authorized sender) and the risks of third-party access, and it underscored how phishing continues to evolve (BleepingComputer).
Exploiting Trust: The Role of Legitimate Subdomains
The effectiveness of the Grubhub crypto scam in December 2025 was significantly amplified by the attackers’ use of a legitimate Grubhub subdomain, b.grubhub.com. This subdomain is normally used for communications with Grubhub’s merchant partners and restaurants, lending a high degree of credibility to any email sent from its addresses. The scam emails originated from addresses such as merry-christmast@b.grubhub.com and crypto-promotion@b.grubhub.com; because they were sent from infrastructure authorized to send for that subdomain, they would pass SPF, DKIM and DMARC checks and appear trustworthy to recipients (BleepingComputer).
By leveraging a real Grubhub subdomain, attackers bypassed common red flags associated with phishing attempts, such as suspicious sender addresses or mismatched domains. This technique allowed the fraudulent messages to evade both automated email security filters and manual scrutiny by recipients, greatly increasing the likelihood of engagement and subsequent victimization.
Social Engineering Tactics: Psychological Manipulation and Urgency
The scam’s messaging was meticulously crafted to exploit human psychology. The emails promised a tenfold return on any Bitcoin sent to a specified wallet, framing the offer as part of a “Holiday Crypto Promotion” and instilling a sense of urgency by stating, “There are 30 minutes left in our Holiday Crypto Promotion. Grubhub will 10x any Bitcoin sent to this address […]. For example, if you send $1000, we’ll send back $10,000” (BleepingComputer).
This approach relied on several core social engineering principles:
- Scarcity and Time Pressure: The limited-time offer pressured recipients to act quickly, reducing the likelihood of rational scrutiny or verification.
- Authority and Authenticity: The use of a real Grubhub subdomain, along with personalized recipient names, created an aura of legitimacy and authority.
- Reciprocity: The promise of a large reward in exchange for a relatively small action (sending cryptocurrency) appealed to recipients’ desire for gain.
These tactics are hallmarks of successful social engineering campaigns, leveraging emotional responses to override logical decision-making.
Technical Mechanisms: Subdomain Hijacking and Email Authenticity
The technical underpinnings of the scam point to either a takeover of the b.grubhub.com subdomain or unauthorized access to the platform that legitimately sends mail for it. Some users speculated that a DNS takeover enabled the attackers to send emails that passed standard authentication checks such as SPF, DKIM, and DMARC (BleepingComputer); the classic form of that attack is a dangling DNS record pointing at a third-party service where the attacker can register the abandoned target. Either route has the same effect, because those protocols only verify that a message came from a party authorized to send for the domain, not that the party was acting legitimately. It allows malicious actors to:
- Send emails from legitimate company addresses without raising immediate suspicion.
- Pass anti-phishing checks that rely on domain reputation and authentication results, since the messages are genuinely authenticated.
- Target specific user groups, such as merchant partners, by exploiting known communication channels.
While Grubhub has not publicly disclosed the precise technical details, the company acknowledged the unauthorized messages and stated that the issue was “immediately investigated, contained, and steps are being taken to ensure it doesn’t happen again.”
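The practical consequence of that point, as an added example that is not from the BleepingComputer article or from Grubhub: a mail-gateway triage routine that reads the Authentication-Results header and then scores the content for the indicators quoted above. The three messages it runs over are constructed for the example (the receiving host, addresses and Bitcoin address are placeholders), and the quarantine threshold is an assumption. It shows that a conventional spoof is stopped by DMARC, while the authenticated variant is caught only by content signals.

```python
"""Triage of mail that passes SPF, DKIM and DMARC yet carries scam content.
Added example; not code from Grubhub or from the BleepingComputer article.
All three messages are constructed; addresses and the Bitcoin address are
placeholders, and the quarantine threshold is an assumption."""
import re
from email import message_from_string

# Constructed: authenticated mail from the real-looking subdomain, carrying
# the promotion text the article quotes. This is what a hijacked or
# compromised authorized sender produces: every check says "pass".
SCAM_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=b.grubhub.com;
 dkim=pass header.d=b.grubhub.com;
 dmarc=pass header.from=b.grubhub.com
From: Grubhub <crypto-promotion@b.grubhub.com>
To: owner@restaurant.example
Subject: Holiday Crypto Promotion
Content-Type: text/plain

There are 30 minutes left in our Holiday Crypto Promotion.
Grubhub will 10x any Bitcoin sent to this address:
bc1qexampleexampleexampleexampleexample00
For example, if you send $1000, we will send back $10,000.
"""

# Constructed: a conventional spoof of the same subdomain from an
# unauthorized host. DMARC alone is enough to stop this one.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=b.grubhub.com;
 dkim=none;
 dmarc=fail header.from=b.grubhub.com
From: Grubhub <promo@b.grubhub.com>
To: owner@restaurant.example
Subject: Holiday Crypto Promotion
Content-Type: text/plain

Send Bitcoin now and we will double it. 20 minutes left.
"""

# Constructed: ordinary merchant traffic, authenticated and clean.
LEGIT_MSG = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=b.grubhub.com;
 dkim=pass header.d=b.grubhub.com;
 dmarc=pass header.from=b.grubhub.com
From: Grubhub <partners@b.grubhub.com>
To: owner@restaurant.example
Subject: Your weekly order summary
Content-Type: text/plain

You received 42 orders this week. View the details in your merchant dashboard.
"""

# Content indicators drawn from the campaign: (name, pattern, weight).
# The address pattern covers legacy (1/3) and bech32 (bc1) Bitcoin formats.
INDICATORS = [
    ("btc_address", re.compile(
        r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"), 3),
    ("multiplier", re.compile(r"\b(?:\d+x|double|triple)\b", re.I), 2),
    ("crypto_term", re.compile(r"\b(?:bitcoin|btc|crypto(?:currency)?)\b", re.I), 1),
    ("time_pressure", re.compile(r"\b\d+\s*(?:minutes?|hours?)\s+left\b", re.I), 1),
    ("send_back", re.compile(r"\bsend\s+back\b", re.I), 1),
]


def parse_auth_results(msg):
    """Extract spf/dkim/dmarc results from an Authentication-Results header
    (RFC 8601). A missing method is reported as 'none'."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", header)
        results[method] = match.group(1).lower() if match else "none"
    return results


def content_score(msg):
    """Score subject plus body against the indicator list."""
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    text = msg.get("Subject", "") + "\n" + body
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(raw, threshold=4):
    """Authentication gates spoofing; content scoring gates abuse of an
    authorized sender. Either failure quarantines the message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    authenticated = all(auth[m] == "pass" for m in ("spf", "dkim", "dmarc"))
    score, hits = content_score(msg)
    if not authenticated:
        reason = "authentication failed"
    elif score >= threshold:
        reason = "authenticated sender, scam content"
    else:
        reason = "clean"
    return {"authenticated": authenticated, "auth": auth, "score": score,
            "hits": hits, "reason": reason,
            "verdict": "deliver" if reason == "clean" else "quarantine"}


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, triage(raw))
```

Run as a script it prints one verdict per message. The indicator list is deliberately narrow and would be tuned against an organization's own mail, but the structure is the point: authentication results stop spoofing, and only content or sender-behaviour signals stop mail that an authorized sender was tricked or compromised into sending.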
Targeted Victim Selection: Merchants and Partners as Primary Targets
Unlike broad phishing campaigns that indiscriminately target the general public, this scam focused on Grubhub’s merchant partners and restaurants. The subdomain b.grubhub.com is specifically designated for business communications, indicating that the attackers either deliberately targeted this group or gained access to a mailing list containing their contact information (BleepingComputer).
This targeted approach increased the scam’s effectiveness for several reasons:
- Higher Trust Levels: Merchants and partners are accustomed to receiving legitimate communications from Grubhub via this subdomain, making them less likely to question the authenticity of the messages.
- Potential for Larger Transactions: Businesses may have greater access to funds and be more likely to participate in high-value promotions.
- Personalization: The inclusion of recipient names in the emails suggests that attackers had access to specific user data, further personalizing the scam and increasing its credibility.
Incident Response and Containment Measures
Upon discovery of the fraudulent campaign, Grubhub said it immediately investigated and contained the issue and that steps were being taken to prevent a recurrence. The company has not described those steps; the usual response to this class of incident includes:
- Revoking Compromised Credentials: Invalidating any access tokens, API keys, or sending-platform credentials the attackers used.
- DNS and Email Infrastructure Audits: Reviewing the DNS records for the subdomain and the configuration of the email sending platform to find and remediate the weakness.
- Enhanced Monitoring: Adding monitoring of outbound sending volume and sender addresses to detect and respond to suspicious activity in real time.
- Merchant and Partner Notification: Direct communication with affected parties to warn them of the scam and provide guidance on avoiding similar attacks in the future.
Grubhub’s swift containment efforts, as reported by BleepingComputer, were aimed at minimizing the impact of the breach and restoring trust among its business partners.
Broader Implications: Security Gaps in Third-Party Access
The incident also highlights broader security challenges associated with third-party service providers. Earlier in 2025, Grubhub disclosed that a threat actor had accessed customer, merchant, and driver information through an account used by a third-party support provider (BleepingComputer). This underscores the risks posed by external vendors who hold privileged access to sensitive systems and data.
Key issues include:
- Identity and Access Management (IAM) Weaknesses: Inadequate controls over third-party access can create vulnerabilities that are difficult to monitor and manage.
- Supply Chain Attack Vectors: Attackers may exploit less-secure partners as entry points into more secure organizations.
- Data Exposure: Compromised third-party accounts can lead to large-scale data breaches, enabling targeted social engineering attacks like the Grubhub crypto scam.
Organizations must implement robust IAM strategies, conduct regular security assessments of third-party vendors, and establish clear protocols for incident detection and response.
Lessons Learned: Strengthening Defenses Against Social Engineering and Subdomain Abuse
The Grubhub crypto scam serves as a case study in the convergence of social engineering and technical exploitation. To mitigate similar risks, organizations should consider:
- Regular Subdomain Audits: Frequent reviews of the DNS records for every subdomain, looking both for unauthorized changes and for dangling records (CNAMEs or other pointers to third-party services that have since been deprovisioned) that enable subdomain takeover.
- Strict Email Authentication: SPF, DKIM, and DMARC with an enforcing policy (p=reject) that explicitly covers subdomains (sp=), plus an inventory of every third-party sender the SPF record or DKIM keys authorize, since a compromised authorized sender produces mail that passes all three checks.
- Employee and Partner Training: Ongoing education about the latest social engineering tactics and how to recognize suspicious communications.
- Incident Simulation and Response Drills: Regular testing of incident response plans to ensure rapid detection and containment of breaches.
By addressing both the human and technical elements of such attacks, companies can better protect themselves and their stakeholders from increasingly sophisticated scams.
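As an added example that is not code from Grubhub or from the article, the following script performs the first two checks offline against a constructed DNS snapshot: it grades the DMARC record (policy, subdomain policy, reporting), flags permissive SPF terminators, lists every third-party sender the SPF record authorizes, and reports CNAMEs whose targets no longer resolve. The zone, the names and the NXDOMAIN target are placeholders; in a live audit the snapshot would be populated from resolver answers.

```python
"""Offline audit of a mail-domain DNS snapshot: DMARC and SPF policy strength,
subdomain coverage, and dangling CNAMEs that enable subdomain takeover.
Added example; not code from Grubhub or from the BleepingComputer article.
The zone, names and CNAME targets below are constructed placeholders."""

# Constructed snapshot of what a resolver would return: name -> [(rtype, rdata)].
ZONE = {
    "example.com": [("TXT", "v=spf1 include:_spf.mailprovider.example ~all")],
    "_dmarc.example.com": [("TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")],
    "b.example.com": [("TXT", "v=spf1 include:mail.vendor.example +all")],
    "old-promo.example.com": [("CNAME", "tenant-1234.decommissioned-saas.example")],
}

# CNAME targets the resolver reports as NXDOMAIN (constructed). In a live
# audit, resolve every CNAME target and populate this set from the answers.
NXDOMAIN_TARGETS = {"tenant-1234.decommissioned-saas.example"}


def parse_tags(record):
    """Parse a tag=value record such as 'v=DMARC1; p=none; sp=quarantine'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(tags):
    """Flag DMARC settings that leave the organizational domain or its
    subdomains open to spoofing or to unobserved abuse."""
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: unaligned mail is reported, never rejected")
    subdomain_policy = tags.get("sp", policy)  # sp= defaults to p=
    if subdomain_policy != "reject":
        findings.append(f"DMARC subdomain policy is {subdomain_policy}: "
                        "subdomains inherit weak handling")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, abuse goes unseen")
    return findings


def audit_spf(name, record):
    """Flag permissive SPF terminators and list every third party that the
    record authorizes to send as this name."""
    findings = []
    mechanisms = record.split()[1:]  # drop the 'v=spf1' version token
    if "+all" in mechanisms or "all" in mechanisms:
        findings.append(f"{name}: SPF ends in +all, any host may send as this name")
    elif "~all" in mechanisms:
        findings.append(f"{name}: SPF soft-fail (~all); relies on DMARC to reject")
    for mech in mechanisms:
        if mech.startswith("include:"):
            # Mail from a compromised include passes SPF and DMARC; this is
            # the gap that a hijacked or compromised sending platform exploits.
            findings.append(f"{name}: {mech[8:]} is authorized to send as this name; "
                            "its compromise yields fully authenticated mail")
    return findings


def audit_cnames(zone, nxdomain):
    """A CNAME whose target no longer resolves can often be re-registered by
    an attacker at the target's provider: classic subdomain takeover."""
    findings = []
    for name, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype == "CNAME" and rdata in nxdomain:
                findings.append(f"{name}: CNAME to {rdata} does not resolve; "
                                "candidate for subdomain takeover")
    return findings


def audit_zone(zone, nxdomain, apex):
    """Run all checks over a snapshot and group findings by check."""
    report = {"dmarc": [], "spf": [], "cname": audit_cnames(zone, nxdomain)}
    dmarc_rrs = [rdata for rtype, rdata in zone.get(f"_dmarc.{apex}", [])
                 if rtype == "TXT" and rdata.startswith("v=DMARC1")]
    if not dmarc_rrs:
        report["dmarc"].append(f"{apex}: no DMARC record; SPF/DKIM results are never enforced")
    for record in dmarc_rrs:
        report["dmarc"].extend(audit_dmarc(parse_tags(record)))
    for name, rrs in zone.items():
        for rtype, rdata in rrs:
            if rtype == "TXT" and rdata.startswith("v=spf1"):
                report["spf"].extend(audit_spf(name, rdata))
    return report


if __name__ == "__main__":
    for check, findings in audit_zone(ZONE, NXDOMAIN_TARGETS, "example.com").items():
        for finding in findings:
            print(f"[{check}] {finding}")
```

The include findings are informational rather than defects: every include is a vendor whose compromise produces authenticated mail, so the list is the inventory of third parties whose access deserves the IAM scrutiny described in the previous section. The dangling-CNAME check is the one most often skipped; run it against every name in the zone, not only those that currently send mail.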
All information in this report is based on the latest available data as of December 26, 2025, with references to BleepingComputer where appropriate.
Final Thoughts
The Grubhub crypto scam is a textbook example of how cybercriminals are upping their game—combining technical exploits like subdomain hijacking with finely tuned social engineering. The attackers’ ability to mimic legitimate communications and target specific business partners highlights the urgent need for organizations to rethink both their technical defenses and human-centric security training. As companies increasingly rely on third-party vendors and complex digital infrastructures, regular audits, robust authentication protocols, and ongoing education become non-negotiable. Ultimately, the best defense is a blend of vigilance, technology, and a healthy dose of skepticism—because if an offer sounds too good to be true, it probably is (BleepingComputer).
References
- Fake Grubhub emails promise tenfold return on sent cryptocurrency, 2025, BleepingComputer. https://www.bleepingcomputer.com/news/security/fake-grubhub-emails-promise-tenfold-return-on-sent-cryptocurrency/