
Customers of upscale department store chain Nordstrom received fraudulent messages from a legitimate company email address that promoted cryptocurrency scams disguised as a St. Patrick’s Day promotion.
The emails promise to double the amount of cryptocurrency that recipients deposit to a specific wallet address over the next two hours.
“Send cryptocurrency to any of your unique deposit addresses below, and we’ll send you right back 200% of the amount you sent,” reads the fraudulent message.
Multiple customers reported on social media that they received such emails. Some said that the message arrived at an address that had never been exposed or leaked online.
By giving recipients only two hours to take action, the threat actor creates a sense of urgency that makes it more likely for Nordstrom customers to rush into the “deal” and fail to notice the signs of a scam, such as the incorrect spelling of the company in the heading, which reads “Normstorm.”

However, any signs of deception could easily be ignored because the emails came from nordstrom@eml.nordstrom.com, an official address the company uses for sending marketing, sales, and promotional communication, which indicates a security breach.
Nordstrom did not respond to BleepingComputer’s request for comment on the matter, but customers reported that the company sent out a warning email urging members to disregard the previous message, which was “unauthorized.”
“Nordstrom will never ask customers to transact or otherwise transfer funds using cryptocurrency,” warned the firm in its message to customers. “We are taking immediate action to investigate and address the issue,” the department store said.

Nordstrom is a large fashion retailer in the U.S., selling clothing, shoes, beauty products, and accessories through physical department stores and online shops.
Founded in 1901, the company has millions of customers, employs 55,000 people, and has an annual revenue of over $15 billion.
It’s unclear if the unauthorized message reached the entire registered customer base of Nordstrom, but some recipients have already sent payments to the fraudster’s wallet address.
A source familiar with the incident told BleepingComputer that the security breach occurred via an Okta SSO > Salesforce compromise, and the scam emails were then sent to customers through Salesforce Experience Cloud.
Although BleepingComputer could not confirm this, the incident is similar to recent attacks on Betterment and GrubHub that also pushed crypto scams.
Nordstrom customers are advised to ignore the promotion message and not send any money or disclose sensitive data.
Suspicious content should be treated with caution, even when it comes from a trusted sender address, and any promotions should be verified by visiting the firm’s official website, communication channels, and social media profiles.
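The signs described above (a request to send cryptocurrency, a guaranteed 200% return, a two-hour deadline, and the misspelled “Normstorm”) can all be checked from message content alone, which matters when the sender address is genuine. The following Python is an added example, not code from the article or from Nordstrom; the sample message, field names, patterns, and thresholds are assumptions constructed for illustration.

```python
import re

BRAND = "nordstrom"  # brand named in the article
# Constructed sample that paraphrases the lure quoted in the article.
SAMPLE = {
    "from": "nordstrom@eml.nordstrom.com",
    "auth_pass": True,  # assumption: sender authentication passed
    "subject": "Normstorm St. Patrick's Day promotion",
    "body": "Send cryptocurrency to any of your unique deposit addresses below, "
            "and we'll send you right back 200% of the amount you sent. "
            "Offer valid for the next two hours.",
}
# Content signals described in the article; the patterns are illustrative.
SIGNALS = {
    "crypto_transfer_request": re.compile(
        r"\bsend\b.{0,40}\b(crypto(currency)?|bitcoin|btc|eth)\b", re.I | re.S),
    "guaranteed_multiplier": re.compile(r"\bdouble\b|\b[2-9]00\s?%|\b\dx\b", re.I),
    "short_deadline": re.compile(
        r"\b(next|within)\s+(\w+\s+)?(hours?|minutes?)\b", re.I),
}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_lookalikes(text, brand=BRAND, max_dist=3):
    """Words near the brand name but not equal to it ("normstorm" is distance 3)."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(w for w in words
                  if w != brand and abs(len(w) - len(brand)) <= max_dist
                  and edit_distance(w, brand) <= max_dist)

def triage(msg):
    """Score content only; a passing sender check never lowers the result."""
    text = f"{msg['subject']}\n{msg['body']}"
    hits = [name for name, rx in SIGNALS.items() if rx.search(text)]
    hits += [f"brand_lookalike:{w}" for w in brand_lookalikes(text)]
    risky = "crypto_transfer_request" in hits and len(hits) >= 2
    return {"signals": hits, "verdict": "quarantine" if risky else "deliver"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `auth_pass` field is carried in the sample but deliberately ignored by `triage`, since in this incident the message came from the company's real marketing address.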
