Scammers exploited GrubHub’s legitimate email infrastructure to target merchants with fake cryptocurrency promotions promising tenfold returns on Bitcoin, using addresses linked to the company’s official b.grubhub.com subdomain in what security experts describe as a sophisticated phishing campaign.
The fraudulent emails, which appeared to come from addresses including merry-christmas@b.grubhub.com and crypto-promotion@b.grubhub.com, told recipients they could receive $10,000 back for every $1,000 in Bitcoin sent to a specified wallet.
GrubHub confirmed it has contained the issue but did not disclose whether its email systems were compromised.
GrubHub Email Scam Uses Legitimate-Looking Domains
What makes the GrubHub email scam especially dangerous is how convincing it appears.
The emails originate from addresses linked to the legitimate b.grubhub.com subdomain, which GrubHub uses to communicate with merchant partners and restaurants.
Some of the fraudulent emails were sent from addresses such as merry-christmas@b.grubhub.com and crypto-promotion@b.grubhub.com, adding a troubling layer of authenticity.
Even more alarming, the messages included recipients’ real names, increasing the likelihood that users would trust the offer.
“If you send $1,000, we’ll send back $10,000,” one fraudulent message read—an unmistakable red flag common in crypto giveaway scams.
How the GrubHub Email Scam Works
At its core, the GrubHub email scam is a fake crypto reward campaign. Scammers lure victims into sending Bitcoin or other digital assets to wallets under their control, promising inflated returns that never materialize.
Cybersecurity experts note that similar scams have circulated for years, often impersonating celebrities, crypto exchanges, or major brands.
“Any offer guaranteeing returns—especially tenfold returns—is a scam,” warns blockchain security analyst Jake Moore of ESET. Once crypto is sent, it’s virtually impossible to recover.
The appearance of legitimate email infrastructure sparked speculation about a possible DNS takeover or email system compromise.
Such an attack could allow scammers to send emails that pass standard authentication checks.
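As an added illustration (not from the article or from Grubhub), the Python example below shows why a message that passes SPF, DKIM and DMARC still needs content triage: authentication only proves which domain sent the mail, so the lure itself has to be scored separately. The receiving host name mx.example.net, the function names, the two-signal quarantine rule and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Bitcoin address shapes: bech32 (bc1...) and legacy Base58 (1... / 3...).
BTC_ADDR = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)")          # dollar figures in the body
VERDICT = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", re.I)

def auth_verdicts(msg, trusted_authserv):
    """SPF/DKIM/DMARC verdicts, read only from headers our own MTA stamped."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue                              # could be sender-supplied
        for method, verdict in VERDICT.findall(rest):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def triage(raw, trusted_authserv="mx.example.net"):
    """Score content separately from authentication: a pass proves only origin."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    verdicts = auth_verdicts(msg, trusted_authserv)
    amounts = sorted({int(a.replace(",", "")) for a in AMOUNT.findall(body)})
    reasons = []
    if BTC_ADDR.search(body):
        reasons.append("wallet-address")
    if len(amounts) >= 2 and amounts[-1] >= 2 * amounts[0]:
        reasons.append("multiplied-return")
    return {
        "authenticated": all(verdicts.get(m) == "pass"
                             for m in ("spf", "dkim", "dmarc")),
        "reasons": reasons,
        "quarantine": len(reasons) == 2,
    }

# Constructed sample: sender address and wording follow the article; the
# receiving host, recipient name and wallet string are placeholders.
HEADERS = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
           "From: crypto-promotion@b.grubhub.com\n\n")
LURE = HEADERS + ("Hi Alex, send $1,000 in Bitcoin to bc1q" + "x" * 38 +
                  " and we'll send back $10,000.\n")
ROUTINE = HEADERS + "Hi Alex, your weekly payout of $1,000 has been scheduled.\n"

if __name__ == "__main__":
    print(triage(LURE))
    print(triage(ROUTINE))
```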
In response to the GrubHub email scam, the company acknowledged the issue but downplayed its scope.
“We’re aware of unauthorized messages that appear to have been sent by Grubhub to some of our merchant partners,” a Grubhub spokesperson said.
“We immediately investigated, contained the issue, and are taking steps to ensure it doesn’t happen again.”
The company described the incident as isolated and did not disclose further technical details.
GrubHub Email Scam Follows Earlier Data Exposure
The GrubHub email scam comes months after the company confirmed a separate security incident earlier this year.
Grubhub revealed that a hacker accessed a third-party support account, exposing names, email addresses, and phone numbers of customers, drivers, and merchants.
While Grubhub has not confirmed a direct link between the two events, cybersecurity experts say leaked data often fuels phishing campaigns.
“Even limited access can give attackers enough information to craft highly targeted scams,” Moore explained.
FBI Warns of Rising Holiday Scams
Federal authorities have repeatedly warned about scams surging during holiday periods. The FBI recently cautioned consumers that fraudsters exploit seasonal promotions and gift-buying urgency.
According to the FBI’s Internet Crime Complaint Center (IC3), Americans lost over $785 million to non-payment and non-delivery scams in 2024 alone, while credit card fraud accounted for an additional $199 million in losses.
The agency stressed that phishing emails—like those used in the GrubHub email scam—are among the most common entry points for financial theft and crypto wallet compromise.
How to Protect Yourself From the GrubHub Email Scam
Security experts urge users to remain skeptical of any unsolicited crypto offers. The FBI advises consumers to avoid clicking on suspicious links, never send cryptocurrency to unknown wallets, and verify promotions directly through official company channels.
“Legitimate companies do not ask users to send crypto in exchange for rewards,” the FBI reiterated in a recent advisory.
As crypto adoption grows, scams like the GrubHub email scam serve as a stark reminder: if an offer sounds too good to be true, it almost certainly is.