Unsolicited Cybersecurity Marketing Emails and Spam Reaching BitGo Support Inbox


Problem

The BitGo support inbox (support@bitgo.com) receives a high volume of unsolicited third-party marketing emails related to cybersecurity topics — including webinar invitations, threat intelligence newsletters, dark web monitoring promotions, ransomware training offers, and vendor sales pitches from companies such as SOCRadar, KnowBe4, Coinfirm, SANS Institute, Veza, TechCrunch, and others. These emails are not customer support requests and do not require technical troubleshooting. Occasionally, the cluster also captures misdirected messages such as job applications and general security questions from actual BitGo customers.

Diagnostics

  • Check the sender domain: Determine whether the email originates from a known marketing sender (e.g., no-reply@socradar.com, Coinfirm, KnowBe4, Veza, SANS, TechCrunch, Adventus, Meta Guards, QY Research, BrandCat/007domains) rather than an actual BitGo customer.
  • Check the ticket body for marketing indicators: Look for webinar registration links, newsletter formatting, promotional language ("Save My Seat," "Reserve Your Spot Now," "FREE for the first 99 participants"), unsubscribe links, or vendor product pitches.
  • Check whether the email was addressed to a BitGo address (e.g., nandish@bitgo.com, kyle@bitgo.com, or support@bitgo.com directly) by a third party rather than originating from a customer with an active BitGo account.
  • Check for legitimate customer requests buried in this cluster: A small number of tickets involve actual customers asking about account security enhancements (AI impersonation concerns), FTX settlement account setup difficulties, or job/internship inquiries. These require different handling.
  • For actual customer tickets: Verify the customer's enterprise/account in Salesforce (Bento) and check account status, KYC verification, and custody agreement signing status.
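The diagnostic checks above, sketched as a pre-triage helper that suggests a scenario for an agent to confirm. This is an added example, not BitGo tooling: the signal lists are taken from this page and the return labels reuse the scenario names from the Resolution section, while the domain-label matching, the thresholds, and the "manual-review" fallback are assumptions.

```python
import re

# Signal lists copied from this page's Diagnostics and Signals entries.
VENDOR_LABELS = {"socradar", "knowbe4", "coinfirm", "sans", "veza",
                 "techcrunch", "007domains"}
PROMO = ["save my seat", "reserve your spot", "unsubscribe", "webinar",
         "newsletter", "free for the first"]
CUSTOMER = {  # checked in order; the first scenario with a hit wins
    "ftx-customer-setup-confusion": ["ftx", "custody agreement", "authorize ip address"],
    "misdirected-job-application": ["internship", "apprenticeship", "resume", "job application"],
    "customer-account-security-concern": ["ai impersonation", "impersonation risk", "wallet polic"],
}

def sender_is_vendor(sender):
    # Assumption: the vendor name appears as a whole label of the sender's
    # domain, so "sans" matches sans.org but not "sanskrit.example".
    domain = sender.rsplit("@", 1)[-1].lower()
    return any(label in VENDOR_LABELS for label in domain.split("."))

def triage(sender, subject, body):
    """Return a suggested scenario; an agent still confirms before closing."""
    text = re.sub(r"\s+", " ", f"{subject} {body}").lower()
    promo_hits = sum(p in text for p in PROMO)
    # Known vendor plus promotional wording: spam, even if the pitch
    # happens to mention a customer-sounding topic.
    if sender_is_vendor(sender) and promo_hits >= 1:
        return "unsolicited-marketing-spam"
    # Customer scenarios outrank weak promo signals, so a real request
    # with an "unsubscribe" footer is not closed as spam.
    for scenario, phrases in CUSTOMER.items():
        if any(p in text for p in phrases):
            return scenario
    if promo_hits >= 2:
        return "unsolicited-marketing-spam"
    return "manual-review"

# Constructed sample tickets (not real messages).
SAMPLES = [
    ("no-reply@socradar.com", "Dark web webinar", "Save My Seat today. Unsubscribe here."),
    ("creditor@example.com", "FTX settlement", "I am confused about the IP address message."),
    ("user@example.com", "Security question", "How do I protect against AI impersonation?"),
    ("student@example.com", "Cybersecurity internship", "Attached is my resume."),
    ("events@example.net", "Ransomware training", "Reserve Your Spot Now for our webinar."),
    ("someone@example.org", "Hello", "Can you call me back?"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(*sample), "<-", sample[0])
```

Anything that matches no rule falls through to "manual-review" rather than being closed, which keeps the buried customer requests described above in front of an agent.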

Resolution


Scenario: threat-socradar-dark-cybersecurity#unsolicited-marketing-spam

Trigger: The ticket is an unsolicited marketing email from a third-party cybersecurity vendor (SOCRadar, KnowBe4, Coinfirm, SANS, Veza, TechCrunch, Adventus, QY Research, BrandCat, etc.) and contains no customer support request.

Signals: SOCRadar, webinar, dark web, ransomware, threat intelligence, newsletter, cybersecurity training, Save My Seat, Reserve Your Spot, unsubscribe, Coinfirm, KnowBe4, SANS, Veza, TechCrunch, BrandCat, 007domains, no-reply, marketing email

Steps:

  1. Confirm the email is marketing/spam by reviewing the sender, subject, and body for promotional content, webinar links, or vendor sales pitches.
  2. Do not reply to the sender.
  3. Close the ticket without further action. No customer resolution is required.
  4. If the same sender repeatedly creates tickets, consider flagging it to the internal IT or email administration team so spam filters can be updated to prevent these emails from generating Salesforce cases.

Notes: The vast majority of tickets in this cluster (approximately 40+ of the 50 samples) are pure marketing spam. They were auto-ingested into the ticketing system because they were sent to support@bitgo.com or to individual BitGo employee addresses that route into the support queue. No customer action or response is needed.


Scenario: threat-socradar-dark-cybersecurity#customer-account-security-concern

Trigger: An actual BitGo customer contacts support asking how to strengthen account security against AI impersonation or other emerging threats.

Signals: AI impersonation, added security, account security, impersonation risk, wallet policies, verification

Steps:

  1. Acknowledge the customer's concern about impersonation and emerging threats.
  2. Recommend configuring wallet policies that require additional verification for sensitive actions such as withdrawals, including policies that require live verification with the BitGo team before a transaction can be approved.
  3. Advise the customer to review and enforce strong internal controls: limit admin access, set appropriate approval thresholds, and regularly review wallet policies and user permissions.
  4. Explain that any scheduled video call conducted by BitGo Support with clients is manually assessed and validated by two teams (Support and Trust) before any request is approved, and that video call recordings are manually checked thoroughly.
  5. Let the customer know they can reach out for further assistance.

Notes: BitGo Support will never ask for passwords, API tokens, or keycard documents. Remind the customer of this if appropriate.

"To reduce the risk of impersonation and strengthen account security, we recommend configuring wallet policies that require additional verification for sensitive actions such as withdrawals. You could enable policies that require live verification with our team before a transaction can be approved."

"We acknowledge your concern about such risk, but here at BitGo any scheduled video call conducted by our Support team with clients is manually assessed and validated by 2 teams before any request is approved. This video call recording is manually checked thoroughly by both the Support and Trust teams."


Scenario: threat-socradar-dark-cybersecurity#ftx-customer-setup-confusion

Trigger: A customer is confused about setting up their BitGo-FTX account, experiencing IP authorization issues, or unsure about custody agreement requirements.

Signals: FTX, class action, settlement, IP address, custody agreements, confused, not tech savvy, Authorize IP address

Steps:

  1. Verify the customer's BitGo-FTX account status in Salesforce — confirm whether KYC is verified and whether Custody Agreements have been signed.
  2. If the customer reports an IP address-related message during login, instruct them to look for the email with subject line "Action Required: Authorize BitGo Login from" and click the "Authorize IP address" button in that email.
  3. Once logged in, instruct the customer to sign the Custody Agreements.
  4. After signing, instruct the customer to click on the "Trade" button to activate their Go Account Wallet.
  5. Direct the customer to the FTX FAQ page for additional context: https://www.bitgo.com/ftx-faq
  6. If the customer continues to have difficulty, offer further hands-on assistance.

Notes: Some customers in this cluster are not technically experienced and may need patient, step-by-step guidance. This scenario applies specifically to FTX settlement creditors, not general BitGo enterprise clients.

"I have been able to review your account and I confirm that the BitGo-FTX account is active and KYC verified. However, we noticed that you have not yet signed the Custody Agreements."

"you will need to click on the 'Authorize IP address' button in the email that you would have received with subject line 'Action Required: Authorize BitGo Login from'. Once you are able to log in to your account, please complete the following steps: Sign the Custody Agreements. Once signed, click on the Trade button to activate your Go Account Wallet."


Scenario: threat-socradar-dark-cybersecurity#misdirected-job-application

Trigger: The ticket is a job or internship application sent to support@bitgo.com instead of through proper HR channels.

Signals: internship, apprenticeship, cybersecurity, volunteer, resume, HR team, job application

Steps:

  1. Reply to the applicant directing them to the BitGo careers page: https://www.bitgo.com/company/careers
  2. Note that support@bitgo.com is not the appropriate channel for job-related inquiries.
  3. Optionally, forward the email internally to HR for awareness.
  4. Close the ticket.

Notes: Do not process job applications through the support queue. The careers page is the only proper avenue.

"Please refer to our careers page here - https://www.bitgo.com/company/careers and note that this is the only avenue to reach our HR team. And please do not send job-related enquiries to this email, which is meant for support issues only."

Related

  • ftx-settlement-account-setup — FTX creditor account setup, IP authorization, and custody agreement signing issues
  • wallet-policy-configuration — Configuring wallet policies for additional withdrawal verification and approval thresholds
  • none identified for the spam/marketing sub-topic; this is a queue hygiene issue rather than a product support topic