Nordstrom's email system abused to send crypto scams to customers
Nordstrom customers received fraudulent emails disguised as a promotion. The scammers used a sense of urgency to induce users to transfer cryptocurrency to a specified wallet address and promised to return double the amount. Although the emails came from an official address, they contained flaws such as spelling errors. Nordstrom has issued a warning stating that the message was unauthorized and stressing that it will never ask customers to transact using cryptocurrency.

2026-3-18 14:0:35 Author: www.bleepingcomputer.com

Customers of upscale department store chain Nordstrom received fraudulent messages from a legitimate company email address that promoted cryptocurrency scams disguised as a St. Patrick’s Day promotion.

The emails promise to double any cryptocurrency amount that recipients deposit to a specific wallet address over the next two hours.

"Send cryptocurrency to any of your unique deposit addresses below, and we'll send you right back 200% of the amount you sent," reads the fraudulent message.

Multiple customers reported on social media [1, 2] that they received such emails. Some said that the message arrived at an address that had never been exposed or leaked online.

By giving recipients only two hours to take action, the threat actor creates a sense of urgency that makes it more likely for Nordstrom customers to rush into the "deal" and fail to notice the signs of a scam, such as the incorrect spelling of the company in the heading, which reads “Normstorm.”

The scam email sent to Nordstrom customers
Source: X

However, any signs of deception could easily be ignored because the emails came from [email protected], an official address the company uses for sending marketing, sales, and promotional communication, indicating a security breach.

Nordstrom did not respond to BleepingComputer’s request for comments on the matter, but customers reported that the company sent out a warning email urging members to disregard the previous message, which was “unauthorized.”

“Nordstrom will never ask customers to transact or otherwise transfer funds using cryptocurrency,” warned the firm in its message to customers. “We are taking immediate action to investigate and address the issue,” the department store said.

The follow-up communication by the firm
Source: X

Nordstrom is a large fashion retailer in the U.S., selling clothing, shoes, beauty products, and accessories through physical department stores and online shops.

Founded in 1901, the company has millions of customers, employs 55,000 people, and has an annual revenue of over $15 billion.

It’s unclear if the unauthorized message reached the entire registered customer base of Nordstrom, but some recipients have already sent payments to the fraudster's wallet address.

The wallets used in the crypto scam show that the threat actor received a little over $5,600 in cryptocurrency since the emails were sent.

A source familiar with the incident told BleepingComputer that the security breach occurred via an Okta SSO > Salesforce compromise, and the scam emails were then sent to customers through Salesforce Marketing Cloud.

Although BleepingComputer couldn't confirm, this incident is similar to recent attacks on Betterment and GrubHub that also pushed crypto scams.

Nordstrom customers are advised to ignore the promotion message and not send any money or disclose sensitive data.

Suspicious content should be treated with caution, even when it comes from a trusted sender address, and any promotions should be verified by visiting the firm’s official website, communication channels, and social media profiles.
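The point above, that a trusted sender address says nothing about the content, as an added example (not code from BleepingComputer or Nordstrom): a content-only check for the scam signals this article names, namely a wallet address, a doubling promise, a short deadline and a misspelled brand. The sample message, its sender domain, the wallet address and the assumption that it passed SPF/DKIM/DMARC are constructed for illustration.

```python
import re
from email import message_from_string

BRAND = "nordstrom"  # brand the sending address belongs to
# Ethereum, Bitcoin bech32 and Bitcoin legacy address shapes.
WALLET = re.compile(r"\b(?:0x[a-fA-F0-9]{40}|bc1[a-z0-9]{25,59}"
                    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DOUBLING = re.compile(r"\b200\s?%|\bdoubl(?:e|ing)\b", re.I)
DEADLINE = re.compile(r"\b(?:\d+|one|two|three)\s+hours?\b", re.I)

def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def content_findings(raw_message):
    """Return scam indicators found in subject and body, ignoring the sender."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject") or "") + "\n" + msg.get_payload()
    findings = []
    if WALLET.search(text):
        findings.append("wallet-address")
    if DOUBLING.search(text):
        findings.append("doubling-promise")
    if DEADLINE.search(text):
        findings.append("deadline")
    # A word close to the brand name but not equal to it, e.g. "Normstorm".
    for tok in sorted(set(re.findall(r"[a-z]+", text.lower()))):
        if tok != BRAND and edit_distance(tok, BRAND) <= 3:
            findings.append("brand-lookalike:" + tok)
    return findings

# Constructed sample: authentication passes, the content is still a scam.
SAMPLE = (
    "From: promotions@retailer.example\n"
    "Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass\n"
    "Subject: Normstorm St. Patrick's Day Giveaway\n"
    "\n"
    "Send cryptocurrency to any of your unique deposit addresses below, and\n"
    "we'll send you right back 200% of the amount you sent.\n"
    "Offer ends in two hours.\n"
    "0x" + "0" * 40 + "\n"
)

if __name__ == "__main__":
    print(content_findings(SAMPLE))
```

The same checks can run on the sending side, against campaign content before it leaves the marketing platform, since a retailer has no reason to mail a wallet address at all.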

Update 3/18/26: Article updated to correct Salesforce Experience Cloud to Salesforce Marketing Cloud.


Article source: https://www.bleepingcomputer.com/news/security/nordstroms-email-system-abused-to-send-crypto-scams-to-customers/