Last week, Mandiant’s X (formerly Twitter) account was compromised due to a brute-force password attack. The hack was attributed to a drainer-as-a-service (DaaS) group, and it was revealed that the account did not have adequate protection due to changes in the company’s two-factor authentication policy. The attack allowed the threat actor to take control of the account and distribute links to a phishing page hosting a cryptocurrency drainer called CLINKSINK.
CLINKSINK has been used by multiple threat actors since December 2023 to steal funds and tokens from Solana cryptocurrency users. Affiliates are recruited by the DaaS operators to conduct the attacks, receiving a cut of the stolen assets. The activity cluster involved at least 35 affiliate IDs and 42 unique Solana wallet addresses, resulting in illegal profits of at least $900,000.
The attack involves the use of social media and chat applications to distribute cryptocurrency-themed phishing pages, enticing victims to connect their wallets to claim a fake token airdrop. Once the victim connects their wallet, they are prompted to sign a transaction that allows the drainer service to steal funds. The CLINKSINK drainer is designed to check the wallet balance and, once the victim has signed the fraudulent transaction, execute the theft.
The availability and low cost of drainers, combined with the potential for profit, make them attractive to financially motivated threat actors. Mandiant anticipates that these drainer operations will continue in the future due to the increasing value of cryptocurrency and the ease of entry into these operations. This incident follows a trend of attacks targeting legitimate Twitter accounts to spread cryptocurrency scams.
In a separate incident, the U.S. Securities and Exchange Commission’s (SEC) X account was breached and used to post a false claim that bitcoin exchange-traded products had been approved. This caused a brief spike in bitcoin prices. The hack was the result of an unidentified individual gaining control over a phone number associated with the account. The account did not have two-factor authentication enabled.