Mandiant X account hacked using Brute-Force Attack


January 11, 2024 | Newsroom | Cyber Security / Cryptocurrency

The hack of Mandiant’s

“Normally, (two-factor authentication) would have mitigated this, but due to some team moves and a change in X’s two-factor authentication policy, we were not adequately protected,” the threat intelligence firm said in a post shared on X.

The attack, which occurred on January 3, 2023, enabled the threat actor to take control of the company’s X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

Drainers are malicious scripts and smart contracts that facilitate the theft of digital assets from victims' wallets after the victims are tricked into approving transactions.

According to the Google-owned subsidiary, multiple threat actors are believed to have used CLINKSINK since December 2023 to steal funds and tokens from Solana (SOL) cryptocurrency users.

As observed with other drainers such as Angel Drainer and Inferno Drainer, affiliates are recruited by the drainer-as-a-service (DaaS) operators to carry out the attacks in exchange for a cut (usually 20%) of the stolen assets.

The identified set of activities includes at least 35 affiliate IDs and 42 unique Solana wallet addresses, collectively generating at least $900,000 in illegal profits.

The attack chains involve using social media and chat apps like X and Discord to distribute cryptocurrency-themed phishing pages that encourage targets to link their wallets to claim a bogus token drop.

“After linking their wallet, the victim is then asked to sign a transaction for the exchange service, allowing them to withdraw funds from the victim,” security researchers Zach Riddle, Joe Dobson, Lukasz Lamparski, and Stephen Eckels said.

CLINKSINK, a JavaScript drainer, is designed to open a path to the targeted wallets, check the current balance in the wallet, and ultimately carry out the theft after asking the victim to sign a fraudulent transaction. This also means that the attempted theft will not succeed if the victim declines the transaction.

The drainer has also spawned several variants, including Chick Drainer (or Rainbow Drainer), raising the possibility that the source code is available to multiple threat actors, allowing them to launch independent draining campaigns.

“The widespread availability and low cost of many drainers, combined with their relatively high profit potential, likely make them attractive operations for many financially motivated actors,” Mandiant said.


“Given the increase in cryptocurrency values and the lower barrier to entry for drains, we expect financially motivated threat actors with varying levels of sophistication to continue conducting drains for the foreseeable future.”

This development comes amid an increase in attacks targeting legitimate X accounts to spread cryptocurrency-related scams.

Earlier this week, the X account associated with the US Securities and Exchange Commission (SEC) was breached to falsely claim that the regulatory body had approved “the listing and trading of Bitcoin exchange-traded products,” which briefly sent Bitcoin prices soaring.

X has since revealed that the breach was the result of “an unknown person gaining control of a phone number associated with the @SECGov account through a third party,” and that two-factor authentication was not enabled on the account.
