On January 3, 2024, Mandiant, a subsidiary of Google Cloud, experienced a cyber attack on its X social media account [1] [2] [3] [4] [5] [6] [7]. The attack, known as “ClinkSink,” was carried out using a brute-force method to gain access to the account [7]. This incident is part of a series of X account hijackings that have affected well-known organizations [4], including the US Securities and Exchange Commission [4] [5].

Description

The attacker used the compromised account to distribute links to a phishing webpage that mimicked a legitimate X login portal [3]. Unsuspecting users who entered their credentials on the phishing page were redirected to a hidden page that stole their cryptocurrency funds [3]. Mandiant confirmed that only its X account was compromised and that no other systems were breached [3]. The investigation revealed that the attack was likely the result of a brute-force password attack and was limited to the company’s primary X account [7]. There is no evidence of compromise of any Mandiant or Google Cloud systems beyond the impacted account.

The attack was part of a larger operation called “ClinkSink,” which utilized a “Drainer-as-a-Service” model to steal Solana cryptocurrency [3]. The threat actors behind the hack were identified as a drainer-as-a-service (DaaS) group using the CLINKSINK crypto wallet drainer. These attackers targeted Solana wallets and used hijacked X and Discord accounts to share phishing pages impersonating popular crypto platforms [7].

The phishing pages were designed to lure victims with promises of free tokens and siphon funds into the attackers’ pockets. It is estimated that they have drained at least $900,000 from unsuspecting crypto enthusiasts [7]. The same group has been using CLINKSINK since December 2023 to steal funds and tokens from Solana users in various campaigns [7].

The actors behind these campaigns have used social media and chat applications to distribute phishing pages impersonating legitimate cryptocurrency resources such as Phantom [1], DappRadar [1] [2], and BONK [1]. These phishing pages load the malicious CLINKSINK JavaScript drainer code, which connects to victim wallets and steals funds [1]. The CLINKSINK file is obfuscated and targets the Phantom Desktop Wallet [1]. When the drainer loads, it contacts a server that responds with an AES-encrypted Telegram chat group ID and configuration [1]. The victim is asked to connect their Solana wallet [1], after which the malware makes requests to retrieve wallet details and asks the victim to sign a fraudulent transaction [1].

Mandiant has identified multiple CLINKSINK campaigns using different affiliate IDs and Solana wallet addresses [1], indicating a common DaaS [1]. The stolen funds are split between the affiliate and the DaaS operator [1]. The DaaS operator’s Solana address is B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h [1]. Some campaigns associated with the DaaS also sent funds to a different suspected operator address: MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1 [1].
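The drainer flow above ends with the victim signing a transaction that moves funds to the affiliate and the DaaS operator, and the following section notes that affiliates typically pass 20% of the proceeds to the operator. The script below is an added example, not code from Mandiant or from the page's sources: it applies three defensive heuristics to the outgoing transfers of a single Solana transaction (a transfer to one of the suspected operator addresses quoted above, a near-total drain of the wallet balance, and an 80/20 two-way split). The transaction data, the victim and affiliate addresses, and the 90% drain threshold are constructed assumptions for illustration.

```python
"""Heuristic review of a Solana transaction for CLINKSINK-style draining (added example)."""
from dataclasses import dataclass

# Suspected DaaS operator addresses reported by Mandiant [1].
KNOWN_OPERATOR_ADDRESSES = {
    "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h",
    "MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1",
}
LAMPORTS_PER_SOL = 1_000_000_000


@dataclass
class Transfer:
    """One SOL transfer instruction, already decoded from a transaction."""
    source: str
    destination: str
    lamports: int


def analyze_transaction(transfers, victim, balance_lamports,
                        operator_share=0.20, tolerance=0.02, drain_threshold=0.90):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    outgoing = [t for t in transfers if t.source == victim]
    total = sum(t.lamports for t in outgoing)
    # 1. Funds routed to an address already tied to the DaaS operator.
    for t in outgoing:
        if t.destination in KNOWN_OPERATOR_ADDRESSES:
            findings.append(f"transfer to known DaaS operator address {t.destination}")
    # 2. A single transaction that empties (almost) the whole wallet.
    if balance_lamports and total / balance_lamports >= drain_threshold:
        findings.append(f"sends {total / balance_lamports:.0%} of wallet balance in one transaction")
    # 3. Two recipients whose smaller share matches the affiliate/operator cut.
    if len(outgoing) == 2 and total:
        smaller = min(outgoing, key=lambda t: t.lamports)
        share = smaller.lamports / total
        if abs(share - operator_share) <= tolerance:
            findings.append(f"affiliate/operator style split: {share:.0%} to {smaller.destination}")
    return findings


# Constructed sample: a 10 SOL wallet signs a transaction paying an affiliate
# wallet (placeholder address) and the suspected operator address.
VICTIM = "VictimWalletPLACEHOLDER"
DRAIN_TX = [
    Transfer(VICTIM, "AffiliateWalletPLACEHOLDER", int(7.9 * LAMPORTS_PER_SOL)),
    Transfer(VICTIM, "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h", int(1.975 * LAMPORTS_PER_SOL)),
]
BENIGN_TX = [Transfer(VICTIM, "FriendWalletPLACEHOLDER", int(0.5 * LAMPORTS_PER_SOL))]

if __name__ == "__main__":
    for name, tx in (("drain", DRAIN_TX), ("benign", BENIGN_TX)):
        print(name, analyze_transaction(tx, VICTIM, 10 * LAMPORTS_PER_SOL) or ["no findings"])
```

The same check can be run over decoded transfers from any wallet-simulation or transaction-parsing tool before a user signs.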

Conclusion

This security breach highlights the importance of strong password protection and the need for organizations to regularly update their security measures. Mandiant has acknowledged that team transitions and a change in X’s 2FA policy contributed to the security lapse [4]. Additionally, approximately $900,000 worth of Solana cryptocurrency has been stolen by 35 CLINKSINK affiliates [4]. These affiliates typically share 20% of the stolen crypto with the DaaS operator [4], who has earned over $180,000 in SOL since New Year’s Eve [4] [5]. It is crucial for individuals and organizations to remain vigilant and take necessary precautions to protect their digital assets in the face of evolving cyber threats.

References

[1] https://www.mandiant.com/resources/blog/solana-cryptocurrency-stolen-clinksink-drainer-campaigns
[2] https://www.bankinfosecurity.com/blogs/top-takeaways-from-hijacking-mandiants-x-account-p-3552
[3] https://www.hackread.com/mandiant-x-account-hacked-brute-force-attack-clinksink/
[4] https://www.scmagazine.com/news/mandiant-x-twitter-hacker-linked-to-900k-cryptocurrency-phishing-scheme
[5] https://www.claytoncountyregister.com/news2/mandiant-x-twitter-hacker-linked-to-900k-cryptocurrency-phishing-scheme/988070/
[6] https://ciso2ciso.com/mandiants-x-account-hacked-by-crypto-drainer-as-a-service-gang-source-www-bleepingcomputer-com/
[7] https://www.infosecurity-magazine.com/news/mandiant-x-account-brute-force/