
    Mandiant’s X account was brute force cracked

    By techempire | January 11, 2024 | Editorial Department | Online Security/Cryptocurrency


    Mandiant’s X (formerly Twitter) account was compromised last week, likely as a result of a “brute force password attack,” with the company attributing the hack to a drainer-as-a-service (DaaS) group.

    “Usually, [two-factor authentication] could have mitigated this situation, but due to some team transitions and X 2FA policy changes, we were not fully protected,” the threat intelligence company explained in a post shared on X.

    The attack took place on January 3, 2023, and the attackers were able to take control of the company’s X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.

    Drainers refer to malicious scripts and smart contracts that steal digital assets from victims’ wallets after they are tricked into approving a transaction.


    Since December 2023, multiple threat actors are believed to have used CLINKSINK to steal funds and tokens from users of the Solana (SOL) cryptocurrency, according to the Google subsidiary.

    As observed in the case of other drainers such as Angel Drainer and Inferno Drainer, DaaS operators recruit affiliates to carry out attacks in exchange for a cut of the stolen assets (usually 20%).

    The identified cluster of activity involved at least 35 affiliate IDs and 42 unique Solana wallet addresses, with participants receiving a total of no less than $900,000 in illicit profits.

    The attack chain involves using social media and chat applications such as X and Discord to distribute cryptocurrency-themed phishing pages, encouraging targets to connect their wallets to obtain fake token airdrops.

    Security researchers Zach Riddle, Joe Dobson, Lukasz Lamparski, and Stephen Eckels said: “After connecting their wallet, the victim is then prompted to sign a transaction with the drainer service, allowing it to steal funds from the victim.”

    CLINKSINK is a JavaScript drainer designed to open a channel to a target wallet, check the current balance on the wallet, and ultimately complete the theft after asking the victim to sign a fraudulent transaction. This also means that if the victim refuses the transaction, the theft attempt will not succeed.

    The drainer has also spawned several variants, including Chick Drainer (or Rainbow Drainer), which raises the possibility that multiple threat actors may have access to the original code, allowing them to launch independent drainer campaigns.

    “The widespread availability and low cost of many drainers, coupled with their relatively high profit potential, may make them attractive to many financially motivated players,” Mandiant said.


    “Given the increasing value of cryptocurrencies and low barriers to entry for drainer operations, we expect that varying degrees of financially motivated threat actors will continue to conduct drainer operations for the foreseeable future.”

    This development comes amid an increase in attacks targeting legitimate X accounts to spread cryptocurrency scams.

    Earlier this week, the X account linked to the U.S. Securities and Exchange Commission (SEC) was breached, and false claims that regulators had approved “the listing of a Bitcoin spot exchange-traded product” caused a brief surge in Bitcoin prices.

    X has since disclosed that the hack occurred because “an unknown individual gained control of a phone number associated with the @SECGov account through a third party,” and that the account did not have two-factor authentication enabled.
