Mandiant revealed on Wednesday that its account on the social media platform X, formerly Twitter, was hacked as part of a cryptocurrency theft campaign that generated at least $900,000 for cybercriminals.
The X account of Mandiant, which is part of Google Cloud, was hijacked in early January and abused to promote a link to a fake website claiming to be affiliated with the legitimate Phantom cryptocurrency wallet.
Mandiant’s investigation revealed that the account was likely compromised as a result of a “brute-force password attack”, and noted that the incident only impacted a single account. It also pointed out that there was no evidence that Mandiant or Google Cloud systems were compromised in relation to this event.
“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” the company explained.
Mandiant has also published a blog post detailing the campaign as part of which its X account was targeted. The campaign, named ClinkSink, involved numerous threat actors using a so-called drainer-as-a-service (DaaS) to steal funds and tokens from owners of Solana cryptocurrency.
In the ClinkSink operation, cybercriminals have used applications such as X and Discord to distribute links to phishing pages purporting to be associated with legitimate cryptocurrency resources such as Bonk, DappRadar and Phantom.
“When a victim visits one of these phishing pages, they are lured into connecting their wallet in order to claim a token airdrop. After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim,” Mandiant explained.
Its researchers have identified 35 different affiliate IDs and 42 Solana wallet addresses associated with this campaign. An analysis showed that operators and affiliates earned at least $900,000, with roughly 80% of the funds typically going to affiliates and the rest to operators.
“Mandiant identified multiple, differently branded DaaS offerings that appear to use the ClinkSink drainer or variant, including ‘Chick Drainer’, which may now operate at least in part as ‘Rainbow Drainer’,” Mandiant said. “While it is plausible that these are operated by a common threat actor, there is some evidence that the ClinkSink source code is available to multiple threat actors, which could allow potentially unrelated threat actors to conduct independent draining and/or DaaS operations.”
Mandiant is not the only high-profile entity whose X account was hacked in recent days as part of a cryptocurrency scheme. Other victims include the US Securities and Exchange Commission (SEC), blockchain security firm CertiK, crypto price platform CoinGecko, Canadian senator Amina Gerba, Netgear, and Hyundai.