Connect with us

Hi, what are you looking for?



Mandiant Details How Its X Account Was Hacked

Mandiant’s X account was hacked as a result of a brute force attack as part of a cryptocurrency scheme that earned at least $900k.

Cryptocurrency ransomware payments

Mandiant revealed on Wednesday that its account on the social media platform X, formerly Twitter, was hacked as part of a cryptocurrency theft campaign that generated at least $900,000 for cybercriminals. 

The X account of Mandiant, which is part of Google Cloud, was hijacked in early January and abused to promote a link to a fake website claiming to be affiliated with the legitimate Phantom cryptocurrency wallet. 

Mandiant’s investigation revealed that the account was likely compromised as a result of a “brute-force password attack”, and noted that the incident only impacted a single account. It also pointed out that there was no evidence that Mandiant or Google Cloud systems were compromised in relation to this event. 

“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” the company explained.

Mandiant has also published a blog post detailing the campaign as part of which its X account was targeted. The campaign, named ClinkSink, involved numerous threat actors using a so-called drainer-as-a-service (DaaS) to steal funds and tokens from owners of Solana cryptocurrency. 

In the ClinkSink operation, cybercriminals have used applications such as X and Discord to distribute links to phishing pages purporting to be associated with legitimate cryptocurrency resources such as Bonk, DappRadar and Phantom. 

The phishing pages claim to offer cryptocurrency tokens through an airdrop and they host malicious JavaScript code designed to drain victims’ cryptocurrency wallets. 

“When a victim visits one of these phishing pages, they are lured into connecting their wallet in order to claim a token airdrop. After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim,” Mandiant explained.

Advertisement. Scroll to continue reading.

Its researchers have identified 35 different affiliate IDs and 42 Solana wallet addresses associated with this campaign. An analysis showed that operators and affiliates earned at least $900,000, with roughly 80% of the funds typically going to affiliates and the rest to operators. 

“Mandiant identified multiple, differently branded DaaS offerings that appear to use the ClinkSink drainer or variant, including ‘Chick Drainer’, which may now operate at least in part as ‘Rainbow Drainer’,” Mandiant said. “While it is plausible that these are operated by a common threat actor, there is some evidence that the ClinkSink source code is available to multiple threat actors, which could allow potentially unrelated threat actors to conduct independent draining and/or DaaS operations.”

Mandiant is not the only high-profile entity whose X account was hacked in recent days as part of a cryptocurrency scheme. Other victims include the US Securities and Exchange Commission (SEC), blockchain security firm CertiK, crypto price platform CoinGecko, Canadian senator Amina Gerba, Netgear, and Hyundai

Related: North Korean Hackers Have Stolen Over $3 Billion in Cryptocurrency: Report

Related: Google Feature Blamed for Retool Breach That Led to Cryptocurrency Firm Hacks 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.