Mandiant Details How Its X Account Was Hacked

Mandiant’s X account was hacked as a result of a brute force attack as part of a cryptocurrency scheme that earned at least $900k.

Mandiant revealed on Wednesday that its account on the social media platform X, formerly Twitter, was hacked as part of a cryptocurrency theft campaign that generated at least $900,000 for cybercriminals. 

The X account of Mandiant, which is part of Google Cloud, was hijacked in early January and abused to promote a link to a fake website claiming to be affiliated with the legitimate Phantom cryptocurrency wallet. 

Mandiant’s investigation revealed that the account was likely compromised as a result of a “brute-force password attack”, and noted that the incident only impacted a single account. It also pointed out that there was no evidence that Mandiant or Google Cloud systems were compromised in relation to this event. 

“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” the company explained.

Mandiant has also published a blog post detailing the campaign as part of which its X account was targeted. The campaign, named ClinkSink, involved numerous threat actors using a so-called drainer-as-a-service (DaaS) to steal funds and tokens from owners of Solana cryptocurrency. 

In the ClinkSink operation, cybercriminals have used applications such as X and Discord to distribute links to phishing pages purporting to be associated with legitimate cryptocurrency resources such as Bonk, DappRadar and Phantom. 

The phishing pages claim to offer cryptocurrency tokens through an airdrop and they host malicious JavaScript code designed to drain victims’ cryptocurrency wallets. 

“When a victim visits one of these phishing pages, they are lured into connecting their wallet in order to claim a token airdrop. After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim,” Mandiant explained.

Advertisement. Scroll to continue reading.

Its researchers have identified 35 different affiliate IDs and 42 Solana wallet addresses associated with this campaign. An analysis showed that operators and affiliates earned at least $900,000, with roughly 80% of the funds typically going to affiliates and the rest to operators. 

“Mandiant identified multiple, differently branded DaaS offerings that appear to use the ClinkSink drainer or variant, including ‘Chick Drainer’, which may now operate at least in part as ‘Rainbow Drainer’,” Mandiant said. “While it is plausible that these are operated by a common threat actor, there is some evidence that the ClinkSink source code is available to multiple threat actors, which could allow potentially unrelated threat actors to conduct independent draining and/or DaaS operations.”

Mandiant is not the only high-profile entity whose X account was hacked in recent days as part of a cryptocurrency scheme. Other victims include the US Securities and Exchange Commission (SEC), blockchain security firm CertiK, crypto price platform CoinGecko, Canadian senator Amina Gerba, Netgear, and Hyundai

Related: North Korean Hackers Have Stolen Over $3 Billion in Cryptocurrency: Report

Related: Google Feature Blamed for Retool Breach That Led to Cryptocurrency Firm Hacks 

Related Content


Former security engineer Shakeeb Ahmed was sentenced to prison for hacking and defrauding cryptocurrency exchanges.

Malware & Threats

Despite a surge in zero-day attacks, data shows that security investments into OS and software exploit mitigations are forcing attackers to find new attack...


Russia’s APT29 hacking group is expanding targets to political parties in Germany using a new backdoor variant tracked as Wineloader.

Data Protection

Praefortis is a new company pushing ethical and transparent recovery of lost or forgotten crypto wallet passwords.

Fraud & Identity Theft

The US seized approximately $1.4 million worth of Tether tokens suspected of being fraud proceeds from tech scams.


U.N. experts are investigating 58 suspected North Korean cyberattacks valued at approximately $3 billion, with the money reportedly being used fund development of weapons...


Daniel James Junk sentenced to six years in prison for stealing millions in cryptocurrency through SIM swapping.


$1.7 billion were stolen last year as a result of 231 cryptocurrency platform hacks, according to a report from Chainalysis. 

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version