Following the compromise of its X (formerly Twitter) account on January 3rd, 2024, Mandiant released an in-depth report on an emerging cyber threat, dubbed CLINKSINK, in which a hijacked social media account was used to distribute links leading to a cryptocurrency drainer phishing page. This sophisticated campaign did not breach Mandiant or Google Cloud systems, but it prompted an investigation into the broader use of the CLINKSINK drainer. The drainer, offered by a Drainer-as-a-Service (DaaS) gang, targets Solana (SOL) cryptocurrency users, siphoning funds and digital assets by deceiving victims into approving malicious transactions.
Mandiant traced CLINKSINK campaigns that have been active since December 2023 and linked them to at least 35 affiliate IDs, indicating a widespread operation involving multiple actors. These affiliates use the service to steal funds, handing over approximately 20% of the stolen assets to the DaaS operators. The operation represents a significant financial threat, with an estimated $900,000 in assets stolen. The phishing campaigns leveraging CLINKSINK have employed various lures, such as fake token airdrop-themed pages masquerading as legitimate cryptocurrency resources. Once lured, the victim is prompted to connect their wallet and sign a transaction that allows the drainer service to extract funds.
Mandiant's technical analysis shows that CLINKSINK first verifies the victim's wallet and then issues a series of requests to its server to carry out the theft: tracking the wallet, retrieving its balance, and prompting the victim to sign a fraudulent transaction. The investigation uncovered multiple affiliate IDs and Solana wallet addresses linked to these campaigns, highlighting their coordinated nature. The split of stolen funds between affiliates and DaaS operators varies, suggesting differing partnership arrangements or success rates among affiliates.
Mandiant's insights into CLINKSINK extend beyond this incident, revealing multiple DaaS offerings that use similar drainers, such as Chick Drainer and Rainbow Drainer. The possibility that these services share a common operator, coupled with the leak of the CLINKSINK source code, raises concerns about the proliferation of such attacks. The popularity of cryptocurrency-draining operations in underground forums and the relative ease of executing these attacks make them a lucrative option for financially motivated cybercriminals. Mandiant anticipates sustained interest in targeting cryptocurrency users, driven by rising cryptocurrency values and the low barrier to entry for conducting draining operations.
Mandiant's findings, and the incident itself, underscore the growing threat posed by DaaS gangs. In a related case, the X account of the United States Securities and Exchange Commission (SEC) fell prey to a similar attack on January 9th, 2024. As reported by The Record, this high-profile account takeover involved an unauthorized post falsely announcing the approval of bitcoin exchange-traded funds (ETFs). The SEC responded promptly, removing the misleading post within an hour of its publication. Such incidents further illustrate the cybersecurity risks posed by these threat actors.