The compromise of Mandiant's X (formerly Twitter) account last week was likely the result of a "brute-force password attack," attributing the hack to a drainer-as-a-service (DaaS) group.
"Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said in a post shared on X.
The attack, which took place on January 3, 2023, enabled the threat actor to take control of the company's X account and distribute links to a phishing page hosting a cryptocurrency drainer tracked as CLINKSINK.
Drainers refer to malicious scripts and smart contracts that facilitate the theft of digital assets from the victim's wallets after they are tricked into approving the transactions.
According to the Google-owned subsidiary, multiple threat actors are believed to have leveraged CLINKSINK since December 2023 to siphon funds and tokens from Solana (SOL) cryptocurrency users.
As observed in the case of other drainers like Angel Drainer and Inferno Drainer, affiliates are roped in by the DaaS operators to conduct the attacks in exchange for a cut (typically 20%) of the stolen assets.
The identified activity cluster involves at least 35 affiliate IDs and 42 unique Solana wallet addresses, collectively netting the actors no less than $900,000 in illegal profits.
The attack chains involve the use of social media and chat applications such as X and Discord to distribute cryptocurrency-themed phishing pages that encourage the targets to connect their wallets to claim a bogus token airdrop.
"After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim," security researchers Zach Riddle, Joe Dobson, Lukasz Lamparski, and Stephen Eckels said.
CLINKSINK, a JavaScript drainer, is designed to open a pathway to the targeted wallets, check the current balance on the wallet, and ultimately pull off the theft after asking the victim to sign a fraudulent transaction. This also means that the attempted theft will not succeed if the victim rejects the transaction.
The drainer has also spawned several variants, including Chick Drainer (or Rainbow Drainer), raising the possibility that the source code is available to multiple threat actors, allowing them to mount independent draining campaigns.
"The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors," Mandiant said.
"Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future."
The development comes amid an uptick in attacks targeting legitimate X accounts to spread cryptocurrency scams.
Earlier this week, the X account associated with the U.S. Securities and Exchange Commission (SEC) was breached to falsely claim that the regulatory body had approved the "listing and trading of spot bitcoin exchange-traded products," causing bitcoin prices to spike briefly.
X has since revealed the hack was the result of "an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third-party," and that the account did not have two-factor authentication enabled.
