
Mandiant X hijacking was part of US$900k crypto campaign

Cyber security firm Mandiant has revealed the details of exactly how its X (formerly Twitter) account was hijacked to advertise crypto wallet scams.

Daniel Croft
Fri, 12 Jan 2024

The hijacking occurred earlier this month, with the threat actor taking control of the account and changing its name to @phantomsolw in an effort to impersonate the Phantom crypto wallet.

Once the name was changed, the hackers wasted no time posting about a “promotion” in which wallet users could claim free $PHNTM tokens.

Users were directed to download the wallet from the legitimate site, but once they started using it, they had all their NFTs and crypto stolen.


Mandiant has since revealed that the incident was likely a result of a “brute-force password attack”.

“Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected. We’ve made changes to our process to ensure this doesn’t happen again,” said Mandiant.
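The brute-force password attack described above is the kind of activity an authentication log should surface before an account changes hands. The following Python example, added here and not part of the original article or of any Mandiant or X tooling, runs a simple sliding-window detector over constructed sample log lines: it flags an account once it accumulates a threshold of failed logins inside a time window, and raises a higher-severity alert if a success follows on that account, especially when the success carried no MFA. The log format, account names and IP addresses are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real X or Mandiant telemetry).
SAMPLE_LOG = """\
2024-01-03T10:00:01Z login_failed account=corp_sec src=198.51.100.7
2024-01-03T10:00:02Z login_failed account=corp_sec src=198.51.100.7
2024-01-03T10:00:03Z login_failed account=corp_sec src=198.51.100.8
2024-01-03T10:00:04Z login_failed account=corp_sec src=198.51.100.9
2024-01-03T10:00:05Z login_failed account=corp_sec src=198.51.100.7
2024-01-03T10:00:06Z login_success account=corp_sec src=198.51.100.9 mfa=none
2024-01-03T10:05:00Z login_failed account=alice src=203.0.113.5
2024-01-03T10:30:00Z login_success account=alice src=203.0.113.5 mfa=totp
"""

# Hypothetical line layout: timestamp, event, account, source IP, optional mfa field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_success) account=(?P<account>\S+) "
    r"src=(?P<src>\S+)(?: mfa=(?P<mfa>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for accounts that hit `threshold` failed logins within
    `window`, and for any later successful login on a flagged account.

    A success without MFA after a burst of failures is rated critical, because
    a password-only account is exactly what a brute-force attack can take over.
    """
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        acct, ts = ev["account"], ev["ts"]
        recent = failures[acct]
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["event"] == "login_failed":
            recent.append(ts)
            if len(recent) >= threshold and acct not in flagged:
                flagged.add(acct)
                alerts.append({"type": "bruteforce", "account": acct,
                               "failures": len(recent), "at": ts})
        elif acct in flagged:
            no_mfa = ev["mfa"] in (None, "none")
            alerts.append({"type": "success_after_bruteforce", "account": acct,
                           "mfa": ev["mfa"],
                           "severity": "critical" if no_mfa else "high",
                           "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts: a `bruteforce` alert for `corp_sec` after its fifth failure, then a `critical` `success_after_bruteforce` alert for the password-only login that follows. The single failure on `alice` never reaches the threshold, so her later TOTP-protected login is not flagged.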

It is worth noting that when the US Securities and Exchange Commission’s X account was hacked, X called the agency out for poor security because the account did not have 2FA (two-factor authentication) enabled.

Mandiant reiterated that only a single account was affected in the incident and that there was no evidence that either its own systems or Google Cloud’s were affected.

In addition, Mandiant has identified the wider hijacking campaign in which its account was used. According to a company blog post, a number of threat actors had been using a drainer-as-a-service (DaaS) to steal Solana cryptocurrency. Mandiant has dubbed the drainer and the campaign ClinkSink.

“The identified campaigns included at least 35 affiliate IDs that are associated with a common drainer-as-a-service (DaaS), which uses ClinkSink,” said Mandiant.

“The operator(s) of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20 per cent. We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000 USD.”

Mandiant reports that 80 per cent of the funds go to affiliates, while operators get the remaining 20 per cent.

The campaign works through phishing pages that claim to be from legitimate crypto institutions, which, in Mandiant’s case, was Phantom. These pages promise users free crypto, distributed through an airdrop, in exchange for connecting their wallet. However, the airdrop pages host malicious JavaScript that is capable of draining the connected wallet.

“When a victim visits one of these phishing pages, they are lured into connecting their wallet in order to claim a token airdrop. After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim.”

Mandiant also identified a number of DaaS scams that use the same ClinkSink drainer or a variant such as Rainbow Drainer or Chick Drainer.

“While it is plausible that these are operated by a common threat actor, there is some evidence that the ClinkSink source code is available to multiple threat actors, which could allow potentially unrelated threat actors to conduct independent draining and/or DaaS operations,” it said.
