Phishing, Identity, Threat Management

Mandiant X hacker linked to $900K cryptocurrency phishing scheme

In this photo illustration the Mandiant logo seen displayed on a smartphone and on the background. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Mandiant, a Google-owned cybersecurity company, says a “brute force password attack” likely caused the takeover of its X (formerly known as Twitter) account last week.

The account hijacking was part of a cryptocurrency phishing campaign linked to a drainer-as-a-service (DaaS) offering Mandiant calls CLINKSINK, according to a blog post detailing the company’s investigation.

An estimated $900,000 or more in Solana (SOL) cryptocurrency has been stolen in recent campaigns by 35 CLINKSINK affiliates identified in the Mandiant probe. These affiliates typically share about 20% of the stolen crypto with the DaaS operator, who raked in more than $180,000 in SOL since New Year’s Eve, according to the blog post.

Meanwhile, Mandiant is facing scrutiny after admitting that “some team transitions and a change in X’s 2FA policy” resulted in the security lapse that led to the hijacking.

Mandiant is one of several well-known organizations caught up in a recent string of X account hijackings, which most recently hit the U.S. Securities and Exchange Commission (SEC) in an incident that briefly shook up the Bitcoin market

Mandiant’s X/Twitter hack explanation, 2FA lapse questioned by critics

Mandiant noted in its blog post that no Mandiant or Google Cloud systems, other than its X account, were compromised in the hours-long incident on Jan. 3.

Referring to a likely “brute force” attack, the company’s statements published on X Wednesday afternoon seem to imply an attacker targeted the social media account by trying multiple passwords until they successfully logged in.

In replies to Mandiant's post, some critics noted that this explanation was questionable due to X’s policy of temporarily locking accounts after a “limited number of failed attempts” to log in.

“Not possible due to rate limitation except if the password was 123Password,” one user commented.

The exact number of failed attempts needed to trigger this measure is not provided by X, so SC Media tested the log in feature on a personal X account. We received a notice that the account was locked on the sixth attempt to log in with the wrong password.

No alerts about the failed log-in attempts were sent to the email address linked to the account, and we were also able to access the account, during the temporary lock out period, using the option to sign in with Google/Gmail.

Mandiant did not elaborate on the two-factor authentication (2FA) policy change that contributed to the breach, but this likely refers to X’s removal of the SMS 2FA option for non-Premium subscribers on March 20, 2023.

If this is the case, Mandiant’s account likely had no 2FA protection when it was compromised. X users can still use the authentication app or security key methods of 2FA for free.

“We’ve made changes to our process to ensure this doesn’t happen again,” Mandiant said in its statement.

A Google spokesperson declined to provide additional details about the incident to SC Media.

CLINKSINK affiliates impersonate legitimate crypto sites to drain wallets

After compromising Mandiant’s X account, which has more than 123,000 followers, the hijacker changed the account handle to @phantomsolw, impersonating the legitimate Phantom crypto wallet.

In a post on the hacked account, the CLINKSINK affiliate promoted a supposed opportunity to claim free $PHNTM tokens by clicking a link. Upon clicking the link, users would be urged to connect their Solana wallet and sign a transaction to claim the promotional token airdrop.

The JavaScript-based CLINKSINK drainer linked to the phishing site performs checks to verify that victims have the Phantom Desktop Wallet installed and is capable of surveying connected Solana wallets to check details, including balances. CLINKSINK is also set up to split the drained funds between the affiliate and operator accounts, usually at a ratio of 80% and 20%, respectively.

In the case of the Mandiant hijacking, the phishing scheme failed due to Phantom recognizing the site as malicious and blocking users from connecting their wallets, BleepingComputer reported.

The hijacker later deleted the phishing tweet and resorted to using the Mandiant account to mock the company with messages like “Check bookmarks when you get your account back.”  

Mandiant identified other legitimate crypto utilities like DappRadar and BONK being used in related CLINKSAFE campaigns across social media platforms, including X and Discord.

CertiK, Netgear and Hyundai Middle East & Africa (MEA) have also had their X accounts hacked in cryptocurrency-draining schemes this year, but there is no confirmation that these incidents were also linked to CLINKSINK.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.