Cybersecurity firm Mandiant has revealed the details of exactly how its X account (formerly Twitter) was hijacked to advertise crypto wallet scams.
The hijacking occurred earlier this month, when the threat actor took control of the account and changed its name to @phantomsolw in an effort to impersonate the Phantom crypto wallet.
Once modified, the hackers wasted no time in posting about a “promotion” where wallet users could claim free $PHNTM tokens.
Users were instructed to download the wallet from the legitimate site, but once they started using it, all their NFTs and cryptocurrencies were stolen.
Mandiant has since revealed that the incident was likely the result of a “brute force password attack.”
“Normally, 2FA would have mitigated this, but due to some team transitions and a change to X’s 2FA policy, we were not adequately protected. We have made changes to our process to ensure this does not happen again,” Mandiant said.
It is worth noting that when the US Securities and Exchange Commission’s X account was hacked, X criticized them for poor security due to the lack of 2FA (two-factor authentication).
Mandiant reiterated that only one account was affected in the incident and that there was no evidence that either its own systems or those of Google Cloud were affected.
Additionally, Mandiant has identified the hijacking campaign in which its account was affected. According to a blog post from the company, several threat actors had been using a drainer-as-a-service (DaaS) to steal Solana cryptocurrency. Mandiant has named both the drainer and the campaign ClinkSink.
“The identified campaigns included at least 35 affiliate IDs that are associated with a common Drain as a Service (DaaS), which uses ClinkSink,” Mandiant said.
“The operators of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, usually around 20 percent. We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000.”
Mandiant reports that 80 percent of the funds go to affiliates, while operators get the remaining 20 percent.
The campaign works through phishing pages claiming to be from legitimate crypto institutions, which, in Mandiant’s case, was Phantom. These pages then offer users free cryptocurrency, distributed via an airdrop, in exchange for connecting their wallet. However, the airdrop pages host malicious JavaScript capable of draining the connected wallet.
“When a victim visits one of these phishing pages, they are tempted to connect their wallet to claim a token airdrop. After connecting their wallet, the victim is asked to sign a transaction on the drain service, allowing them to siphon funds from the victim.”
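The flow just described (a lookalike page, a wallet-connect prompt, then a signing request that empties the wallet) gives a defender two things to check before a transaction is signed: where the request came from, and what it would move. The following Python is an added illustration, not code from Mandiant or from any wallet vendor. It assumes `phantom.app` as the legitimate domain of the impersonated brand (an assumption for the example; substitute the real allowlist for the wallet you care about), uses a simplified transaction model with constructed balances, and treats a request from a lookalike origin that moves roughly an entire balance as something to block rather than sign.

```python
"""Pre-sign triage for wallet-connect requests: origin lookalike checks plus
drain heuristics. Added example; domains, balances and thresholds are
constructed/assumed, not taken from the ClinkSink report."""
from dataclasses import dataclass

BRAND = "phantom"                 # brand the phishing pages impersonate
LEGIT_DOMAINS = {"phantom.app"}   # assumption: legitimate wallet domain(s)

# digits commonly swapped in for letters in lookalike hostnames
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_host(origin: str) -> str:
    """Reduce a page origin/URL to a lowercase host with homoglyphs undone."""
    host = origin.lower()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    host = host.split("/")[0].split(":")[0]
    if host.startswith("www."):
        host = host[4:]
    return host.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_origin(origin: str) -> str:
    """legitimate | typosquat | brand-impersonation | unknown"""
    host = normalize_host(origin)
    if host in LEGIT_DOMAINS:
        return "legitimate"
    if any(levenshtein(host, legit) <= 2 for legit in LEGIT_DOMAINS):
        return "typosquat"
    if BRAND in host:          # e.g. "<brand>-airdrop.example"
        return "brand-impersonation"
    return "unknown"


@dataclass
class SignRequest:
    origin: str
    transfers: dict   # asset -> amount the transaction would move out
    balances: dict    # asset -> amount the wallet currently holds (constructed)


def review_sign_request(req: SignRequest, drain_ratio: float = 0.9):
    """Return (verdict, reasons). A lookalike origin plus a near-total
    outflow is the drainer pattern described in the article."""
    reasons = []
    origin_class = classify_origin(req.origin)
    if origin_class in ("typosquat", "brand-impersonation"):
        reasons.append(f"origin {req.origin} looks like a {origin_class} of {BRAND}")
    drained = [
        asset for asset, amount in req.transfers.items()
        if req.balances.get(asset, 0) > 0 and amount >= drain_ratio * req.balances[asset]
    ]
    if drained:
        reasons.append("transaction moves nearly the entire balance of "
                       + ", ".join(sorted(drained)))
    if origin_class != "legitimate" and len(req.transfers) >= 3:
        reasons.append("non-allowlisted origin asks to move many assets at once")
    if reasons and origin_class != "legitimate":
        verdict = "block"
    elif reasons:
        verdict = "warn"   # trusted origin, unusual transaction: ask the user
    else:
        verdict = "allow"
    return verdict, reasons


if __name__ == "__main__":
    # constructed "airdrop" request: lookalike origin, every asset swept out
    drain = SignRequest(
        origin="https://phant0m-airdrop.xyz",
        transfers={"SOL": 12.4, "USDC": 310.0, "NFT:dd-1": 1},
        balances={"SOL": 12.5, "USDC": 310.0, "NFT:dd-1": 1},
    )
    print(review_sign_request(drain))
    print(review_sign_request(SignRequest("https://phantom.app", {"SOL": 0.5}, {"SOL": 12.5})))
```

The origin check is deliberately ordered: exact allowlist match first, then edit distance (which catches `phanton.app`), then a plain brand-substring test for longer names such as `phantom-airdrop.example` that edit distance would miss. A real wallet would get the transfer amounts from a transaction simulation rather than a dictionary, but the decision logic is the same.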
Mandiant also identified a number of DaaS scams that use the same ClinkSink drainer or a variant such as Rainbow Drainer or Chick Drainer.
“While they may be operated by a common threat actor, there is some evidence that the ClinkSink source code is available to multiple threat actors, which could allow potentially unrelated threat actors to perform drain operations and/or independent DaaS,” Mandiant said.