
Cybercriminals exploit Clinksink Drainer in $900,000 crypto theft


A few days back, Mandiant, a cybersecurity firm, found its social media account compromised in an attack that exposed a widespread campaign targeting Solana (SOL) cryptocurrency users. The attack was orchestrated through a drainer known as Clinksink and has stolen at least $900,000 in digital assets.

Researchers from the firm quickly began analysing the attack and published a detailed report. According to them, the Clinksink drainer has been a weapon of choice for malicious actors since December 2023.

These campaigns utilise deceptive social media and chat applications, such as Discord and X, to distribute cryptocurrency-themed phishing pages. Victims are enticed to interact with the drainer under the guise of claiming token airdrops from seemingly legitimate sources like Phantom, DappRadar, and Bonk.

Image: DappRadar phishing page. | Source: Mandiant

Mandiant’s analysis reveals that the identified campaigns involve at least 35 affiliate IDs connected to a common drainer-as-a-service (DaaS) using Clinksink. The operators of this service provide drainer scripts to affiliates, who receive a cut, typically around 20%, of the stolen funds.

The initial analysis of the Clinksink drainer uncovered its targeted approach. Designed specifically for the Phantom desktop wallet, the drainer executes a series of checks upon loading, making a POST request to a server that responds with an AES-encrypted Telegram chat group ID and configuration. This configuration contains crucial information, such as the affiliate and operator Solana wallet addresses, the percentage split of stolen funds, and settings controlling the drainer’s behaviour.
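The configuration described above is what an analyst wants to pull indicators from once it has been decrypted. The following is an added example, not code from the article or from Mandiant's report: it takes an already-decrypted configuration (the article does not disclose the AES key, mode, or the real field layout, so the JSON field names and the sample values are assumptions), validates that the affiliate and operator addresses are well-formed Solana public keys (32 bytes, base58-encoded), and computes the affiliate/operator payout split the report describes. The sample keys are SHA-256 digests of fixed strings, so they are syntactically valid but belong to nobody.

```python
"""Triage helper for a decrypted drainer configuration (added example).

Assumptions (not from the article): the decrypted config is a JSON object with
the field names used in SAMPLE_CONFIG below. The sample is constructed for
illustration only; the wallet addresses are derived from SHA-256 and are not IoCs.
"""
import hashlib
import json

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LAMPORTS_PER_SOL = 1_000_000_000  # 1 SOL = 10^9 lamports


def base58_encode(raw: bytes) -> str:
    """Encode bytes as Bitcoin/Solana-style base58 (each leading zero byte -> '1')."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = BASE58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def base58_decode(text: str) -> bytes:
    """Decode base58; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def is_solana_address(text: str) -> bool:
    """A Solana public key is a 32-byte ed25519 key, base58-encoded."""
    try:
        return len(base58_decode(text)) == 32
    except ValueError:
        return False


def split_stolen_funds(lamports: int, affiliate_pct: int):
    """Integer split of a drained amount; the operator keeps the remainder."""
    affiliate = lamports * affiliate_pct // 100
    return affiliate, lamports - affiliate


def triage_config(config_json: str) -> dict:
    """Extract wallet indicators and the payout split from a decrypted config.

    Malformed addresses and out-of-range percentages are reported as issues
    rather than raising, so a partially corrupted capture still yields indicators.
    """
    cfg = json.loads(config_json)
    issues = []
    wallets = {}
    for role in ("affiliate_wallet", "operator_wallet"):  # assumed field names
        addr = cfg.get(role, "")
        wallets[role] = addr
        if not is_solana_address(addr):
            issues.append(f"{role} is not a valid Solana public key: {addr!r}")
    pct = int(cfg.get("affiliate_percent", 0))  # assumed field name
    if not 0 <= pct <= 100:
        issues.append(f"affiliate_percent out of range: {pct}")
    return {
        "telegram_chat_id": cfg.get("telegram_chat_id"),
        "wallets": wallets,
        "affiliate_percent": pct,
        "issues": issues,
    }


# Constructed sample: the keys are SHA-256 digests of fixed strings, so they are
# well-formed 32-byte public keys that belong to no one.
AFFILIATE = base58_encode(hashlib.sha256(b"constructed-affiliate").digest())
OPERATOR = base58_encode(hashlib.sha256(b"constructed-operator").digest())
SAMPLE_CONFIG = json.dumps({
    "telegram_chat_id": "-1000000000000",  # placeholder, not a real chat ID
    "affiliate_wallet": AFFILIATE,
    "operator_wallet": OPERATOR,
    "affiliate_percent": 20,               # the ~20% affiliate cut from the report
})

if __name__ == "__main__":
    report = triage_config(SAMPLE_CONFIG)
    print(json.dumps(report, indent=2))
    aff, op = split_stolen_funds(5 * LAMPORTS_PER_SOL, report["affiliate_percent"])
    print(f"5 SOL drained -> affiliate {aff / LAMPORTS_PER_SOL} SOL, "
          f"operator {op / LAMPORTS_PER_SOL} SOL")
```

The address check is deliberately structural only: a well-formed 32-byte key says nothing about whether the address is on-curve or funded, so the extracted wallets should be cross-referenced against on-chain activity before being treated as confirmed indicators.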

Unaware of the malicious activity, victims are prompted to connect their Solana wallet, enabling the drainer to siphon funds from their accounts. The stolen funds are then split between the affiliate and the service operator(s). Mandiant identified specific Solana addresses associated with the DaaS operator, providing a glimpse of the stolen funds.

Image: Chick Drainer leaked Telegram channel. | Source: Mandiant

The investigation also uncovered multiple DaaS offerings using the Clinksink drainer, including Chick Drainer and the potentially rebranded Rainbow Drainer. Researchers believe a common threat actor may be operating these services; they also uncovered evidence suggesting that the Clinksink source code is available to multiple threat actors, enabling independent draining operations.

Researchers cautioned that with the rising value of Solana’s native cryptocurrency, SOL, financially motivated threat actors are likely to continue exploiting the low barrier to entry in drainer operations, posing an ongoing threat to the cryptocurrency community.

“Mandiant has observed a sustained level of threat actor interest in targeting cryptocurrency users and services in recent years, a trend which we anticipate will likely increase given the overall rising values of cryptocurrencies. The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors,” said the researchers.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
