Cyber Heist: Mandiant's Social Media Used in $900K Solana Crypto Phishing Scam
January 10, 2024
On January 3, 2024, Mandiant's social media was hacked to distribute links to a cryptocurrency phishing page.
The phishing campaign used a drainer called CLINKSINK to steal funds from Solana cryptocurrency users.
At least 35 affiliate IDs were identified in a drainer-as-a-service (DaaS) operation that used CLINKSINK, with stolen funds estimated to be around $900,000 USD.
The CLINKSINK file targets the Phantom Desktop Wallet and splits stolen funds between the affiliate and the DaaS operator.
Mandiant has discovered multiple DaaS offerings using CLINKSINK or its variants.
The CLINKSINK source code is available to multiple actors, enabling more threat actors to conduct their own draining operations.
Mandiant has observed a rise in cryptocurrency draining operations, particularly related to Solana.
Mandiant predicts that threat actors will continue to target cryptocurrency due to its increasing value.
Mandiant provides a YARA rule to help identify CLINKSINK drainer activity, but it requires validation.