Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns

Numerous actors have conducted campaigns since December 2023 that leverage the CLINKSINK drainer to steal funds and tokens from Solana (SOL) cryptocurrency users. The identified campaigns included at least 35 affiliate IDs that are associated with a common drainer-as-a-service (DaaS), which uses CLINKSINK. The operator(s) of this DaaS provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20%. We estimate the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000 USD.


Overview of CLINKSINK Drainer Campaigns

In some recently observed campaigns, threat actors used social media and chat applications, including X and Discord, to distribute cryptocurrency-themed phishing pages that entice victims to interact with the CLINKSINK drainer. The observed CLINKSINK phishing domains and pages have leveraged a wide range of fake token airdrop-themed lures masquerading as legitimate cryptocurrency resources, such as Phantom, DappRadar, and BONK.

When a victim visits one of these phishing pages, they are lured into connecting their wallet in order to claim a token airdrop. After connecting their wallet, the victim is then prompted to sign a transaction to the drainer service, which allows it to siphon funds from the victim.

Initial Analysis of CLINKSINK

The analyzed CLINKSINK file is obfuscated by an unknown JavaScript obfuscator. On page load, the sample verifies that the victim has the Phantom Desktop Wallet installed. Once that check passes, it makes a POST request to a URL containing a highly offensive term. The server responds with an AES-encrypted Telegram chat group ID and configuration.

The user is asked to connect their Solana wallet. Once the victim has connected their Solana wallet, the malware makes a request to a second URL containing the connected wallet address. The server performs a lookup on the wallet and returns wallet details including the current balance. If the server returns valid wallet details, the malware makes a request to a third URL containing additional wallet details and the CLINKSINK affiliate website. It then asks the victim to sign a fraudulent transaction. If they reject the transaction, the attempted theft will fail.
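Because the theft only succeeds once the victim approves the signing prompt, the prompt itself is the natural place for a defensive check. The following is an added example, not code from this post, from Mandiant, or from any wallet vendor: a pre-signature inspection heuristic that summarises what signing would authorise and scores the risk. The decoded-transaction shape, the placeholder addresses, the function names (`summariseOutflows`, `inspectTransaction`) and the thresholds are illustrative assumptions; only the two suspected operator addresses are taken from the post.

```javascript
// Added example (not code from the Mandiant post or any wallet vendor): a
// pre-signature inspection heuristic of the kind a wallet extension could run
// before showing the "sign this transaction" prompt. The decoded-transaction
// shape is a constructed simplification, NOT the Solana wire format and NOT
// the @solana/web3.js object model.

const LAMPORTS_PER_SOL = 1_000_000_000;

// Suspected DaaS operator wallets named in the post; a wallet could block or
// warn on any outbound transfer to them.
const KNOWN_DRAINER_ADDRESSES = new Set([
  "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h",
  "MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1",
]);

// Instructions are {kind, from|owner, to, lamports|amount, mint} (constructed).
// Collect everything that would leave the user's wallet if they signed.
function summariseOutflows(tx, wallet) {
  let solOut = 0;
  const tokenOut = [];
  const destinations = new Set();
  for (const ix of tx.instructions) {
    if (ix.kind === "sol_transfer" && ix.from === wallet) {
      solOut += ix.lamports;
      destinations.add(ix.to);
    } else if (ix.kind === "token_transfer" && ix.owner === wallet) {
      tokenOut.push({ mint: ix.mint, amount: ix.amount, to: ix.to });
      destinations.add(ix.to);
    }
  }
  return { solOut, tokenOut, destinations };
}

// ctx = { wallet, balanceLamports, expectedDirection: "receive"|"send",
//         trustedDestinations: Set<string> }
function inspectTransaction(tx, ctx) {
  const RANK = { low: 0, medium: 1, high: 2 };
  const { solOut, tokenOut, destinations } = summariseOutflows(tx, ctx.wallet);
  const reasons = [];
  let risk = "low";
  const flag = (level, why) => {
    reasons.push(why);
    if (RANK[level] > RANK[risk]) risk = level;
  };

  for (const dest of destinations) {
    if (KNOWN_DRAINER_ADDRESSES.has(dest)) {
      flag("high", `destination ${dest} is a known drainer address`);
    } else if (!ctx.trustedDestinations.has(dest)) {
      flag("medium", `destination ${dest} has never been used from this wallet`);
    }
  }
  // A genuine airdrop claim should move nothing OUT of the victim's wallet.
  if (ctx.expectedDirection === "receive" && (solOut > 0 || tokenOut.length > 0)) {
    flag("high", "user expects to receive an airdrop but the transaction sends assets out");
  }
  const share = ctx.balanceLamports > 0 ? solOut / ctx.balanceLamports : 0;
  if (share >= 0.9) {
    flag("high", `SOL transfer is ${Math.round(share * 100)}% of the balance (near-total drain)`);
  }
  return { risk, reasons, solOut: solOut / LAMPORTS_PER_SOL, tokenOut };
}

// ---- constructed sample data (placeholders, not real addresses) ----
const VICTIM = "VictimWallet_placeholder";
const AFFILIATE = "AffiliateWallet_placeholder";
const FRIEND = "TrustedContact_placeholder";

// What a fake "claim your airdrop" page might actually ask the user to sign:
// 99% of the SOL balance plus a token balance, all to an unknown address.
const DRAIN_TX = {
  instructions: [
    { kind: "sol_transfer", from: VICTIM, to: AFFILIATE, lamports: 9_900_000_000 },
    { kind: "token_transfer", owner: VICTIM, to: AFFILIATE, mint: "TokenMint_placeholder", amount: 5_000_000 },
  ],
};
const AIRDROP_CTX = {
  wallet: VICTIM,
  balanceLamports: 10 * LAMPORTS_PER_SOL,
  expectedDirection: "receive",
  trustedDestinations: new Set([FRIEND]),
};

// An ordinary small payment to a previously used contact, for comparison.
const BENIGN_TX = {
  instructions: [{ kind: "sol_transfer", from: VICTIM, to: FRIEND, lamports: 250_000_000 }],
};
const PAYMENT_CTX = { ...AIRDROP_CTX, expectedDirection: "send" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(inspectTransaction(DRAIN_TX, AIRDROP_CTX));   // risk: "high", three reasons
  console.log(inspectTransaction(BENIGN_TX, PAYMENT_CTX));  // risk: "low", no reasons
}
```

The three signals are deliberately independent: the known-address list catches reuse of the operator wallets reported here, the direction check catches the core trick of the airdrop lure (a "claim" that actually sends), and the balance-share check catches a near-total outflow even when the destination is fresh and the lure is not airdrop-themed.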

Distribution of Stolen Solana Cryptocurrency Funds

Mandiant identified recent CLINKSINK campaigns using at least 35 different affiliate IDs and 42 unique Solana wallet addresses. The stolen funds are split between the affiliate and the service operator(s) based on a set percentage that is retrieved from the drainer service using the affiliate's ID. In these recent campaigns, a portion of funds were sent to the following Solana address, which we assess is associated with the DaaS operator: B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h.

At least some campaigns associated with this same DaaS sent funds to a different suspected operator address: MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1. Initial analysis indicates that 80% of stolen funds generally go to the affiliate whereas 20% of stolen funds go to the operator(s). Since December 31, 2023, at least 1,491 SOL plus numerous underlying tokens, worth a combined total of over $180,000 USD, were sent to the aforementioned B8Y1d… address. Given that the operator typically receives 20%, we estimate that these recent campaigns may have stolen at least $900,000 USD in digital assets from victims.


Multiple DaaS Offerings Use CLINKSINK

Mandiant identified multiple, differently branded DaaS offerings that appear to use the CLINKSINK drainer or a variant of it, including “Chick Drainer,” which may now operate at least in part as “Rainbow Drainer.” While it is plausible that these are operated by a common threat actor, there is some evidence that the CLINKSINK source code is available to multiple threat actors.

On December 23, 2023, a message was posted in the @chickdrainer Telegram channel stating the channel had moved to @Rainbow. Mandiant identified a Telegram channel created on December 23, 2023, named “@ChickDrainerLeaked” which contains posts claiming that the Chick Drainer source code was leaked, and to contact an actor for the code. The @ChickDrainerLeaked channel also includes several forwarded messages from the @RainbowDrainer channel, suggesting they are operated by a common actor.

Outlook and Implications

Over the past year, Mandiant has observed a multitude of actors distributing drainers and advertising draining tools and services on underground forums. This CLINKSINK activity is particularly notable as it appears to coincide with the rising value of Solana’s native “SOL” cryptocurrency.

Mandiant has observed a sustained level of threat actor interest in targeting cryptocurrency users and services in recent years, a trend which we anticipate will likely increase given the overall rising values of cryptocurrencies. The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors. Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future.