Recent Campaigns Exploit CLINKSINK Drainer to Steal Solana Cryptocurrency
Since December 2023, a series of campaigns has used the CLINKSINK drainer to steal funds and tokens from Solana (SOL) cryptocurrency users. Drainers are malicious scripts and smart contracts that siphon funds and digital assets from victims who are tricked into authorizing a transaction. The identified campaigns involved at least 35 affiliate IDs tied to a common drainer-as-a-service (DaaS) offering built on CLINKSINK; the operators of this service provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds.
CLINKSINK Drainer: Overview and Analysis
In these campaigns, threat actors have used social media and chat applications to distribute cryptocurrency-themed phishing pages that lure victims into interacting with the CLINKSINK drainer. The pages masquerade as legitimate cryptocurrency resources, such as token airdrops from well-known platforms including Phantom, DappRadar, and BONK. Once a victim connects their wallet and signs the transaction the page presents, that signature authorizes transfers out of the wallet, and the drainer moves the victim's SOL and tokens to attacker-controlled addresses.
Analysis of CLINKSINK reveals obfuscated JavaScript that targets the Phantom desktop wallet. On load, the sample checks for the presence of the wallet and then makes a POST request to a specific URL. The server responds with an AES-encrypted Telegram chat group ID and a configuration describing the drainer service, including the Solana wallet addresses that receive stolen funds, the percentage split between affiliate and operator, and other settings.
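The flow described above ends with the victim signing a transaction whose balance changes they never reviewed. As an added illustration (not code from the Mandiant report or from CLINKSINK), the following is a heuristic pre-signing check that a wallet or browser extension could run over the balance changes produced by simulating a transaction. The input shape mirrors the `meta` object Solana JSON-RPC returns for a transaction (`preBalances`/`postBalances` in lamports indexed like `accountKeys`, and `preTokenBalances`/`postTokenBalances` keyed by `accountIndex`); the 90% outflow threshold, the placeholder account names and the two sample transactions are assumptions constructed for this example.

```javascript
// Added example, not code from the Mandiant report or from CLINKSINK: a
// heuristic pre-signing check over the balance changes of a simulated Solana
// transaction. Input mirrors the JSON-RPC transaction `meta` object.
// Thresholds, account names and sample transactions are constructed.

// Collect per-account lamport deltas and per-token-account balance deltas.
function balanceDeltas(meta) {
  const sol = meta.accountKeys.map((key, i) => ({
    key,
    pre: BigInt(meta.preBalances[i]),
    post: BigInt(meta.postBalances[i]),
  }));

  // Token balances are reported per token account; pair pre and post by accountIndex.
  const tokens = new Map();
  for (const t of meta.preTokenBalances || []) {
    tokens.set(t.accountIndex, {
      owner: t.owner, mint: t.mint,
      pre: BigInt(t.uiTokenAmount.amount), post: 0n,
    });
  }
  for (const t of meta.postTokenBalances || []) {
    const entry = tokens.get(t.accountIndex) || { owner: t.owner, mint: t.mint, pre: 0n, post: 0n };
    entry.post = BigInt(t.uiTokenAmount.amount);
    tokens.set(t.accountIndex, entry);
  }
  return { sol, tokens: [...tokens.values()] };
}

// Returns { drain, reasons, recipients } for the wallet identified by walletPubkey.
// A transaction is flagged when it moves out almost all of the wallet's SOL or
// empties any token account the wallet owns. recipients lists every other
// account (or token-account owner) that is credited, which is what the user
// should compare against where they believe the funds are going.
function assessTransaction(meta, walletPubkey, opts = {}) {
  const maxSolOutflowRatio = opts.maxSolOutflowRatio ?? 0.9; // assumed threshold
  const { sol, tokens } = balanceDeltas(meta);
  const reasons = [];
  const recipients = new Set();

  const me = sol.find((a) => a.key === walletPubkey);
  if (!me) throw new Error('wallet account is not part of this transaction');
  const outflow = me.pre - me.post; // transfers plus fee, in lamports
  if (me.pre > 0n && outflow > 0n) {
    const ratio = Number(outflow) / Number(me.pre);
    if (ratio >= maxSolOutflowRatio) {
      reasons.push(`SOL outflow is ${(ratio * 100).toFixed(2)}% of balance (${outflow} lamports)`);
    }
  }

  for (const a of sol) {
    if (a.key !== walletPubkey && a.post > a.pre) recipients.add(a.key);
  }

  for (const t of tokens) {
    if (t.owner === walletPubkey && t.pre > 0n && t.post === 0n) {
      reasons.push(`token account for mint ${t.mint} is emptied (${t.pre} base units)`);
    }
    if (t.owner !== walletPubkey && t.post > t.pre) recipients.add(t.owner);
  }

  return { drain: reasons.length > 0, reasons, recipients: [...recipients] };
}

// Constructed placeholder account identifiers (not real Solana addresses).
const VICTIM = 'VictimWallet1111111111111111111111111111111';
const AFFILIATE = 'AffiliateWallet111111111111111111111111111';
const OPERATOR = 'OperatorWallet1111111111111111111111111111';
const FRIEND = 'FriendWallet111111111111111111111111111111';
const VICTIM_TOKEN_ACCT = 'VictimTokenAcct111111111111111111111111111';
const THIEF_TOKEN_ACCT = 'ThiefTokenAcct1111111111111111111111111111';
const MINT = 'ExampleMint1111111111111111111111111111111';

// Constructed drain: a 2 SOL wallet is left with 0.000995 SOL after a 5000-lamport
// fee, the rest is split 80/20 between affiliate and operator, and the wallet's
// entire token balance is moved to an attacker-owned token account.
const DRAIN_META = {
  accountKeys: [VICTIM, AFFILIATE, OPERATOR, VICTIM_TOKEN_ACCT, THIEF_TOKEN_ACCT],
  preBalances:  [2000000000, 0, 0, 2039280, 2039280],
  postBalances: [995000, 1599200000, 399800000, 2039280, 2039280],
  preTokenBalances: [
    { accountIndex: 3, mint: MINT, owner: VICTIM, uiTokenAmount: { amount: '500000000000', decimals: 5 } },
    { accountIndex: 4, mint: MINT, owner: AFFILIATE, uiTokenAmount: { amount: '0', decimals: 5 } },
  ],
  postTokenBalances: [
    { accountIndex: 3, mint: MINT, owner: VICTIM, uiTokenAmount: { amount: '0', decimals: 5 } },
    { accountIndex: 4, mint: MINT, owner: AFFILIATE, uiTokenAmount: { amount: '500000000000', decimals: 5 } },
  ],
};

// Constructed benign transfer: 0.1 SOL to a known contact plus the 5000-lamport fee.
const BENIGN_META = {
  accountKeys: [VICTIM, FRIEND],
  preBalances:  [2000000000, 500000000],
  postBalances: [1899995000, 600000000],
  preTokenBalances: [],
  postTokenBalances: [],
};

console.log(JSON.stringify(assessTransaction(DRAIN_META, VICTIM), null, 2));
console.log(JSON.stringify(assessTransaction(BENIGN_META, VICTIM), null, 2));
```

The check deliberately works on simulated balance changes rather than on the instruction list, because a drainer's transaction can be assembled from ordinary System Program and SPL Token transfers that look unremarkable individually; what distinguishes it is the aggregate effect on the signer's accounts and the fact that two unrelated accounts (the affiliate's and the operator's) are credited in one transaction.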
Distribution of Stolen Funds in CLINKSINK Campaigns
Mandiant has identified at least 35 distinct affiliate IDs and 42 unique Solana wallet addresses associated with recent CLINKSINK campaigns. Stolen funds are typically split between the affiliate and the DaaS operator according to the percentage set in the drainer configuration. In these campaigns, a portion of the stolen funds was sent to a single Solana address believed to belong to the DaaS operator. The total value of assets stolen by affiliates in these campaigns is estimated at no less than $900,000 USD.
Multiple DaaS Offerings Utilize CLINKSINK Drainer
Mandiant has also found multiple DaaS offerings that appear to use CLINKSINK or a variant of it. One such offering is known as "Chick Drainer" and may now operate partially as "Rainbow Drainer." It is unclear whether these offerings are run by the same threat actor, but there is evidence that the CLINKSINK source code has leaked and is being used by multiple actors, which opens the door to independent draining operations and to further DaaS offerings built on the same code.
Outlook and Implications of CLINKSINK Drainer Campaigns
The popularity of cryptocurrency draining operations has grown over the past year, with actors distributing drainers and advertising draining tools on underground forums. The CLINKSINK activity is notable for tracking the rising value of Solana's native token (SOL). As cryptocurrency prices rise, financially motivated threat actors are likely to target cryptocurrency users and services with even greater frequency. The availability and low cost of drainers, coupled with the potential for significant profit, make them attractive to a wide range of actors, so drainer operations are expected to persist for the foreseeable future.
In conclusion, CLINKSINK has become a key tool in recent campaigns to steal funds and tokens from Solana cryptocurrency users. The distribution of stolen funds, the presence of multiple DaaS offerings, and the growing interest in draining operations underscore the ongoing threat to cryptocurrency users and services. As the cryptocurrency market continues to thrive, users should treat unsolicited airdrop links with suspicion, verify any claim through a project's official channels, review the balance changes their wallet shows in its transaction preview before signing, and keep high-value holdings in a hardware or separate wallet that is never connected to unfamiliar sites.
Analyst comment
This news can be evaluated as negative. The recent campaigns using the CLINKSINK drainer pose a significant threat to Solana cryptocurrency users, whose funds and tokens are being stolen. The number of affiliate IDs and Solana wallet addresses involved indicates a broad affiliate base. The availability and low cost of drainers make them attractive to threat actors, and as the cryptocurrency market continues to grow, these operations are expected to persist. Users must remain vigilant and review every transaction before signing it in order to protect their assets.