Massive Solana Heist: CLINKSINK Drainer Campaigns Swipe Nearly $1M Worth Of SOL

12 January 2024

In a recent report released by Mandiant, a threat intelligence and cybersecurity company, alarming details have emerged about the widespread exploitation of Solana users through a campaign known as CLINKSINK. 

The report sheds light on the nature of these drainer campaigns, which have resulted in the loss of nearly $1 million worth of SOL tokens.

CLINKSINK Campaign Targets Solana Investors

According to the report, The CLINKSINK campaign, identified by Mandiant, involves malicious actors leveraging drainers – malicious scripts and smart contracts – to steal funds and digital assets, including non-fungible tokens (NFTs), from unsuspecting victims’ cryptocurrency wallets. 

These campaigns have been active since December 2023 and have employed at least 35 affiliate IDs associated with a drainer-as-a-service (DaaS) utilizing CLINKSINK.

The modus operandi of the CLINKSINK campaign involves distributing cryptocurrency-themed phishing pages through social media platforms like X and chat applications like Discord. 

These pages, masquerading as legitimate cryptocurrency resources like Phantom, DappRadar, and BONK, entice victims to interact with the CLINKSINK drainer. Once victims connect their wallets to claim an alleged token airdrop, they are prompted to sign a transaction that allows the drainer service to siphon funds from their wallets.

Mandiant’s investigation revealed that the stolen funds are divided between the affiliate and the service operator(s) based on a predetermined percentage. 

The analysis indicates that, on average, 80% of the stolen funds go to the affiliate, while the remaining 20% go to the operator(s). However, the operator’s cut can vary between 5% and 25%, potentially influenced by factors such as partnerships or reduced fees for successful affiliates.

Since the end of December 2023, at least 1,491 SOL tokens and numerous underlying tokens, with a combined value of over $180,000, were traced to a specific Solana address associated with the DaaS operator. 

Based on this data, Mandiant estimates that these recent campaigns have stolen at least $900,000 in digital assets. However, it is important to note that some of the funds sent to the operator’s wallet might originate from their drainer campaigns or transfers not subject to the percentage split.

Mandiant Warns Of Growing Trend

Mandiant’s report also highlights the availability and low cost of CLINKSINK drainers in underground forums, indicating a growing trend of financially motivated threat actors targeting cryptocurrency users and services. 

The rising value of Solana’s native cryptocurrency, SOL, has likely contributed to the surge in CLINKSINK activity. Furthermore, the CLINKSINK source code’s apparent leakage could enable unrelated threat actors to conduct independent draining operations or establish their own DaaS offerings.

As the value of cryptocurrencies continues to rise, Mandiant predicts an increase in financially motivated threat actors conducting drainer operations. 

The ease of access and potential profitability of these campaigns make them an attractive prospect for cybercriminals of varying levels of sophistication.

Cryptocurrency users and investors are urged to exercise caution and employ robust security measures to protect their digital assets. Increased awareness and vigilance within the cryptocurrency community will be crucial in mitigating the risks posed by the CLINKSINK drainer and similar threats.

Featured image from Shutterstock, chart from TradingView.com

Need help?

Please use the contact form to get support.