Keypoints
- Mandiant investigated CLINKSINK after the compromise of its X account was used to distribute links; the drainer was observed in multiple campaigns since December 2023.
- CLINKSINK is delivered via phishing pages impersonating legitimate crypto services (Phantom, DappRadar, BONK) that prompt users to connect Phantom wallets and sign transactions.
- The drainer JavaScript (sample MD5 8650e83da50bd726f77311b729905c0d) is obfuscated and contacts ontopothers[.]com to POST an affiliate identifier and receive AES-encrypted configuration and Telegram chat IDs.
- The server-side configuration contains affiliate/operator Solana addresses, a payout split (commonly ~80% affiliate / ~20% operator), and behavioral flags; stolen funds flow to operator addresses such as B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h.
- Mandiant identified at least 35 affiliate IDs, 42 unique Solana addresses, and estimates recent campaigns may have stolen at least $900,000 USD in assets.
- CLINKSINK source code overlap suggests multiple DaaS offerings (e.g., Chick Drainer / Rainbow Drainer) and possible leaks that could expand use by other actors; a YARA rule is provided for hunting.
MITRE Techniques
- [T1566.001] Spearphishing Link – Actors distributed links via social media and chat apps to lure victims to phishing pages. (‘used social media and chat applications, including X and Discord, to distribute cryptocurrency-themed phishing pages’)
- [T1036] Masquerading – Phishing pages impersonated legitimate crypto services (Phantom, DappRadar, BONK) to appear trustworthy. (‘fake token airdrop-themed lures masquerading as legitimate cryptocurrency resources, such as Phantom, DappRadar, and BONK’)
- [T1027] Obfuscated Files or Information – The CLINKSINK JavaScript sample is obfuscated to hinder analysis. (‘The analyzed CLINKSINK file … is obfuscated by an unknown JavaScript obfuscator.’)
- [T1204.001] User Execution: Malicious Link – Victims are induced to connect wallets and sign transactions, enabling theft when they approve. (‘lured into connecting their wallet in order to claim a token airdrop… prompted to sign a transaction to the drainer service’)
- [T1071.001] Application Layer Protocol: Web Protocols – The drainer posts affiliate identifiers and retrieves AES-encrypted configuration from ontopothers[.]com. (‘it makes a POST request to a URL at the domain ontopothers[.]com’ and ‘The server responds with an AES-encrypted Telegram chat group ID and configuration’)
Indicators of Compromise
- [File hash] CLINKSINK sample – MD5 8650e83da50bd726f77311b729905c0d
- [Domain] Command/config endpoint – ontopothers[.]com
- [Solana addresses] Operator/payment receivers – B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h, MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1, and 40+ affiliate/operator addresses
- [Affiliate IDs] DaaS affiliate identifiers observed – null696969, aa1731a, and many others (35+ IDs)
- [Telegram chat IDs] Chat/group identifiers returned in config – -1002032238930 and multiple other negative chat IDs listed in the full report's affiliate table
The CLINKSINK drainer operates as a client-side JavaScript payload embedded in phishing pages that impersonate legitimate Solana services. On load the obfuscated script checks for Phantom Desktop Wallet presence, then POSTs an affiliate identifier to ontopothers[.]com using a hardcoded key; the server replies with an AES-encrypted payload containing a Telegram group ID and a JSON configuration (including affiliate and operator Solana addresses, payout split, minimum values, and UI/behavior flags). The sample analyzed (MD5 8650e83da50bd726f77311b729905c0d) uses these values to control presentation and targeting.
After the victim connects a Phantom wallet to the page, the script sends the connected wallet address to the service for a balance lookup; the server returns the wallet's asset details, or ‘null’ if that wallet has already been submitted. If the wallet is worth draining, the drainer requests a transaction from the service and presents it for signature under the airdrop-claim pretext; the transaction moves assets out of the wallet, so the theft only succeeds if the victim approves the Phantom signing prompt, and rejecting it leaves the funds in place. Once signed, the funds are routed to the affiliate-controlled address and the operator's configured split address, with observed splits typically around 80% to the affiliate and 20% to the operator.
The infrastructure and artifacts indicate a drainer-as-a-service model with at least 35 affiliates, multiple branded offerings sharing the same code base (e.g., Chick Drainer / Rainbow Drainer), and indications that the source code may have leaked, which would let additional actors deploy it. Hunting artifacts include the sample hash, activity to ontopothers[.]com, the affiliate IDs and Telegram chat IDs, and the operator Solana addresses listed above; the full report provides a YARA rule built on characteristic solanaWeb3 and Phantom strings for detection tuning. Those strings also occur in legitimate Solana dApps, so a YARA hit should be corroborated with the domain or address indicators rather than treated as a verdict on its own.
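The hunting workflow the two paragraphs above describe, as an added example (this is not Mandiant's tooling or the report's YARA rule). It triages a JavaScript blob for the solanaWeb3/Phantom markers plus the ontopothers[.]com endpoint, pulls Solana addresses, affiliate IDs and Telegram chat IDs out of a decrypted configuration regardless of its field names, checks them against the indicators listed on this page, and models the affiliate/operator payout split. The sample script text, the config layout and its field names, and the affiliate address 7Z4ACmTJe9qm6mE6GbkF9KRRZFHXVKNKxQZtMG9rLUKz are constructed for the demonstration; only the domain, operator addresses, affiliate IDs and chat ID come from the page.

```python
"""Hunting helpers for CLINKSINK-style Solana drainer artifacts.

Added example, not Mandiant's tooling. Indicator values come from the report;
the sample script, config layout, field names and affiliate address are
constructed for this demonstration.
"""
import json
import re

# Indicators taken from the report.
KNOWN_DOMAINS = {"ontopothers.com"}
KNOWN_OPERATOR_ADDRESSES = {
    "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h",
    "MszS2N8CT1MV9byX8FKFnrUpkmASSeR5Fmji19ushw1",
}
KNOWN_AFFILIATE_IDS = {"null696969", "aa1731a"}
KNOWN_TELEGRAM_CHATS = {"-1002032238930"}

# Strings the report's YARA rule is described as keying on. The real rule is
# not reproduced here; this is an approximation for first-pass triage.
MARKER_STRINGS = ("solanaWeb3", "Phantom")

# Solana public keys are 32 bytes, base58 encoded: 32-44 characters from the
# base58 alphabet (no 0, O, I, l). Lookarounds stop partial matches inside
# longer base58 runs.
_B58 = "1-9A-HJ-NP-Za-km-z"
BASE58_PUBKEY_RE = re.compile(rf"(?<![{_B58}])[{_B58}]{{32,44}}(?![{_B58}])")
# Telegram supergroup/channel IDs in the drainer config are negative with a
# -100 prefix, as in -1002032238930.
TELEGRAM_CHAT_RE = re.compile(r"-100\d{9,13}")

LAMPORTS_PER_SOL = 1_000_000_000


def score_script(js_text: str) -> dict:
    """Triage a JavaScript blob for CLINKSINK-style markers.

    solanaWeb3/Phantom alone are common in benign dApps, so the verdict is
    'suspicious' only when the C2/config domain is present as well; both
    markers without the domain yields 'review'.
    """
    markers = [m for m in MARKER_STRINGS if m in js_text]
    # Defanged IOCs are written ontopothers[.]com; normalise before matching.
    text = js_text.replace("[.]", ".")
    domains = sorted(d for d in KNOWN_DOMAINS if d in text)
    if domains:
        verdict = "suspicious"
    elif len(markers) == len(MARKER_STRINGS):
        verdict = "review"
    else:
        verdict = "benign"
    return {"markers": markers, "domains": domains, "verdict": verdict}


def extract_config_indicators(config_text: str) -> dict:
    """Pull Solana addresses, affiliate IDs and Telegram chat IDs out of a
    decrypted drainer configuration, whatever its schema, and flag the ones
    already known from the report."""
    addresses = sorted(set(BASE58_PUBKEY_RE.findall(config_text)))
    chats = sorted(set(TELEGRAM_CHAT_RE.findall(config_text)))
    affiliates = sorted(a for a in KNOWN_AFFILIATE_IDS if a in config_text)
    return {
        "addresses": addresses,
        "known_operator_addresses": sorted(set(addresses) & KNOWN_OPERATOR_ADDRESSES),
        "telegram_chats": chats,
        "known_telegram_chats": sorted(set(chats) & KNOWN_TELEGRAM_CHATS),
        "known_affiliate_ids": affiliates,
    }


def payout_split(amount_lamports: int, affiliate_pct: int, operator_pct: int) -> dict:
    """Model the affiliate/operator split dictated by the config (report: ~80/20).
    Works in integer lamports; any rounding remainder goes to the operator so
    the two shares always sum to the drained amount."""
    if affiliate_pct + operator_pct != 100:
        raise ValueError("split percentages must sum to 100")
    affiliate = amount_lamports * affiliate_pct // 100
    return {"affiliate": affiliate, "operator": amount_lamports - affiliate}


# Constructed stand-in for a drainer landing-page script (not the real sample).
SAMPLE_JS = (
    "const c=window.solanaWeb3;if(!window.solana||!window.solana.isPhantom){}"
    "fetch('https://ontopothers[.]com/api',{method:'POST',body:'id=aa1731a'})"
)

# Constructed config in the shape the report describes; field names and the
# affiliate address are assumptions, the operator address and chat ID are real IOCs.
SAMPLE_CONFIG = json.dumps({
    "affiliate_id": "aa1731a",
    "affiliate_address": "7Z4ACmTJe9qm6mE6GbkF9KRRZFHXVKNKxQZtMG9rLUKz",
    "operator_address": "B8Y1dERnVNoUUXeXA4NaCHiB9htcukMSkfHrFsTMHA7h",
    "split": {"affiliate": 80, "operator": 20},
    "telegram_chat": "-1002032238930",
    "min_sol": 0.01,
})

if __name__ == "__main__":
    print(score_script(SAMPLE_JS))
    print(extract_config_indicators(SAMPLE_CONFIG))
    print(payout_split(5 * LAMPORTS_PER_SOL, 80, 20))
```

Run it as a module to see the triage result for the constructed sample; in practice feed `score_script` the scripts pulled from a suspected phishing page and `extract_config_indicators` the decrypted server response, and treat a `suspicious` verdict or any known-address hit as the trigger for blocking the domain and tracing the operator addresses on-chain.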