American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam.
As of writing, the account has been restored on the social media platform.
It’s currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to “@phantomsolw” to impersonate the Phantom crypto wallet service, according to MalwareHunterTeam and vx-underground.
Specifically, the scam posts from the account advertised an airdrop scam that urged users to click on a bogus link and earn free tokens, with follow-up messages asking Mandiant to “change password please” and “check bookmarks when you get account back.”
Mandiant, a leading threat intelligence firm, was acquired by Google in March 2022 for $5.4 billion. It is now part of Google Cloud.
“The Mandiant Twitter account takeover could have happened [in] a number of ways,” Rachel Tobac, CEO of SocialProof Security, said on X.
“Some folks are giving the advice to turn on MFA to prevent ATO and of course that is a good idea always *but it’s also possible that someone in Support at Twitter was bribed or compromised which allowed the attacker access to Mandiant’s account*.”
When reached for comment, a Mandiant spokesperson told The Hacker News that it’s aware of the incident impacting the X account and that it has regained control over the account.
The development comes as CloudSEK revealed that cyber criminals are brute-forcing and hijacking verified Gold accounts on X and selling them on the dark web for up to $2,000 per account. Furthermore, threat actors have been observed to target dormant accounts associated with legitimate organizations to upgrade them to the Gold tier.
The compromised accounts are then used to post links to malicious domains, urge their followers to join random channels based on cryptocurrency, and propagate spam.
“Information stealer malware has a centralized botnet network, where credentials from infected devices are harvested,” security researcher Rishika Desai said. “These credentials are then further validated according to buyers’ requirements, such as individual or corporate accounts, number of followers, region-specific accounts, etc.”
(The story was updated after publication to include a response from Mandiant.)