Mandiant’s account on the social media platform X, formerly Twitter, was hacked on Wednesday and abused to lure users to a website designed to steal cryptocurrency from victims. 

The account of Mandiant, which is part of Google Cloud, was renamed to ‘Phantom’ and its profile image and description were updated to appear affiliated with the legitimate Phantom cryptocurrency wallet.

Messages posted on the hijacked account promoted a website hosted at claim-phntm.com, which claimed to distribute cryptocurrency tokens through an airdrop. In reality, the site is designed to steal users’ cryptocurrency.

The hacked account was later used to troll the cybersecurity firm, telling it to change its password.

Mandiant immediately took action to recover the account, but the hacker regained control at one point during the recovery process.

Researchers at MalwareHunterTeam, who have been monitoring the incident, noted that it did not take Mandiant long to recover the account, considering that it has taken some X users days or even more to regain complete control of their account following a hacker attack.

While the hacker posted a message urging Mandiant to change its password, in many cases social media account hijacking involves abusing a third-party service rather than a direct attack on the account.

SecurityWeek has reached out to Mandiant for more information and will update this article if the company provides additional details.

Major web browsers currently flag the domain promoted by the hacker as a potential phishing site.

This incident occurred just as cybersecurity company CloudSEK published a report on X Gold accounts being sold on the dark web, in some cases for thousands of dollars. These accounts can be highly useful for phishing, disinformation and other types of campaigns.