Victims of a recent $50 million exploit at DeFi lender Radiant Capital faced further turmoil when a web3 security firm mistakenly directed them to a wallet drainer while attempting to offer assistance.
On October 17, security startup Ancilia came under fire for its oversight after it linked victims to a fraudulent X account posing as Radiant Capital, luring users to a malicious site crafted to drain their assets through approval phishing tactics.
Initial Reporting of the Exploit
Ancilia was the first to alert the community about the exploit on October 16, revealing that Radiant Capital’s smart contracts on the BNB Chain and Arbitrum had been compromised via the ‘transferFrom’ function. This vulnerability enabled attackers to siphon off over $50 million in assets, including USDC, WBNB, and ETH.
In response to the breach, Radiant Capital urged users to revoke all approvals through Revoke.cash, a tool designed to help disconnect wallets from potentially harmful smart contracts, thereby preventing further losses. The attackers had managed to seize control of several private keys, which granted them authority over the DeFi protocol’s multi-signature wallet by transferring ownership.
Misguided Guidance from Ancilia
Unfortunately, cybercriminals exploited the situation, creating fake accounts on X to impersonate Radiant Capital and disseminate fraudulent links disguised as Revoke.cash. Ancilia, unaware of the scam, inadvertently shared a post encouraging users to “follow the link,” which led directly to the wallet drainer.
If victims clicked on the link and connected their wallets, they risked granting the scammers permissions that would enable them to drain funds.
Community members quickly identified Ancilia’s blunder and criticized the firm’s negligence, given its status as a “trusted” security entity. Following the backlash, Ancilia removed the post, issued an apology, and redirected users to the authentic Radiant Capital account.
The Nature of Scams in Web3
The seriousness of these scams is underscored by the fact that malicious actors conduct these approval phishing campaigns from hijacked X accounts that often feature the golden verification checkmark, typically assigned to legitimate organizations on the platform.
By slightly modifying the account names and handles, scammers can easily deceive web3 users. In this instance, they altered the name to “Radiarnt Capital” instead of “Radiant Capital” and changed the handle to “@RDNTCapitail” instead of “@RDNTCapital.” While these variations may seem trivial, many users overlook them at first glance.
As of this writing, several phishing posts linked to Ancilia’s account were still active.
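A defender-side check for the lookalike names described above, as an added example that is not part of the original article: it compares a handle, display name or link host against a verified allowlist and flags near-misses by edit distance. The allowlist entries come from the article; the function names and the distance threshold of 2 are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Allowlist built from the names in the article; extend only with values you have verified.
OFFICIAL_HANDLES = {"rdntcapital"}
OFFICIAL_NAMES = {"radiant capital"}
OFFICIAL_HOSTS = {"revoke.cash"}

def normalize(text):
    """Fold case and Unicode compatibility forms, drop a leading '@' and outer whitespace."""
    return unicodedata.normalize("NFKC", text).strip().lstrip("@").casefold()

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1, rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]

def classify(value, official, max_distance=2):
    """Return 'official' on exact match, 'lookalike' on a near miss, else 'unknown'."""
    candidate = normalize(value)
    if candidate in official:
        return "official"
    if any(edit_distance(candidate, known) <= max_distance for known in official):
        return "lookalike"
    return "unknown"  # not verified; 'unknown' never means safe

def classify_link(url):
    """Classify a link by its exact hostname; a longer host that merely contains the name fails."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return classify(host, OFFICIAL_HOSTS)

if __name__ == "__main__":
    for handle in ("@RDNTCapital", "@RDNTCapitail"):
        print(handle, classify(handle, OFFICIAL_HANDLES))
    print("Radiarnt Capital", classify("Radiarnt Capital", OFFICIAL_NAMES))
```

Only an exact match counts as official; the check does not cover visually confusable characters from other scripts, which need a separate confusables mapping.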
Rising Threat of Impersonation Scams
Impersonation scams have become a prevalent tactic for defrauding crypto investors, with scammers frequently masquerading as genuine projects to lure victims onto phishing platforms. Earlier this year, cybersecurity firm SlowMist reported that over 80% of comments under posts from major crypto projects were scams. Additionally, a ScamSniffer report highlighted that this tactic had become the go-to strategy for scammers, resulting in millions of dollars in losses for crypto investors in February.
Just a day before this latest incident, similar campaigns were aimed at WLFI investors, and scammers had previously targeted Revoke Cash users in early September by impersonating the service and promoting a malicious site through Google Ads.
This incident marks the second time Radiant Capital has faced an exploit this year, with hackers successfully stealing $4.5 million from the protocol in a flash loan attack in January.