Web3 Security Firm's Error Exposes Victims of $50 Million Exploit to Wallet Drainer

Victims of the recent exploit at DeFi lender Radiant Capital faced further complications when a web3 security firm mistakenly shared a link to a wallet drainer while trying to assist them.
On October 17, the security startup Ancilia came under fire for its misstep after directing victims to an X account impersonating the DeFi lender, leading users to a malicious site designed to drain their assets through approval phishing.
Ancilia initially reported the exploit on October 16: Radiant Capital’s smart contracts on BNB Chain and Arbitrum were compromised through the ‘transferFrom’ function, enabling attackers to siphon over $50 million in assets, including USDC, WBNB, and ETH.
In response to the breach, Radiant Capital urged users to revoke all approvals using Revoke.cash, a tool that allows users to disconnect their wallets from potentially harmful smart contracts to prevent further losses. This precaution was essential as attackers had gained control of multiple private keys, allowing them to manage the DeFi protocol’s multi-signature wallet.
Seizing the opportunity, crypto scammers impersonated Radiant Capital on X and promoted fake links mimicking the Revoke.cash platform. Ancilia, unaware of the scam, inadvertently shared this fake post, encouraging users to “follow the link,” which directed them to the wallet drainer.
Victims who clicked the link, connected their wallets, and approved the requested permissions could have their funds stolen.
Sharp-eyed community members quickly pointed out Ancilia’s error, criticizing the security firm for its negligence as a “trusted” security account. Following the backlash, Ancilia deleted the post, issued an apology, and redirected users to the official Radiant Capital account.
The seriousness of these scams is underscored by the fact that bad actors often orchestrate approval phishing campaigns from hijacked X accounts that typically carry the golden verification checkmark, reserved for verified organizations on the platform. By making slight modifications to the account name and handle, scammers can deceive web3 users. In this case, the account was altered to “Radiarnt Capital” instead of “Radiant Capital,” with the handle changed to “@RDNTCapitail” instead of “@RDNTCapital.” Although these changes may seem minor, many users overlook them at first glance.
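The one-character changes described above can be caught mechanically by comparing an account against an allow-list of official identities rather than trusting the verification badge. The Python sketch below is an added example, not code from the article or from any tool it mentions; the function names and the distance threshold of 2 are assumptions, and the only real values are the handles and display names quoted above.

```python
import unicodedata

# Allow-list of official identities (values quoted in the article).
OFFICIAL_HANDLES = ["RDNTCapital"]
OFFICIAL_NAMES = ["Radiant Capital"]

def normalize(s: str) -> str:
    """Case-fold, apply NFKC (folds e.g. fullwidth letters) and keep only
    letters and digits, so '@', spaces and punctuation do not hide a match."""
    s = unicodedata.normalize("NFKC", s).casefold()
    return "".join(ch for ch in s if ch.isalnum())

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent swap, e.g. 'ai' vs 'ia'
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def closest(candidate: str, official: list) -> int:
    """Smallest distance from the candidate to any official value."""
    c = normalize(candidate)
    return min(osa_distance(c, normalize(o)) for o in official)

def check_account(handle: str, name: str, max_dist: int = 2) -> str:
    """Classify an account as 'official', 'lookalike' or 'unrelated'.
    Only an exact handle match is official: display names are free text,
    so a copied name on a different handle is still a lookalike."""
    if closest(handle, OFFICIAL_HANDLES) == 0:
        return "official"
    near_handle = closest(handle, OFFICIAL_HANDLES) <= max_dist
    near_name = closest(name, OFFICIAL_NAMES) <= max_dist
    return "lookalike" if near_handle or near_name else "unrelated"

if __name__ == "__main__":
    # Constructed sample input: the real account, the impersonator from the
    # article, and an account that should not be flagged.
    for h, n in [("@RDNTCapital", "Radiant Capital"),
                 ("@RDNTCapitail", "Radiarnt Capital"),
                 ("@RevokeCash", "Revoke.cash")]:
        print(f"{h:16} {n:18} -> {check_account(h, n)}")
```

NFKC folding does not map cross-script homoglyphs (for example Cyrillic letters that resemble Latin ones), so a production check would add a confusables table on top of the edit-distance test.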
At the time of writing, several instances of the phishing post were still visible under Ancilia’s tweets.
Impersonation Scams
Impersonating legitimate projects to deceive crypto investors has become a prevalent tactic for scammers. Earlier this year, cybersecurity firm SlowMist reported that over eighty percent of comments on major crypto project posts were scams. Additionally, a ScamSniffer report highlighted that this method has caused millions in losses for crypto investors.
Just a day before the recent attack, similar scams targeted WLFI investors. Scammers also previously impersonated Revoke.cash users in early September, promoting a malicious site through Google Ads.
In related news, this was the second time Radiant Capital was exploited this year, with hackers previously stealing $4.5 million from the protocol in a January flash loan attack.