Web3 security firm’s mistake exposes victims of $50m exploit to wallet drainer

Victims of DeFi lender Radiant Capital’s exploit were thrown into further disarray when a security firm accidentally shared a link to a wallet drainer while trying to help them.

On October 17, web3 security startup Ancilia was criticized for negligence after it directed victims of the attack to an X account posing as the DeFi lender, which tricked users into visiting a malicious site designed to drain their assets through confirmation phishing.

Security experts were fooled

Ancilia was the first to report this exploit on October 16, which saw Radiant Capital’s smart contracts on BNB Chain and Arbitrum compromised via the ‘transferFrom’ function, allowing attackers to drain over $50 million in assets including USDC, WBNB, and ETH.

Following the breach, Radiant required users to revoke all confirmations using Revoke.cash, a tool that allows users to disconnect their wallets from potentially malicious smart contracts, to prevent further losses.

This step was necessary because the attackers gained control of several private keys, which gave them the ability to control the DeFi protocol’s multi-signature wallet by transferring ownership.

Crypto scammers took advantage of this opportunity by impersonating Radiant Capital on X and sending fake links disguised to mimic the Revoke.cash platform. Not realizing the scam, Ancilia accidentally shared the fake post while asking users to “follow the link,” which led directly to the wallet drainer.

Ancilia’s post, which re-shared the Radiant Capital impersonator, has been deleted | Source: Spreek/X

If the unlucky victims had clicked, connected their wallets and confirmed the permissions, their funds would have been siphoned off.

Observant community members were quick to point out the security firm’s mistake, criticizing Ancilia’s negligence as a “‘trustworthy’ security account.” Ancilia later deleted the post, issued an apology, and redirected users to the original Radiant Capital account.

We accidentally reposted a scam link and we apologize for that. The post has been deleted. Official Twitter username: @RDNTCapital

— Ancilia, Inc. (@AnciliaInc) 16 October 2024

The seriousness of these scams is highlighted by the fact that bad actors orchestrate these verification phishing campaigns from compromised

Scammers can then trick web3 users by slightly changing the account name and handle. In this example, they changed the account name from “Radiant Capital” to “Radiarnt Capital” and changed the username from “@RDNTCapital” to “@RDNTCapitail”. Although these changes may seem easy to notice, many users often overlook them at first glance.
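The lookalike names in the article are one edit away from the real ones, which is exactly what an edit-distance check catches. The following is an added example (not code from the article or from Ancilia) that flags reply accounts whose handle or display name sits within a small edit distance of a project’s published handle; the only official handle used is @RDNTCapital from the apology post, and the distance threshold of 2 is an assumption.

```python
import unicodedata

# Published official account(s): handle -> display name. Only the handle from
# the article is listed; a real deployment would load the project's own list.
OFFICIAL_ACCOUNTS = {"RDNTCapital": "Radiant Capital"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(text: str) -> str:
    """Drop a leading '@', fold compatibility forms (e.g. fullwidth letters),
    strip combining marks and case-fold. Cyrillic lookalikes are not folded,
    but they still surface as a substitution in the edit distance."""
    t = unicodedata.normalize("NFKD", text.lstrip("@"))
    t = "".join(c for c in t if not unicodedata.combining(c))
    return t.casefold()


def check_account(display_name: str, handle: str, max_distance: int = 2) -> str:
    """Classify an account seen in replies as 'official', 'impersonation' or
    'unrelated'. Only an exact handle match counts as official; a copied or
    near-copied display name on any other handle is treated as impersonation,
    because display names are free text on X."""
    h = normalize(handle)
    n = normalize(display_name)
    for official_handle, official_name in OFFICIAL_ACCOUNTS.items():
        if h == normalize(official_handle):
            return "official"
        handle_dist = levenshtein(h, normalize(official_handle))
        name_dist = levenshtein(n, normalize(official_name))
        if handle_dist <= max_distance or name_dist <= max_distance:
            return "impersonation"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs: the real account, the lookalike from the article,
    # a copied display name on an unrelated handle, and a bystander.
    for name, handle in [("Radiant Capital", "@RDNTCapital"),
                         ("Radiarnt Capital", "@RDNTCapitail"),
                         ("Radiant Capital", "@some_other_user"),
                         ("Alice", "@alice_eth")]:
        print(f"{name!r:20} {handle:18} -> {check_account(name, handle)}")
```

The same check applies to the display-name-only case (third input), which slips past a reader who compares names but not handles.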

At the time of this writing, several examples of the above-mentioned phishing posts were still live under Ancilia’s posts.

Impersonation scam

Impersonating real projects to fool crypto investors has become one of the most common tools for scammers to lure victims to phishing platforms.

Earlier this year, cybersecurity firm SlowMist warned that more than 80% of comments under posts by major crypto projects were scams. Meanwhile, a ScamSniffer report noted that this tactic is the go-to move for scammers and caused millions of dollars in losses to crypto investors in February.

Just a day before the latest attack, bad actors appeared to be running a similar campaign to deceive WLFI investors. Scammers even targeted Revoke.cash users in early September by impersonating the service and promoting a malicious site using Google Ads.

In related news, this was the second time Radiant Capital was exploited this year. Hackers managed to steal $4.5 million from the protocol in a flash loan attack in January.
