Web3 security firm’s mistake exposes victims of $50m exploit to wallet drainer
Victims of DeFi lender Radiant Capital’s exploit were thrown into further disarray when a security firm erroneously shared a link to a wallet drainer while attempting to help them.
On Oct. 17, web3 security startup Ancilia was criticized for its negligence after it redirected victims of the attack to an X account masquerading as the DeFi lender to dupe users into visiting a malicious site designed to drain users’ assets via approval phishing.
Security experts tricked
Ancilia was the first to report the exploit on Oct. 16, which saw Radiant Capital’s smart contracts on BNB Chain and Arbitrum compromised via the ‘transferFrom’ function, allowing attackers to drain over $50 million in assets, including USDC, WBNB, and ETH.
Following the breach, Radiant urged users to revoke all approvals using Revoke.cash, a tool that allows users to disconnect their wallets from potentially malicious smart contracts, to prevent further losses.
This step was necessary because the attackers had gained control of several private keys, allowing them to control the DeFi protocol’s multi-signature wallet by transferring ownership.
Crypto scammers jumped on the opportunity, impersonating Radiant Capital on X and pushing fake links disguised to mimic the Revoke.cash platform. Ancilia, not realizing the scam, accidentally shared the fake post, while asking users to “follow the link,” which led straight to the wallet drainer.
Eagle-eyed community members were quick to point out the security firm’s blunder and criticized Ancilia’s negligence as a “‘trusted’ security account.” Subsequently, Ancilia deleted the post, issued an apology, and pointed users to the original Radiant Capital account.
The severity of these scams is highlighted by the fact that the bad actors orchestrate these approval phishing campaigns from hijacked X accounts that often bear the golden verification checkmark, which is designated to verified organizations on the social media platform.
Then, by slightly modifying the account’s name and handle, scammers are able to trick web3 users. In this instance, they changed the account name to “Radiarnt Capital” instead of “Radiant Capital” and altered the handle to “@RDNTCapitail” instead of “@RDNTCapital.” While these changes may seem easy to spot, many users often miss them at first glance.
At the time of writing, several instances of the aforementioned phishing post were still live under Ancilia’s posts.
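The lookalike name and handle described above can be caught mechanically. As an added example (not code from the article, Ancilia or Radiant Capital), this Python check compares an account against the genuine handle and display name using edit distance; the threshold of 2 and the third sample account are assumptions.

```python
import unicodedata

# Genuine account as named in the article.
OFFICIAL_HANDLE, OFFICIAL_NAME = "RDNTCapital", "Radiant Capital"

def normalize(s: str) -> str:
    """Fold case and Unicode compatibility forms; drop spaces and punctuation."""
    s = unicodedata.normalize("NFKC", s).casefold()
    return "".join(ch for ch in s if ch.isalnum())

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(handle: str, name: str, max_dist: int = 2) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for an account.

    max_dist is an assumed threshold, not a value from the article.
    """
    raw = handle.lstrip("@")
    # Only the exact handle identifies the account; the display name is free text.
    if raw.casefold() == OFFICIAL_HANDLE.casefold():
        return "official"
    near_handle = osa_distance(normalize(raw), normalize(OFFICIAL_HANDLE)) <= max_dist
    near_name = osa_distance(normalize(name), normalize(OFFICIAL_NAME)) <= max_dist
    return "lookalike" if near_handle or near_name else "unrelated"

if __name__ == "__main__":
    accounts = [
        ("@RDNTCapital", "Radiant Capital"),     # genuine, from the article
        ("@RDNTCapitail", "Radiarnt Capital"),   # impersonator, from the article
        ("@some_user", "Some User"),             # constructed sample
    ]
    for handle, name in accounts:
        print(f"{handle:15} {name:18} -> {classify(handle, name)}")
```

The check deliberately ignores the verification badge, since the impersonating accounts described above often carried it.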
Impersonation scams
Impersonating genuine projects to trick crypto investors has become one of the most common tools for scammers to lure victims onto phishing platforms.
Earlier this year, cybersecurity firm SlowMist warned that over 80% of the comments under posts from major crypto projects were scams. Meanwhile, a ScamSniffer report pointed out that this tactic was the go-to move for scammers, causing millions of dollars in losses for crypto investors in February.
Just a day before the recent attack, bad actors were seen running a similar campaign to dupe WLFI investors. Scammers have even targeted Revoke Cash users by impersonating the service in early September and promoting a malicious site using Google Ads.
In related news, this was the second time Radiant Capital was exploited this year. Hackers were able to get away with $4.5 million from the protocol in a January flash loan attack.