Victims of DeFi lender Radiant Capital’s exploit faced further complications when a security firm mistakenly shared a link to a wallet drainer while trying to assist them.

Security Firm Blunder

On Oct. 17, web3 security startup Ancilia was criticized for its negligence after it redirected victims of the attack to a fake X account impersonating the DeFi lender. This account aimed to trick users into visiting a malicious site designed to drain users’ assets through approval phishing.

Details of the Exploit

Ancilia first reported the exploit on Oct. 16. The attack compromised Radiant Capital’s smart contracts on BNB Chain and Arbitrum via the ‘transferFrom’ function, allowing attackers to drain over $50 million in assets, including USDC, WBNB, and ETH.

Following the breach, Radiant urged users to revoke all approvals using Revoke.cash, a tool that helps users disconnect their wallets from potentially malicious smart contracts to prevent further losses. This step was crucial because the attackers had gained control of several private keys, enabling them to control the DeFi protocol’s multi-signature wallet by transferring ownership.

Scammers Exploit the Situation

Crypto scammers seized the opportunity, impersonating Radiant Capital on X and pushing fake links made to mimic the Revoke.cash platform. Ancilia, not recognizing the scam, accidentally shared the fake post, directing users to “follow the link,” which led straight to the wallet drainer.

We accidentally re-posted a scam link, apologized for that. The post has been deleted. The official Twitter handle is @RDNTCapital — Ancilia, Inc. (@AnciliaInc)

If victims clicked through and connected their wallets, approving the permissions, their funds would have been siphoned off. Community members quickly pointed out the security firm’s blunder and criticized Ancilia’s negligence as a “‘trusted’ security account.” Subsequently, Ancilia deleted the post, issued an apology, and pointed users to the original Radiant Capital account.

Impersonation Tactics

These scams are especially dangerous because bad actors run the approval phishing campaigns from hijacked X accounts that often bear the golden verification checkmark designated for verified organizations. By slightly modifying the account’s name and handle, scammers are able to trick web3 users. For instance, they changed the account name to “Radiarnt Capital” instead of “Radiant Capital” and altered the handle to “@RDNTCapitail” instead of “@RDNTCapital.” While these changes may seem easy to spot, many users miss them at first glance.
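One way to catch this kind of near-miss before reposting or clicking is to compare the handle against a hand-maintained allowlist and flag anything within a small edit distance. This is an added example, not code from the article or from any of the firms named; the allowlist contents, the function names and the distance threshold of 2 are assumptions.

```python
import unicodedata

# Assumption: allowlist maintained by hand from the project's own site or docs.
# "RDNTCapital" is the official handle named in the article.
OFFICIAL_HANDLES = {"RDNTCapital"}


def normalize(name: str) -> str:
    """Drop a leading '@', fold case and Unicode compatibility forms
    (e.g. full-width letters). Cross-script homoglyphs are NOT mapped."""
    return unicodedata.normalize("NFKC", name).lstrip("@").casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_handle(name, official=OFFICIAL_HANDLES, max_distance=2):
    """Return ('official', match), ('lookalike', nearest) or ('unknown', None)."""
    cand = normalize(name)
    best = None
    for known in official:
        d = edit_distance(cand, normalize(known))
        if d == 0:
            return ("official", known)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, known)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Handles quoted in the article, plus an unrelated one for contrast.
    for h in ("@RDNTCapital", "@RDNTCapitail", "@AnciliaInc"):
        print(h, classify_handle(h))
```

A "lookalike" verdict is the case to block outright: the handle is close enough to a known account to be mistaken for it, yet is not that account. The same function works on display names by passing a different allowlist.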

At the time of writing, several instances of the phishing post were still live under Ancilia’s posts.

Common Scamming Techniques

Impersonating genuine projects to trick crypto investors has become one of the most common tools for scammers to lure victims onto phishing platforms. Earlier this year, cybersecurity firm SlowMist warned that over 80% of the comments under posts from major crypto projects were scams. Meanwhile, a ScamSniffer report highlighted that this tactic was the go-to move for scammers, causing millions of dollars in losses for crypto investors in February.

Just a day before the recent attack, bad actors were seen running a similar campaign to dupe WLFI investors. In early September, scammers even targeted Revoke.cash users by impersonating the service and promoting a malicious site using Google Ads.

In related news, this was the second time Radiant Capital was exploited this year. Hackers managed to get away with $4.5 million from the protocol in a January flash loan attack.
