Victims of DeFi lender Radiant Capital's exploit were thrown into further disarray when a security firm mistakenly shared a link to a wallet drainer while trying to help them.
On October 17, web security startup Ancilia was criticized for negligence after directing attack victims to an account that drains user assets through approval phishing.
Security experts misled
Ancilia was the first to report the exploit on October 16, in which Radiant Capital's smart contracts on BNB Chain and Arbitrum were compromised via the 'transferFrom' function, allowing attackers to drain more than $50 million in assets, including USDC, WBNB and ETH.
Following the breach, Radiant urged users to revoke all approvals using Revoke.cash, a tool that allows users to disconnect their wallets from potentially malicious smart contracts, to avoid further losses (x.com/RDNTCapital/status/1846673545973432333).
This step was necessary because the attackers had gained control of several private keys, allowing them to control the DeFi protocol's multi-signature wallet by transferring ownership.
Cryptocurrency scammers took advantage of the opportunity, posing as Radiant Capital on X and posting fake links disguised to imitate the Revoke.cash platform. Ancilia, unaware of the scam, accidentally shared the fake post while asking users to “follow the link,” which led directly to a wallet drainer.
Had the unfortunate victims clicked and connected their wallets, approving the permissions, their funds would have been siphoned off.
Eagle-eyed community members were quick to point out the security company's mistake and criticized Ancilia's negligence as a “'trusted' security account” (x.com/spreekaway/status/1846637474467975648). Ancilia later deleted the post, apologized, and pointed users to the original Radiant Capital account.
The seriousness of these scams is highlighted by the fact that bad actors orchestrate these approval phishing campaigns from hijacked X accounts that often carry the gold verification mark, which is designated for verified organizations on the social media platform.
Then, by slightly modifying the account name and ID, scammers can trick web3 users. In this case, they changed the account name to “Radiarnt Capital” instead of “Radiant Capital” and changed the handle to “@RDNTCapitail” instead of “@RDNTCapital.” While these changes may seem easy to spot, many users often miss them at first glance.
At the time of writing, several instances of the aforementioned phishing post were still active on Ancilia's posts.
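The renamed account described above differs from the official one by a single inserted character in both the handle and the display name. The following is an added example, not code from the article or from any project it mentions: a defender-side check that flags accounts whose handle or display name sits within a small edit distance of the official identity. The function names and the distance threshold are assumptions.

```python
import unicodedata

# Official identity as named in the article. The threshold and function names
# are assumptions of this example, not part of any tool the article mentions.
OFFICIAL_HANDLE = "RDNTCapital"
OFFICIAL_NAME = "Radiant Capital"

def normalize(s):
    """Drop accents, case, whitespace and a leading '@' so trivial variants match."""
    s = unicodedata.normalize("NFKD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return "".join(s.casefold().split()).lstrip("@")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(handle, name, max_dist=2):
    """Return 'official', 'lookalike' or 'unrelated' for a posting account."""
    h, n = normalize(handle), normalize(name)
    if h == normalize(OFFICIAL_HANDLE):
        return "official"  # handles are unique on the platform; display names are not
    near_handle = osa_distance(h, normalize(OFFICIAL_HANDLE)) <= max_dist
    near_name = osa_distance(n, normalize(OFFICIAL_NAME)) <= max_dist
    return "lookalike" if near_handle or near_name else "unrelated"

# Constructed sample accounts; the second is the impostor quoted in the article.
SAMPLES = [("@RDNTCapital", "Radiant Capital"),
           ("@RDNTCapitail", "Radiarnt Capital"),
           ("@example_user", "Radiant Capital"),
           ("@example_user", "Example User")]

def flag_lookalikes(accounts):
    return [(h, n) for h, n in accounts if classify(h, n) == "lookalike"]

if __name__ == "__main__":
    for handle, name in flag_lookalikes(SAMPLES):
        print("possible impersonation:", handle, name)
```

An exact copy of the display name under a different handle is also flagged, since display names can be reused freely while handles cannot.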
Phishing scams
Impersonating genuine projects to deceive cryptocurrency investors has become one of the most common tools for scammers to lure victims to phishing platforms.
Earlier this year, cybersecurity company SlowMist warned that more than 80% of comments on posts from major crypto projects were scams. Meanwhile, a report from ScamSniffer noted that this tactic was the preferred option for scammers, causing millions of dollars in losses to cryptocurrency investors in February.
Just a day before the recent attack, bad actors were seen carrying out a similar campaign to deceive WLFI investors. Scammers even targeted Revoke.cash users by posing as the service in early September and promoting a malicious site using Google Ads.
In related news, this was the second time Radiant Capital was exploited this year. Hackers got away with $4.5 million worth of the protocol's assets in a flash loan attack in January.