Radiant Capital Halts Lending After $50+ Million Security Breach

The protocol paused operations and is working with multiple cybersecurity firms to investigate the issue. During the aftermath, security firm Ancilia mistakenly shared a malicious wallet drainer link that also put user funds at risk. Meanwhile, Hong Kong police arrested 27 people that were involved in a $46 million deepfake crypto romance scam, and in the US, Ponzi scheme promoter Juan Tacuri was sentenced to 20 years in prison for his role in the Forcount crypto scam.

Radiant Capital Hit by Security Breach

Radiant Capital paused its lending markets after a cybersecurity breach that resulted in losses of more than $50 million on both the BNB Chain and Arbitrum networks. According to Web3 cybersecurity firm De.Fi Antivirus, the exploit was linked to the “transferFrom” function in Radiant Capital’s smart contracts, which allowed the attacker to drain funds from users, including assets like USDC, WBNB, and ETH. De.Fi estimated the total losses to be around $58 million. Another cybersecurity firm, Ancilia Inc., confirmed a similar figure of about $50 million.

Radiant Capital acknowledged the issue on its X account and stated that it is working with cybersecurity firms SEAL911, Hypernative, ZeroShadow, and Chainalysis to investigate the breach. Lending markets on Binance Chain and Arbitrum have been paused until further notice. The protocol’s Base and Mainnet markets were also halted as a precaution.

It is believed that the attack involved the compromise of several private keys linked to Radiant’s multisignature wallet, which allowed the attacker to seize control of various smart contracts. Pop Punk, the co-founder of the token launch platform g8keep, compared the breach to a schoolyard theft, and urged users to revoke all approvals as losses are still mounting.

During the third quarter of 2024 so far, $316 million was stolen through similar exploits, according to a report by Hacken. Multisig wallets are commonly used to secure Web3 protocols, but are increasingly seen as centralized weak points. Sreeram Kannan, the founder of restaking protocol EigenLayer, believes there is a serious need for the industry to move beyond multisig as they fall short of delivering the decentralized trust that blockchain technology is supposed to provide.

The drama surrounding Radiant Capital did not end after the hack. Security firm Ancilia is facing a lot of criticism from the crypto community after it mistakenly shared a wallet drainer link while trying to help the users who were affected by the $50+ million exploit of Radiant Capital. After the hack, Radiant Capital users were rushing to revoke permissions to protect their funds.

Ancilia’s now-deleted post, which re-posted a link from an imposter Radiant X account, directed users to what they believed was an official source for revoking permissions. However, the link led to a malicious wallet drainer, which ended up putting users’ funds at further risk. Pseudonymous crypto commentator “Spreek” shared a screenshot of the post and criticized Ancilia for the oversight.

This was the second exploit Radiant Capital experienced in 2024. In January, the protocol suffered a $4.5 million loss due to another vulnerability in its smart contracts. Radiant is currently working with multiple security firms to take care of the latest issue.

In a follow-up post, Radiant advised users to revoke smart contract permissions by using revoke.cash, which is an app that is designed to help users disconnect their wallets from potentially compromised contracts.

27 Arrested in AI-Powered Crypto Romance Scam 

Traders should not only keep an eye out for hack and wallet drainer links. Hong Kong police recently arrested 27 people that were involved in a crypto romance scam that used artificial intelligence deepfakes to defraud victims of over $46 million. The scam mainly targeted men from mainland China, Taiwan, India, and Singapore, and tricked them into believing they were developing romantic relationships with real women. The scammers then lured victims into a fake crypto investment scheme that actually operated from a 4,000-square-foot industrial building in the Hung Hom neighborhood of Hong Kong.

The scam group recruited local university graduates with digital media skills and hired overseas IT professionals to build a fake crypto investment platform. The operation also included training manuals for executing the AI deepfake scams. Police started their takedown of the operation on Oct. 9, and seized computers, luxury watches, and more than 100 mobile phones.

press conferencepress conference

Press conference (Source: Hong Kong police)

The arrested people are aged between 21 and 34, and are facing charges of “conspiracy to defraud” and “possession of offensive weapons.” This case is just one of many deepfake scams plaguing the community. A previous incident in February involved a multinational finance firm in Hong Kong losing more than $25 million through a deepfake impersonation of company executives.

Romance scams, also known as “pig butchering” scams, have been on the rise. Chainalysis data reveals that crypto scammers stole $4.6 billion in 2023, and funds that were lost through romance scams doubled since 2020. Hong Kong Police also warned the public about these new deception tactics.

Juan Tacuri, a senior promoter of the Forcount Ponzi scheme, was sentenced to 20 years in prison on Oct. 15, according to an announcement by the United States Department of Justice. The Southern District of New York also ordered Tacuri to pay $3.6 million in restitution and serve one year of supervised release after his prison term. 

The scheme mainly targeted Spanish-speaking communities around the world, and lured victims with false promises of high returns from cryptocurrency mining and trading. Tacuri, along with other promoters, organized multiple very lavish events across the US to attract more investors, and even promised people that their capital will double in six months.

However, there were no real investment operations, and the money was spent on luxury goods and real estate. Victims started reporting withdrawal issues in 2018, and by 2021, the scheme’s operators stopped responding to complaints. In 2022, charges were unsealed against Forcount’s founder, Francisley da Silva.

In June of 2024, Tacuri pleaded guilty to wire fraud and conspiracy. His co-promoters, Antonia Perez Hernandez and Nestor Nunez, also pleaded guilty to the same charges in July. The maximum 20-year sentence was handed down by Judge Analisa Torres. 

statementstatement

Damian Williams statement (Source: US Department of Justice)

US Attorney Damian Williams stated that Tacuri’s case is a stark reminder that fraud schemes, no matter how elaborate they are, will always ultimately fail.

Crypto Ponzi Schemes

According to the US Securities and Exchange Commission (SEC), a Ponzi scheme is a fraudulent investment operation that pays returns to earlier investors by using the capital from new investors, rather than from legitimate profits. The organizers of these schemes usually promise very high returns with little or no risk, but instead of investing funds, they focus on attracting more investors to sustain the cycle of payments. This structure inevitably collapses when there are not enough new investors to support the returns that were promised to earlier participants. 

The fraudsters mostly use the latest technologies or trends, like virtual currencies, to make their schemes seem more legitimate or innovative. Cryptos like Bitcoin (BTC) are becoming more and more popular, and they are increasingly used in Ponzi and other fraudulent schemes. 

Source: https://coinpaper.com/5723/radiant-capital-halts-lending-after-50-million-security-breach