Radiant Says $50 Million Hackers Were North Korean

  • Radiant Capital has suffered a $50 million cyberattack attributed to North Korean hackers
  • The breach was initiated through a phishing scheme involving a malicious file sent via Telegram
  • The attackers compromised developer devices, enabling unauthorized transactions that drained funds from the platform

Radiant Capital, the decentralized finance (DeFi) platform that experienced a $50 million breach in October, has revealed that the theft was carried out by North Korean state actors. By compromising the devices of key developers, the attackers executed unauthorized transactions, siphoning funds from the platform. In a post-mortem, the platform said its investigation confirmed that it was targeted by the rogue state as part of its ongoing campaign against crypto entities.

$50 Million Loss

On September 11, 2024, a Radiant developer received a Telegram message appearing to be from a former contractor, requesting feedback on a new project. The message included a ZIP file containing a PDF, which, when opened, installed malware known as INLETDRIFT on the developer’s device.

This malware established a backdoor, allowing attackers to gain persistent access to the system. Radiant Capital noted that such requests are common in professional settings, which contributed to the initial lack of suspicion.

The malware spread to multiple developer devices, enabling attackers to manipulate transaction data. Front-end interfaces displayed legitimate information while malicious transactions were processed in the background.

Traditional security measures, including transaction simulations and payload verification, failed to detect the intrusion. Radiant Capital stated, “This deception was carried out so seamlessly that even with Radiant’s standard best practices… the attackers were able to compromise multiple developer devices.”

North Korean Hackers Identified

Cybersecurity firm Mandiant, engaged by Radiant Capital to investigate the breach, attributed the attack to UNC4736, also known as Citrine Sleet or AppleJeus, a group linked to North Korea’s Reconnaissance General Bureau.

Mandiant assessed with high confidence that the threat actor was aligned with the Democratic People’s Republic of Korea (DPRK). This group has been implicated in previous cyberattacks targeting cryptocurrency platforms to generate revenue for the North Korean regime.

The Radiant Capital incident underscores the evolving threats facing DeFi platforms and highlights the limitations of existing security measures. The attackers’ ability to bypass standard protocols and compromise multiple devices without detection calls for enhanced vigilance and improved security practices across the industry.

Radiant Capital emphasized the urgent need for industry-wide improvements in transaction verification practices to prevent similar breaches in the future.
