
$50 Million Radiant Capital Heist Blamed on North Korean Hackers

In a chilling revelation, decentralized finance (DeFi) project Radiant Capital has confirmed that North Korean hackers orchestrated a $50 million theft in a sophisticated October attack. The breach combined social engineering, backdoor malware planted on developer machines, and a subverted multi-signature signing process to siphon funds from the platform's core lending markets, leaving the project and its users reeling.

How the Attack Unfolded

The heist began with a targeted phishing scheme in September, according to Radiant's post-mortem report. A developer received a Telegram message from an account impersonating a trusted former contractor. The message contained a zipped PDF file, purportedly related to a smart contract auditing opportunity. The seemingly routine request led to devastating consequences.

When the developer opened the file and shared it with colleagues for feedback, multiple devices became infected with Inletdrift, a backdoor malware. The implant let the attackers monitor and manipulate the developers' systems, setting the stage for the October 16 breach. By compromising the machines of three core developers, the hackers were positioned to tamper with what those signers saw and signed when the team performed a routine emissions adjustment through Radiant's multi-signature wallet.

A Deceptive Operation

The attackers pushed fraudulent transactions through without raising red flags. Because the malware controlled the signers' own machines, it could alter what Radiant's Safe{Wallet} front end rendered: the interface showed developers the legitimate transaction they expected to approve, while a different payload was submitted for their signatures in the background. The weak point was the trustworthiness of each signer's device, not the multi-signature scheme itself.

Radiant disclosed that the stolen funds were pulled directly from user wallets through the open token approvals those users had granted to Radiant's contracts. In a statement, the company explained:

“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”
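The defence against the trick described above is to never rely on the web interface alone: decode the raw calldata of the proposed transaction on an independent device and compare it with what the UI claims. The following is an added example, not code from Radiant, Safe or Mandiant. It decodes a statically ABI-encoded call (4-byte selector plus 32-byte argument words) against a small table of well-known selectors and reports every discrepancy between the payload and the displayed intent. The addresses, amounts and the "UI claim" are constructed for illustration; any selector outside the table is treated as unknown and refused rather than signed blind.

```python
"""Added example (not Radiant's or Safe's code): independently decode the raw
calldata of a multisig transaction and compare it with what the wallet UI
claims is being signed. Addresses, amounts and the UI claim are constructed."""
from dataclasses import dataclass

# First four bytes of keccak-256 over each canonical function signature.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}


@dataclass(frozen=True)
class DecodedCall:
    function: str
    args: tuple


def decode_calldata(calldata_hex: str) -> DecodedCall:
    """Decode selector + statically ABI-encoded arguments; refuse anything unknown."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = data[:4].hex(), data[4:]
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}: do not sign blind")
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if kind == "address":
            # A 20-byte address is left-padded with 12 zero bytes; anything else is suspicious.
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(name, tuple(args))


def verify_against_ui(to: str, calldata_hex: str, ui_claim: dict) -> list:
    """Return every way the payload differs from the UI's description (empty = consistent)."""
    problems = []
    if to.lower() != ui_claim["to"].lower():
        problems.append(f"target {to} != displayed {ui_claim['to']}")
    try:
        call = decode_calldata(calldata_hex)
    except ValueError as exc:
        return problems + [str(exc)]
    if call.function != ui_claim["function"]:
        problems.append(f"function {call.function} != displayed {ui_claim['function']}")
    expected = tuple(a.lower() if isinstance(a, str) else a for a in ui_claim["args"])
    actual = tuple(a.lower() if isinstance(a, str) else a for a in call.args)
    if actual != expected:
        problems.append(f"arguments {actual} != displayed {expected}")
    return problems


# Constructed scenario: the UI shows a routine token transfer to the treasury,
# but the payload handed to the signer transfers ownership of a different
# contract to an attacker-controlled address.
TREASURY = "0x" + "11" * 20
TOKEN = "0x" + "22" * 20
POOL_ADMIN = "0x" + "33" * 20
ATTACKER = "0x" + "44" * 20

UI_CLAIM = {"to": TOKEN, "function": "transfer", "args": (TREASURY, 1000 * 10**18)}
HONEST_PAYLOAD = "a9059cbb" + TREASURY[2:].rjust(64, "0") + format(1000 * 10**18, "064x")
SWAPPED_PAYLOAD = "f2fde38b" + ATTACKER[2:].rjust(64, "0")

if __name__ == "__main__":
    print(verify_against_ui(TOKEN, HONEST_PAYLOAD, UI_CLAIM))       # []
    print(verify_against_ui(POOL_ADMIN, SWAPPED_PAYLOAD, UI_CLAIM))  # three discrepancies
```

Run on a machine that is not the one presenting the UI: the point of the check is that the compromised browser or workstation is exactly what cannot be trusted to report the target address and calldata honestly. A hardware wallet that renders decoded calldata on its own screen serves the same purpose.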

The hackers deployed malicious smart contracts across multiple blockchain networks, including Arbitrum, Base, Binance Smart Chain, and Ethereum. Once the heist was completed, they swiftly removed traces of the malware and related browser extensions to cover their tracks.

Attribution to North Korean Hackers

The cybersecurity firm Mandiant, which investigated the breach, attributed the attack to a North Korean state-backed threat actor tracked as UNC4736. The group, also referred to as AppleJeus or Citrine Sleet, operates under Pyongyang's Reconnaissance General Bureau (RGB), North Korea's main foreign-intelligence agency. Mandiant stated:

“Although the investigation is ongoing, Mandiant assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”

UNC4736 has a history of targeting cryptocurrency platforms to fund North Korea’s regime and evade international sanctions. The group is infamous for using fake job offers and malicious documents to infiltrate organizations, a tactic mirrored in the Radiant Capital attack.

The Fallout and Lessons Learned

The heist dealt a severe blow to Radiant Capital, draining its liquidity and damaging user trust. While the project has since bolstered its security protocols, the incident highlights a structural weakness in DeFi operations: a multi-signature wallet is only as trustworthy as the devices its signers use to view and approve transactions.

Key takeaways for users and developers include:

  1. Beware of Social Engineering: Verify unexpected messages out of band, especially those from "former colleagues" offering jobs or audit work, and treat archive attachments such as zipped PDFs as hostile until proven otherwise.
  2. Harden Multi-Signature Processes: Check the target address and the decoded calldata of every transaction on an independent device, such as a hardware wallet screen or a clean machine, rather than trusting the web interface, and require a second reviewer for privileged operations.
  3. Invest in Malware Detection: Deploy endpoint detection on signer workstations, and reserve dedicated machines for signing that are not used for chat or browsing.
  4. Limit Open Approvals: Users should grant contracts only the token allowances they need and revoke approvals they no longer use, since standing approvals are what let the attackers pull funds straight from user wallets.

The Radiant Capital heist is a stark reminder of the growing sophistication of cybercriminals, particularly state-sponsored groups like North Korea’s UNC4736. As the DeFi ecosystem continues to grow, so does its allure for threat actors seeking high-stakes payouts. Strengthening defenses and fostering vigilance among developers and users will be critical in the ongoing battle to secure decentralized finance.
