Radiant Capital, a decentralized finance (DeFi) platform, has revealed that North Korean hackers were behind the $50 million heist that took place in October 2024. The attack, which unfolded on October 16, targeted the project’s multi-signature emissions adjustment process after three of its developers were infected with sophisticated malware.
How the Attack Unfolded
The breach began when one developer received a seemingly innocent Telegram message from a trusted former contractor, containing a link to a zipped PDF. This document, disguised as a job opportunity for smart contract auditing, was shared among developers for feedback. Opening the file led to the infection of multiple devices with a backdoor known as Inletdrift.
Once the malware was deployed, the attackers used the compromised devices to sign fraudulent transactions without raising suspicion. The Safe{Wallet} verification system displayed what appeared to be legitimate transactions, while in the background, the attackers drained $50 million from Radiant Capital’s core markets.
The attackers also exploited open approvals in user accounts, withdrawing additional funds. Traditional checks and transaction simulations showed no discrepancies; the malware was sophisticated enough to keep the threat invisible during normal review procedures.
The Role of North Korean Hackers
Following an investigation by Mandiant, the attack was linked to a North Korean threat actor, identified as UNC4736 (also known as AppleJeus or Citrine Sleet). This group is associated with Pyongyang’s primary foreign intelligence service, the Reconnaissance General Bureau (RGB). Mandiant has high confidence in attributing the attack to this North Korean-linked hacking group.
The malicious smart contracts were executed on major blockchain networks, including Arbitrum, Base, Binance Smart Chain, and Ethereum. The hackers took immediate steps to cover their tracks, removing traces of the backdoor and related browser extensions after executing the heist.
Impact and Aftermath
Radiant Capital’s post-mortem, published on October 18, emphasized the complexity and stealth of the attack. The breach occurred in stages, starting with the initial infection in September, and culminated in significant financial losses. Despite extensive checks, the fraudulent activities were not detected until after the damage was done.
The attack highlights growing concerns about the security vulnerabilities in the DeFi space, particularly involving sophisticated malware and social engineering tactics. The Radiant Capital incident serves as a stark reminder of the risks associated with decentralized platforms and the increasingly sophisticated methods used by state-sponsored hackers to target the cryptocurrency and blockchain industries.
As the investigation continues, Radiant and its users are left to grapple with the financial and reputational damage caused by the attack, while the global cybersecurity community watches closely for further developments.