Share this article
Radiant Capital Says North Korean Hackers Behind $50 Million Attack in October
Hackers gained access to a developer’s computer by posing as a former contractor.
Dec 9, 2024, 9:41 a.m.
What to know:
- North Korea is probably behind the Radiant Capital hack in October.
- The hackers were able to gain access by impersonating a former contractor.
- The same group has been linked to other crypto-focused attacks.
DeFi protocol Radiant Capital has attributed a $50 million exploit it suffered in October to North Korean hackers.
According to a report published on Dec. 6, the attackers started laying the groundwork for the Oct. 16 attack in mid-September, when a Telegram message from what appeared to be a trusted former contractor was sent to a Radiant Capital developer.
STORY CONTINUES BELOW
The message said the contractor was pursuing a new career opportunity related to smart contract auditing and was seeking feedback. It included a link to a zipped PDF file, which the developer opened and shared with other colleagues.
The message is now believed to have come from a “DPRK-aligned threat actor” who was impersonating the contractor, according to the report. The file contained a piece of malware called INLETDRIFT that established a persistent macOS backdoor while displaying a legitimate-looking PDF to the user.
Radiant Capital said that traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.
Through access to the computers, the hackers were able to gain control of several private keys.
The North Korean link was identified by cybersecurity firm Mandiant, although the investigation is still incomplete. Mandiant said it believes the attack was orchestrated by UNC4736, a group aligned to the country’s Reconnaissance General Bureau. It is also known as AppleJeus or Citrine Sleet.
The group has been implicated in several other attacks linked to cryptocurrency companies. It has previously used fake crypto exchange websites to trick people into downloading malicious software through links to job openings and fake wallets.
The incident followed an earlier unrelated hack against Radiant Capital in January, during which it lost $4.5 million.
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
Stripe-Backed Blockchain Tempo Starts Testnet; Kalshi, Mastercard, UBS Added as Partners
Tempo, built by Stripe and Paradigm, has started testing payment-focused blockchain and has onboard a slew of institutional partners.
What to know:
- Stripe and Paradigm’s Tempo blockchain has launched its public testnet for real-world payment testing.
- Kalshi, Klarna, Mastercard and UBS are among a wave of new institutional partners now involved in the project.
- Tempo aims to offer low-cost, fast-settlement infrastructure for global payments as stablecoin adoption is accelerating globally.
Top Stories
