Radiant Capital Discloses $50M DeFi Hack Linked to North Korea-Aligned Hacker

Radiant Capital has revealed that the hack that drained $50 million from its decentralized finance (DeFi) platform was orchestrated by a hacker tied to North Korea.

According to an update on December 6, cybersecurity firm Mandiant concluded with “high confidence” that the attack can be attributed to a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

The attack began on September 11 when a Radiant developer received a Telegram message purportedly from a trusted former contractor.

Malware Hidden in Message Caused the Hack

The message included a zip file seeking feedback on a new project.

Radiant stated that the message is now believed to have originated from a DPRK-affiliated hacker impersonating the contractor.

When the file was shared among developers, it unleashed malware that led to the subsequent security breach.

On October 16, the breach escalated as the hackers gained control over several private keys and smart contracts, prompting Radiant to halt its lending markets.

The platform noted that the zip file did not raise immediate concerns as reviewing documents in PDF format is common in professional environments.

Furthermore, the file’s associated domain was crafted to mimic the contractor’s legitimate website, adding to the deception.

The malware compromised multiple developer devices, enabling the attackers to manipulate transaction data.

Radiant explained that front-end interfaces displayed benign information while malicious transactions were processed in the background.

🚨 Radiant Capital Incident Update 🚨

A detailed update on the October 16 incident is now available, with Mandiant’s ongoing investigation attributing the attack with high confidence to a Democratic People’s Republic of Korea (DPRK)-linked threat actor.

The report sheds light…

— Radiant Capital (@RDNTCapital) December 7, 2024

The traditional safeguards employed by the platform, such as simulations in Tenderly and payload verification, failed to detect the intrusion.

“Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages,” it added.

“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices.”

Attackers Believed to be Linked to North Korea

The attackers, identified as “UNC4736” or “Citrine Sleet,” are believed to be linked to North Korea’s Reconnaissance General Bureau (RGB) and may be part of the notorious Lazarus Group.

The group has been implicated in stealing an estimated $3 billion in cryptocurrency between 2017 and 2023.

Following the October hack, approximately $52 million of stolen funds were moved by the hackers on October 24.

Radiant Capital described the incident as a stark reminder of the evolving threats faced by DeFi platforms and the limitations of existing security measures.

This is not the first major attack on Radiant this year.

In January, the platform suffered a $4.5 million flash loan exploit, which also forced the suspension of its lending markets.

As reported, South Korea has accused North Korea of orchestrating the 2019 hack on cryptocurrency exchange Upbit, which resulted in the theft of 342,000 ETH, then valued at $41.5 million.

The stolen funds, now worth over $1 billion, mark one of the largest crypto heists linked to North Korea, the South Korean National Police Agency announced Thursday.