Radiant Capital Hack: North Korean Group Steals $50 Million


In a chilling display of cyber sophistication, the Radiant Capital hack resulted in the theft of $50 million, with investigations pointing to a North Korean threat group as the culprit.

The decentralized finance (DeFi) platform revealed that this massive heist involved advanced malware, fraudulent transactions, and an elaborate scheme that bypassed standard security checks.

Key Takeaway from the Radiant Capital Hack:

  • The Radiant Capital hack highlights the growing threat of North Korean cyberattacks targeting the DeFi sector, underscoring the need for stronger cybersecurity measures.

How the Radiant Capital Hack Unfolded

Radiant Capital disclosed that the attack occurred on October 16, 2024, during a routine multi-signature emissions adjustment process. The attack was executed with chilling precision:

  • Malware Compromise: Three developers’ devices were infected with sophisticated malware named “Inletdrift.”
  • Fraudulent Transactions: The attackers tricked Safe{Wallet} verification systems, displaying legitimate transaction data while performing fraudulent transactions in the background.
  • Draining of Funds: Around $50 million was stolen from Radiant Capital’s core markets, with the attackers exploiting open approvals to withdraw funds from user accounts.

How Did the Attackers Pull It Off?

The Radiant Capital attack was a textbook example of how social engineering and advanced malware can devastate a platform:

The attack phases, as described by Radiant:

  • Infection: Malware was delivered through a seemingly harmless PDF file.
  • Backdoor Setup: The Inletdrift malware created a hidden access point on developers’ devices.
  • Execution: Malicious smart contracts were executed across multiple blockchains.
  • Cleanup: Attackers removed evidence, making detection and recovery difficult.

Timeline of Events

  • September: A developer received a malicious Telegram message.
  • October 16: Fraudulent transactions were executed by the attackers.
  • October 18: Radiant released a post-mortem analysis.

A Deceptive Start

The Radiant Capital hack began a month before the heist when a developer received a Telegram message from someone posing as a trusted former contractor.

The message included a link to a zipped PDF, supposedly related to smart contract auditing.

Believing the request to be genuine, the developer shared the file with colleagues. Unbeknownst to them, the file contained the Inletdrift backdoor, which allowed the attackers to infiltrate multiple developers’ devices.

This backdoor enabled hackers to:

  • Plant malicious smart contracts across Arbitrum, Base, Binance Smart Chain, and Ethereum.
  • Hide their tracks by removing traces of the malware and browser extensions post-attack.

Who Was Behind the Attack?

The investigation, led by Mandiant, identified the perpetrators as UNC4736, a North Korean threat group also known as AppleJeus or Citrine Sleet.

This group is linked to Pyongyang’s Reconnaissance General Bureau (RGB), North Korea’s primary foreign intelligence service.

Mandiant’s findings align with previous attacks by UNC4736, which often target cryptocurrency platforms to fund North Korea’s state programs. Radiant Capital confirmed Mandiant’s high-confidence assessment of the group’s involvement.

Why Was the Radiant Capital Hack So Effective?

The Radiant Capital hack succeeded because of the attackers’ meticulous planning and advanced techniques:

  • Malware Sophistication: The Inletdrift backdoor bypassed traditional security measures, allowing attackers to stage the heist without detection.
  • Social Engineering: By posing as a trusted contractor, the attackers gained access to Radiant’s internal systems.
  • Technical Mastery: The malicious transactions were disguised as legitimate, fooling wallet verification systems and traditional checks.

Learning from Past Attacks

This isn’t the first time a DeFi platform has been targeted by North Korean hackers. In 2022, the Ronin Network suffered a similar fate, losing $600 million to hackers linked to the Lazarus Group, another North Korea-backed entity.

Such incidents highlight the urgent need for DeFi platforms to:

  • Implement stronger malware detection systems.
  • Train employees to recognize phishing and social engineering attempts.
  • Regularly audit security protocols to close potential loopholes.

Rounding Up

The Radiant Capital hack serves as a stark reminder of the vulnerabilities within the DeFi ecosystem. North Korean threat groups like UNC4736 continue to refine their techniques, posing significant risks to global financial security.

While Radiant Capital works to recover and secure its systems, the incident underscores the critical need for robust cybersecurity measures across all DeFi platforms. The lesson is clear: staying one step ahead of cybercriminals requires constant vigilance and proactive defense strategies.


About Radiant Capital

Radiant Capital is a decentralized finance (DeFi) platform offering innovative financial solutions. The platform operates across major blockchains, providing users with opportunities to borrow, lend, and earn within the DeFi ecosystem.

FAQ on the Radiant Capital hack

What is the Radiant Capital hack?

The Radiant Capital hack refers to a $50 million heist executed by North Korean hackers using malware and fraudulent transactions.

Who is UNC4736?

UNC4736, also known as AppleJeus or Citrine Sleet, is a North Korea-linked cybercrime group targeting cryptocurrency platforms.

How can DeFi platforms protect themselves from such attacks?

Platforms should invest in advanced malware detection, employee training, and regular security audits to reduce vulnerabilities.

Why are North Korean hackers targeting DeFi platforms?

These hackers often use stolen funds to support North Korea’s state programs, bypassing international sanctions.

What should users do to protect their funds on DeFi platforms?

Users should enable two-factor authentication, use hardware wallets, and regularly monitor their accounts for suspicious activity.
