Radiant Capital revealed that a $50 million hack on its decentralized finance (DeFi) platform in October was orchestrated by a North Korean threat actor. The attackers used sophisticated methods, including impersonation and malware delivered via Telegram, to breach the platform.
Hackers Posed as Ex-Contractor to Deliver Malware
According to Radiant Capital’s Dec. 6 investigation update, the attack was attributed to a North Korea-linked group, identified as “UNC4736” or “Citrine Sleet.” The group is believed to operate under North Korea’s main intelligence agency, the Reconnaissance General Bureau (RGB), and is potentially linked to the infamous Lazarus Group.
The incident began on Sept. 11, when a Radiant developer received a Telegram message from someone posing as a trusted former contractor. The attacker sent a ZIP file, said to contain a PDF, under the guise of seeking feedback on a project. Radiant explained that this tactic was effective because sharing PDF files for feedback is common in professional settings, and the domain from which the ZIP file was served mimicked the contractor’s legitimate website.
Once the file was opened, the malware it carried compromised multiple developer devices. By Oct. 16, the hackers had gained control of private keys and smart contracts, forcing Radiant to suspend its lending markets.
Advanced Techniques Rendered Traditional Security Measures Ineffective
Radiant’s investigation found that the hackers executed the attack by exploiting blind signing and spoofing the front-end transaction verification: the compromised developer machines presented legitimate-looking transaction data in the signing interface while a different payload was passed to the signing devices, and because a blind-signing hardware wallet shows only an opaque hash rather than the decoded call, the substitution was invisible to the signers. Although the developers ran simulations and followed best practices, including using tools like Tenderly and verifying payload data, the malicious activity stayed hidden during these routine checks.
“This attack highlights the limitations of existing security measures, even when stringent standard operating procedures (SOPs) and simulation tools are employed,” Radiant said in its statement.
The hackers managed to move $52 million of the stolen funds on Oct. 24. Radiant stressed the need for more robust, hardware-level solutions to enhance the security of transaction payload decoding and validation.
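As an added illustration of the payload-decoding and validation step the passage calls for (example code written for this page, not Radiant’s tooling or anything from its report): before approving a multisig transaction, a signer can decode the calldata and recompute the EIP-712 digest locally from independently obtained transaction fields, then compare that value with what the hardware wallet displays instead of trusting the front end. It assumes a Safe v1.3.0-style multisig and a wallet that blind-signs by showing that digest; the chain id, addresses, the mini-ABI of selectors and the two transactions are constructed test data, and the pure-Python Keccak is included only so the script runs offline.

```python
"""Sign-time payload verification for a multisig signer, added as an illustration (not
Radiant's code): decode the calldata and recompute the digest the hardware wallet will
display, independently of the front end. Assumes a Safe v1.3.0-style EIP-712 multisig;
every address, ABI entry and transaction below is constructed test data."""

_RC = [  # Keccak-f[1600] round constants (Keccak reference values)
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],  # rho offsets [x][y]
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _rol(v, n):  # 64-bit rotate left
    return ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1)

def _keccak_f(a):  # a[x][y] lanes; theta, rho+pi, chi, iota per round
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (rate 136 bytes, 0x01 domain padding), pure Python."""
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % 136)
    buf[-1] |= 0x80
    st = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), 136):
        for i in range(17):  # lane i lives at x = i % 5, y = i // 5
            st[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        st = _keccak_f(st)
    return b"".join(st[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def _word(v) -> bytes:  # ABI-encode an int or 0x-prefixed address as one 32-byte word
    return (int(v, 16) if isinstance(v, str) else v).to_bytes(32, "big")

# Type hashes as defined in Safe v1.3.0 (assumption: that is the multisig in use).
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")

def safe_tx_hash(tx: dict) -> bytes:
    """The EIP-712 digest a hardware wallet shows when it cannot clear-sign the Safe tx."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(tx["chain_id"]) + _word(tx["safe"]))
    struct = keccak256(SAFE_TX_TYPEHASH + b"".join([
        _word(tx["to"]), _word(tx["value"]), keccak256(tx["data"]), _word(tx["operation"]),
        _word(tx["safe_tx_gas"]), _word(tx["base_gas"]), _word(tx["gas_price"]),
        _word(tx["gas_token"]), _word(tx["refund_receiver"]), _word(tx["nonce"])]))
    return keccak256(b"\x19\x01" + domain + struct)

# Constructed mini-ABI; selectors are derived from the signatures rather than hard-coded.
KNOWN = {keccak256(s.encode())[:4]: s for s in
         ["transfer(address,uint256)", "transferOwnership(address)", "upgradeTo(address)"]}
PRIVILEGED = {"transferOwnership(address)", "upgradeTo(address)"}

def decode_call(data: bytes):
    """Decode selector plus static (address/uint256) args; (None, []) if the selector is unknown."""
    sig = KNOWN.get(bytes(data[:4]))
    if sig is None:
        return None, []
    types = sig[sig.index("(") + 1:-1].split(",")
    words = [data[4 + 32 * i:36 + 32 * i] for i in range(len(types))]
    return sig, ["0x" + w[12:].hex() if t == "address" else int.from_bytes(w, "big")
                 for t, w in zip(types, words)]

def check_before_signing(tx: dict, device_hash: bytes) -> list:
    """Reasons to refuse; an empty list means calldata and device digest both check out."""
    findings = []
    sig, args = decode_call(tx["data"])
    if sig is None:
        findings.append("unknown selector 0x%s: do not blind-sign" % tx["data"][:4].hex())
    elif sig in PRIVILEGED:
        findings.append("privileged call %s with args %s" % (sig, args))
    if safe_tx_hash(tx) != device_hash:
        findings.append("device digest differs from the locally recomputed safeTxHash")
    return findings

# Constructed sample: the benign transfer the front end displays, and a swapped payload that
# hands an admin contract to an outside address (illustrative addresses and chain id only).
SAFE, TOKEN, ADMIN, TREASURY, OUTSIDER = ["0x" + h * 20 for h in ("11", "22", "33", "44", "55")]
BASE = dict(chain_id=42161, safe=SAFE, value=0, operation=0, safe_tx_gas=0, base_gas=0,
            gas_price=0, gas_token="0x" + "00" * 20, refund_receiver="0x" + "00" * 20, nonce=7)
BENIGN = dict(BASE, to=TOKEN, data=keccak256(b"transfer(address,uint256)")[:4]
              + _word(TREASURY) + _word(10**18))
SWAPPED = dict(BASE, to=ADMIN, data=keccak256(b"transferOwnership(address)")[:4] + _word(OUTSIDER))

if __name__ == "__main__":  # the wallet receives SWAPPED while the UI shows BENIGN
    print("front end shows:", decode_call(BENIGN["data"]), "device gets:", decode_call(SWAPPED["data"]))
    print("refuse because:", check_before_signing(BENIGN, safe_tx_hash(SWAPPED)))
```

The point of the check is that a compromised front end can misrepresent what it displays, but it cannot make a substituted payload hash to the digest computed from the fields the signer obtained themselves, so a mismatch between the device screen and the local value, or a privileged selector where a routine call was expected, is a hard stop rather than a prompt to resubmit. Firmware that clear-signs the Safe transaction on the device makes the manual digest comparison unnecessary, but the decode-and-compare step on a separate, uncompromised machine still catches the swap.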
Radiant’s Troubled Year and Its Impact
This hack was not Radiant Capital’s first exploit of 2024. In January, the platform lost about $4.5 million to a flash loan exploit, forcing it to halt lending markets. These repeated attacks have significantly affected the platform’s reputation and financial health.
Radiant’s total value locked (TVL) has plummeted from over $300 million at the end of 2022 to just $5.81 million as of Dec. 9, according to DeFiLlama.
North Korean hacking groups, particularly those linked to Lazarus Group, have long targeted crypto platforms. Between 2017 and 2023, these groups stole an estimated $3 billion in cryptocurrency, making them among the most active and advanced cybercriminal networks in the space.