Cybersecurity firm Mandiant has concluded with “high confidence” that the attacker responsible for draining $50 million from Radiant Capital’s decentralized finance (DeFi) platform is linked to North Korea. The theft itself took place on October 16; the attribution was disclosed in a Radiant Capital incident update published on December 6, which summarised Mandiant’s ongoing investigation and traced the attack to a threat actor affiliated with the Democratic People’s Republic of Korea (DPRK).
The intrusion began on September 11, when a Radiant developer received a Telegram message that appeared to come from a trusted former contractor. The message carried a zip file, presented as material on a new project for which feedback was requested, which in fact contained malware designed to compromise the developer’s machine.
Radiant Capital disclosed that the zip file, believed to have been sent by a DPRK-linked operator impersonating the contractor, contained malware that initially went undetected. Once the file had been circulated among the development team, it set off a chain of events that led to the theft: the malware infected multiple developer devices, and the attackers used that foothold to tamper with what the developers saw while approving transactions, ultimately gaining control of signing keys and of the protocol’s smart contracts. Radiant halted its lending markets on October 16, the day of the attack.
Radiant noted that the zip file, which appeared to contain PDF documents, did not raise immediate suspicion. Reviewing PDFs is routine in professional settings, and the file was hosted on a domain chosen to closely resemble the contractor’s legitimate website, adding a further layer of deception.
“The threat was virtually invisible during normal review stages,” Radiant stated. “Even with our standard best practices and industry-standard procedures, the attackers successfully compromised multiple developer devices.”
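To make the lure described above concrete, here is an added example (not code from Radiant, Mandiant, or the original article) of two checks a developer can run on such an archive before opening anything in it: whether entries named as PDFs really carry PDF content or hide an executable, and whether the download domain is a near-miss of a trusted one. The archive entries, file names and the domains contractor-example.com and contractor-exarnple.com are all constructed for the demo and bear no relation to the real lure.

```python
# Added example: triage an archive lure of the kind described above.
# Not code from Radiant, Mandiant or the article; all sample data below
# (archive entries, file names, domains) is constructed for the demo.
import io
import zipfile
from difflib import SequenceMatcher
from typing import List, Optional

# Magic bytes that identify executable content regardless of file name.
# A Mach-O 64-bit file starts with 0xFEEDFACF, stored little-endian as CF FA ED FE.
EXECUTABLE_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"#!": "shebang script",
}
PDF_MAGIC = b"%PDF-"


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a finding for a suspicious archive entry, or None if it looks benign."""
    lower = name.lower()
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return f"{name}: executable content ({label}) regardless of name"
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        return f"{name}: named .pdf but lacks the PDF header"
    # Double extensions such as report.pdf.app or report.pdf.command hide the real type.
    for component in lower.split("/"):
        parts = component.split(".")
        if len(parts) >= 3 and "pdf" in parts[1:-1]:
            return f"{name}: double extension hides real type .{parts[-1]}"
    return None


def scan_zip(data: bytes) -> List[str]:
    """Inspect every file in the archive by content, not by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # long enough for every magic above
            finding = classify_entry(info.filename, head)
            if finding:
                findings.append(finding)
    return findings


def normalise_domain(domain: str) -> str:
    """Fold common homoglyph substitutions so that 'rn' reads as 'm', '0' as 'o', etc."""
    d = domain.lower().strip(".")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(fake, real)
    return d


def lookalike_domain(candidate: str, trusted: List[str], threshold: float = 0.85) -> Optional[str]:
    """Flag a domain that is close to, but not the same as, a trusted domain."""
    cand = candidate.lower().strip(".")
    trusted_lower = [t.lower().strip(".") for t in trusted]
    if cand in trusted_lower:
        return None
    for t in trusted_lower:
        if normalise_domain(cand) == normalise_domain(t):
            return f"{candidate}: homoglyph variant of {t}"
        ratio = SequenceMatcher(None, cand, t).ratio()
        if ratio >= threshold:
            return f"{candidate}: {ratio:.2f} similar to {t}"
    return None


def build_sample_lure() -> bytes:
    """Constructed archive: a real PDF header, a Mach-O hidden in a .pdf.app bundle, a mislabeled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Project_Overview.pdf", b"%PDF-1.7\n% placeholder body\n")
        zf.writestr("Feedback_Request.pdf.app/Contents/MacOS/Feedback_Request",
                    b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("Notes.pdf", b"plain text, not a PDF")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_lure()):
        print("ARCHIVE:", line)
    for domain in ("contractor-example.com", "contractor-exarnple.com", "example.org"):
        print("DOMAIN:", domain, "->", lookalike_domain(domain, ["contractor-example.com"]))
```

The archive check deliberately ignores what the file is called and looks at the first bytes, because a name ending in .pdf, or a .pdf.app bundle whose icon looks like a document, is exactly what the lure relies on; the domain check catches the rn/m style substitution that a human reviewer glancing at a link tends to miss.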
The attackers, tracked by Mandiant as UNC4736 and known under Microsoft’s naming as Citrine Sleet, are assessed to be affiliated with North Korea’s Reconnaissance General Bureau (RGB) and may be connected to the Lazarus Group. Lazarus has been implicated in several major cyberattacks, including the theft of an estimated $3 billion in cryptocurrency between 2017 and 2023.
Following the October theft, the attackers moved around $52 million worth of the stolen cryptocurrency on October 24. Radiant Capital described the attack as a stark reminder of the evolving threats facing the DeFi sector and of the limits of current security measures in detecting sophisticated attacks.
Previous Attacks on Radiant and North Korean Cyberattacks
Radiant Capital Incident Update
A detailed update on the October 16 incident is now available, with Mandiant’s ongoing investigation attributing the attack with high confidence to a Democratic People’s Republic of Korea (DPRK)-linked threat actor.
The report sheds light…
— Radiant Capital (@RDNTCapital) December 7, 2024
This is not the first time Radiant has been targeted. In January 2024, the platform lost about $4.5 million in a flash loan exploit, which likewise led to the suspension of its lending markets.
North Korea has also been implicated in earlier high-profile cryptocurrency heists. In 2019, attackers stole 342,000 ETH, then valued at about $41.5 million, from South Korea’s Upbit exchange; the South Korean National Police Agency has since attributed that theft to North Korea. At current prices the stolen ETH is worth over $1 billion, making it one of the largest cryptocurrency thefts tied to North Korea.
The Radiant Capital hack and similar incidents highlight the ongoing difficulty of securing decentralized finance platforms, and experts warn that the threat from state-sponsored attackers will continue to grow.