In a December 6 update, Radiant Capital said that an investigation conducted with the help of cybersecurity firm Mandiant indicated with a high degree of confidence that hackers affiliated with the North Korean Intelligence Agency (NKO) were behind the attack.
The incident began on September 11, when one of Radiant’s developers received a Telegram message from an alleged former contractor asking him to evaluate an attached file. The archive contained malware that was later distributed to other employees.
On October 16, hackers gained access to several private keys and smart contracts on the platform, forcing Radiant to halt its lending operations. According to the company, the infected developers’ devices displayed false transaction data, while real, malicious transactions were signed in the background.
Radiant noted that the ZIP file and its associated domain appeared completely legitimate, and such requests to verify PDF files are common practice. This allowed the hackers to fool even strict security protocols and verification tools like Tenderly.
The hacker group behind the attack, known as UNC4736 or Citrine Sleet, is, according to Mandiant, associated with the Lazarus Group, which has long targeted crypto platforms. From 2017 to 2023, hackers of this kind stole about $3 billion in cryptocurrency.
After the attack, the stolen funds began moving on October 24. Radiant emphasized that this incident highlights the need to develop more robust solutions for verifying transactions at the hardware level, as existing measures, including hardware wallets and transaction simulators, have proven insufficient.
This is the second major breach of Radiant this year. In January, the platform suspended operations after a $4.5 million flash loan attack. The two incidents brought the total amount of funds locked on the platform down from more than $300 million at the end of last year to $5.81 million as of Dec. 9, according to DefiLlama.