According to Radiant Capital, a North Korean hacker was responsible for the $50 million attack in October and posed as an ex-contractor.
Radiant Capital has disclosed that a $50 million hack on its decentralized finance (DeFi) platform in October was perpetrated by a North Korea-aligned hacker who sent malware via Telegram while posing as an ex-contractor.
In a December 6 update of the ongoing investigation, Radiant stated that its contracted cybersecurity firm, Mandiant, has assessed “with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”
According to the platform's account, on September 11 a Radiant developer received a Telegram message containing a ZIP file from a “trusted former contractor” who asked for feedback on a new project they were planning.
“This message is suspected to have been sent by a threat actor aligned with the DPRK who is impersonating the former contractor,” it stated upon review. “When this ZIP file was shared for feedback among other developers, it ultimately delivered malware that facilitated the subsequent intrusion.”
After the attacker gained control of multiple signers’ private keys and of the platform’s smart contracts on October 16, Radiant was forced to halt its lending markets. North Korean hacking groups have targeted cryptocurrency platforms for years and are estimated to have stolen $3 billion in cryptocurrency between 2017 and 2023.
Radiant stated that the file did not raise any additional suspicions, as “requests to review PDFs are routine in professional settings” and developers “frequently share documents in this format.”
The domain associated with the ZIP file also spoofed the contractor’s legitimate website.
During the attack, numerous Radiant developer devices were compromised, and the front-end interfaces displayed benign transaction data while malicious transactions were signed in the background.
“The threat was virtually invisible during the normal review stages, as traditional checks and simulations revealed no obvious discrepancies,” it continued.
“The attackers were able to compromise multiple developer devices despite Radiant’s standard best practices, which include simulating transactions in Tenderly, verifying payload data, and adhering to industry-standard SOPs at every step because this deception was executed seamlessly,” Radiant wrote.
Radiant Capital suspects the threat actor is “UNC4736,” also known as “Citrine Sleet,” which is believed to be affiliated with the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency, and is suspected to be a sub-cluster of the Lazarus Group.
On October 24, the hackers moved approximately $52 million of the stolen funds.
Radiant Capital stated in its update that “this incident illustrates that even the most stringent SOPs, hardware wallets, simulation tools such as Tenderly, and meticulous human review can be evaded by highly advanced threat actors.”
“The development of more robust, hardware-level solutions for decoding and validating transaction payloads is necessary due to the reliance on blind signing and front-end verifications that can be spoofed,” it stated.
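The failure mode described above is that the signer trusted what a compromised front-end displayed and signed bytes it never decoded. The following is an added example, not code from Radiant, Mandiant or this article, of the signer-side check Radiant's statement calls for: decode the raw calldata that will actually be signed, compare it with what the UI claims, and refuse anything outside a fixed policy. It assumes the signer can read the raw transaction fields (`to`, `data`) from the signing device or the transaction object itself rather than from the web page; the 4-byte selectors are the standard ABI selectors of the named functions, while every address, calldata string and the `Policy` shape are constructed for illustration.

```python
"""Signer-side decoding and policy check of raw EVM calldata.

Added example (not Radiant's, Mandiant's or the article's code). Assumes the
signer obtains `to` and `data` from the signing device or the raw transaction,
independent of whatever a possibly compromised front-end renders.
Selectors are the standard ABI selectors; addresses and payloads are constructed.
"""
from dataclasses import dataclass

WORD = 32  # static ABI types are encoded as 32-byte words

# keccak256("<signature>")[:4] for each function; these are the standard selectors.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}


def decode_calldata(data: bytes) -> tuple[str, tuple]:
    """Decode the selector and static ABI arguments from raw calldata.

    Only address/uint256 arguments are handled; anything else raises, and a
    signer should treat 'cannot decode' as 'refuse to sign', never as benign.
    """
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    sel, body = data[:4].hex(), data[4:]
    if sel not in SELECTORS:
        raise ValueError(f"unknown selector 0x{sel}")
    name, types = SELECTORS[sel]
    if len(body) != WORD * len(types):
        raise ValueError(f"{name}: argument length {len(body)} does not match ABI")
    args = []
    for i, typ in enumerate(types):
        word = body[WORD * i: WORD * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # a 20-byte address is right-aligned in the word
                raise ValueError("address word has non-zero left padding")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return name, tuple(args)


@dataclass(frozen=True)
class Policy:
    """What this key may sign, fixed out of band and independent of any UI."""
    allowed_targets: frozenset     # contract addresses this key may call
    allowed_functions: frozenset   # function names this key may invoke
    allowed_recipients: frozenset  # addresses that may receive funds or roles


def check_payload(to: str, data: bytes, ui_view: dict, policy: Policy) -> list[str]:
    """Return findings; an empty list means the raw payload matches both the
    policy and the UI's claim, so signing may proceed."""
    try:
        name, args = decode_calldata(data)
    except ValueError as exc:
        return [f"undecodable payload: {exc}"]
    findings = []
    # 1. Policy checks run on the bytes that will actually be signed.
    if to.lower() not in policy.allowed_targets:
        findings.append(f"target {to} is not an allowed contract")
    if name not in policy.allowed_functions:
        findings.append(f"function {name} is not allowed for this key")
    if args and isinstance(args[0], str) and args[0] not in policy.allowed_recipients:
        findings.append(f"{name}: recipient {args[0]} is not on the allowlist")
    # 2. Does the decoded payload match what the front-end displayed?
    if ui_view.get("to", "").lower() != to.lower():
        findings.append(f"UI shows target {ui_view.get('to')} but payload targets {to}")
    ui_args = tuple(ui_view.get("args", ()))
    if ui_view.get("function") != name or ui_args != args:
        findings.append(f"UI shows {ui_view.get('function')}{ui_args} but payload is {name}{args}")
    return findings


# ---- constructed sample data, not taken from the incident ----
TOKEN = "0x" + "aa" * 20      # the one contract this key may call
TREASURY = "0x" + "bb" * 20   # the one allowed recipient
ATTACKER = "0x" + "cc" * 20

POLICY = Policy(frozenset({TOKEN}), frozenset({"transfer"}), frozenset({TREASURY}))


def encode(selector: str, *args) -> bytes:
    """Minimal ABI encoder for static args: hex address strings and uint256 ints."""
    out = bytes.fromhex(selector)
    for a in args:
        out += bytes(12) + bytes.fromhex(a[2:]) if isinstance(a, str) else a.to_bytes(WORD, "big")
    return out


BENIGN = encode("a9059cbb", TREASURY, 10**18)     # transfer(TREASURY, 1e18)
MALICIOUS = encode("f2fde38b", ATTACKER)           # transferOwnership(ATTACKER)
UI_VIEW = {"to": TOKEN, "function": "transfer", "args": (TREASURY, 10**18)}

if __name__ == "__main__":
    print("benign:", check_payload(TOKEN, BENIGN, UI_VIEW, POLICY) or "no findings")
    print("malicious:", check_payload(TOKEN, MALICIOUS, UI_VIEW, POLICY))
```

The malicious case is the one the article describes: the UI shows a routine `transfer` while the bytes presented for signature are `transferOwnership` to another address. The check catches it three ways (disallowed function, disallowed recipient, UI mismatch) without ever trusting the front-end. The caveat is that this only helps if the decode runs somewhere the attacker does not control; on a compromised developer machine the comparison must be done on the signing device itself, which is the hardware-level decoding Radiant's statement refers to.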
This is not the first instance of Radiant being compromised this year. The platform suspended lending markets in January due to a $4.5 million flash loan exploit.
According to DefiLlama, Radiant’s total value locked has decreased significantly from over $300 million at the end of last year to approximately $5.81 million as of December 9. This decline is the result of the two exploits this year.