Radiant Capital Says North Korea-Linked Hacker Posing as Ex-Contractor Was Behind $50 Million Hack
Radiant Capital said the $50 million hack of its decentralized finance (DeFi) platform in October was carried out by a hacker with ties to North Korea who posed as a former contractor on Telegram.
In a Dec. 6 update on the ongoing investigation, Radiant said its contractor, cybersecurity firm Mandiant, “assesses with a high degree of confidence that this attack is attributable to a Democratic People's Republic of Korea (DPRK)-nexus threat actor.”
The platform said a Radiant developer received a Telegram message containing a ZIP file on September 11 from what appeared to be a trusted former contractor, asking for feedback on a new project they were planning.
“After review, it is suspected that this message originated from a DPRK-linked threat actor impersonating the former contractor,” it said. “When this ZIP file was shared among other developers for feedback, it ultimately delivered malware that facilitated further intrusions.”
On October 16, the DeFi platform was forced to shut down its lending markets after a hacker compromised the private keys and smart contracts of several signers. North Korean hacking groups have long targeted crypto platforms, stealing an estimated $3 billion between 2017 and 2023.
Radiant said the file did not raise suspicion because “requests to review PDFs are common in professional settings” and developers “frequently share documents in this format.”
The domain associated with the ZIP file also spoofed the contractor's legitimate website.
Several Radiant developer tools were compromised during the attack, and malicious transactions were signed in the background while front-end interfaces displayed benign transaction data.
“Traditional checks and simulations showed no discernible differences, rendering the threat virtually invisible under normal review standards,” the update added.
“This deception was executed so seamlessly that even with Radiant's standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer tools,” it wrote.
The threat actor behind the Radiant Capital attack, tracked as “UNC4736” and also known as “Citrine Sleet,” is believed to be aligned with, and possibly a sub-group of, North Korea's main intelligence agency, the Reconnaissance General Bureau (RGB), and its Lazarus Group hacking team.
The hackers moved about $52 million of the stolen funds on October 24.
“This incident demonstrates that strict SOPs, hardware wallets, simulation tools like Tenderly and careful human review can be bypassed by highly sophisticated threat actors,” Radiant Capital wrote in the update.
“The reliance on blind signing and front-end verification, both of which can be spoofed, calls for robust hardware-level solutions that decode and verify transaction payloads,” it added.
This is not the first time Radiant has been exploited this year. The platform shut down its lending markets in January following a $4.5 million flash loan exploit.
After the two exploits this year, Radiant's total value locked dropped sharply, from more than $300 million at the end of last year to about $5.81 million as of Dec. 9, according to DefiLlama.