Web3 security firms have confirmed North Korea’s role in the Radiant Capital hack
Radiant Capital has revealed new findings from a $50 million hack that targeted the decentralized finance (DeFi) platform in October, which it blamed on a hacking group linked to North Korea.
The attackers gained access through a wide variety of methods that included malware distributed over Telegram.
$50M Radiant Capital DeFi Hack
The breach, first discovered on October 16, 2024, prompted Radiant to partner with cybersecurity firms such as Mandiant, zeroShadow, Hypernative, and SEAL 911 to investigate and mitigate the damage.
According to the official blog post, the attack started in 2018. On September 11, 2024, a Radiant developer received a Telegram message from someone posing as a former contractor. The message, designed to look innocuous, asked for feedback on a PDF file that it claimed was related to smart contract auditing work.
To reduce suspicion, the sender plausibly spoofed a legitimate website. Once the file, titled Penpie_Hacking_Analysis_Report.zip, was opened, macOS backdoor malware called INLETDRIFT was launched. The malware connected to an external server while appearing harmless, displaying a valid PDF.
While Radiant adheres to strict security protocols, including transaction tokens and payment authentication, the malware was able to avoid detection by matching front-end transaction data. Developers unwittingly signed malicious transactions, believing them to be legitimate. The attackers' plan made the raid undetectable during routine inspections.
zeroShadow, a provider of Web3 security solutions, also confirmed that the Radiant Capital hack was the work of actors with ties to North Korea. In a statement issued on December 9, the platform said:
“Also, based on several indicators we collected on and off-chain, we attribute the October 16 incident of Radiant Capital to the DPRK. We traced the move to HyperLiquid to the failure of Radiant users to revoke licenses, not the initial incident of stolen funds.”
Radiant's TVL is down more than 97% this year
Radiant Capital is a decentralized lending and borrowing protocol that integrates cross-chain capabilities using LayerZero technology. DefiLlama's latest figures put its total value locked (TVL) at just over $6 million.
The October 16 hack is not the first time Radiant has been attacked this year. In January, a smart contract vulnerability was exploited, costing the platform $4.5 million. At that point its TVL had risen sharply to more than $300 million in a bull run, but locked-in assets have dropped sharply over the year.