On October 16, 2024, Radiant Capital, a cross-chain decentralized lending protocol built on LayerZero, fell victim to a sophisticated cyberattack resulting in losses of up to $50 million.
The attack has been linked to North Korean hackers, marking another alarming chapter in the wave of cybercrime targeting decentralized finance (DeFi).
Report connects North Korean actors to the Radiant Capital incident
A report from OneKey, a Coinbase-backed crypto hardware wallet manufacturer, confirmed that the attack was carried out by North Korean hackers. The report draws in part on a Medium post by Radiant Capital that provided an update on the October 16 incident.
According to the report, Mandiant, a leading cybersecurity company, has linked the incident to UNC4736, a North Korea-affiliated group also known as AppleJeus or Citrine Sleet. The group operates under the Reconnaissance General Bureau (RGB), North Korea’s main intelligence agency.
Mandiant’s investigation revealed that the attackers had carefully planned their operation, deploying malicious smart contracts on multiple blockchain networks, including Arbitrum, Binance Smart Chain, Base, and Ethereum. This effort reflects the advanced capabilities of North Korean-backed threat actors targeting the DeFi industry.
The intrusion began with a phishing attack on September 11, 2024. A Radiant Capital developer received Telegram messages from an individual posing as a trusted contractor. The message included a zip file that purportedly contained a smart contract audit report. The file, “Penpie_Hacking_Analysis_Report.zip,” carried malware called INLETDRIFT, a macOS backdoor that gave the attackers unauthorized access to Radiant’s systems.
When the developer opened the file, it appeared to be a legitimate PDF. In the background, however, the malware silently installed itself and established a backdoor connection to the malicious domain atokyonews[.]com, which allowed the attackers to spread the malware further across Radiant’s fleet and gain access to sensitive systems.
The attackers’ strategy culminated in a man-in-the-middle (MITM) attack. Using the compromised devices, they intercepted and manipulated transaction requests in Radiant’s Gnosis Safe multisig wallets. Although these transactions appeared legitimate to the signers, the malware covertly modified them into Transfer Ownership calls, handing the attackers control of Radiant’s lending pool contracts.
The heist, its impact on the industry, and lessons learned
Although Radiant followed best practices such as hardware wallets, transaction simulations, and verification tools, the attackers’ methods bypassed all of these defenses. Within minutes of taking ownership, the hackers drained funds from Radiant’s lending pools, causing heavy losses to the platform and its users.
The attack on Radiant Capital is a stern warning to the DeFi industry: even projects that follow strict security standards can fall prey to sophisticated threats. The incident highlighted several important weaknesses, including:
- Phishing risk: The attack began with a convincing impersonation scheme, underscoring the need for extreme vigilance toward unsolicited file sharing.
- Signed but not seen: Hardware wallets, while necessary, often display only basic transaction details, which makes it hard for users to detect malicious modifications. Hardware-level solutions that decode and verify the full transaction payload are needed.
- Interface security: Relying on front-end interfaces to verify transactions has proven insufficient; a spoofed interface lets attackers manipulate transaction data without detection.
- Governance weaknesses: The lack of revocation mechanisms left Radiant’s contracts exposed. A time lock or a mandatory delay on ownership transfers could provide critical response time during future incidents.
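As an added illustration of the “signed but not seen” and interface points above (example code written for this article, not Radiant’s, Mandiant’s or Gnosis Safe’s), here is a pre-signing check that decodes the raw calldata handed to a multisig signer and compares it with what the signer believes they are approving, independently of the wallet interface. The two function selectors are well-known hard-coded values; all addresses are constructed placeholders.

```python
from typing import NamedTuple
# First 4 bytes of keccak256(signature); hard-coded so the check runs offline.
SELECTORS = {"f2fde38b": "transferOwnership(address)",
             "a9059cbb": "transfer(address,uint256)"}

class Call(NamedTuple):
    to: str          # target contract address
    function: str    # canonical function signature
    args: tuple      # decoded static arguments

def decode_calldata(to: str, data: str) -> Call:
    # Decode selector plus 32-byte static words; reject anything unexpected.
    raw = bytes.fromhex(data.removeprefix("0x"))
    sig = SELECTORS.get(raw[:4].hex())
    if sig is None:
        raise ValueError(f"unknown selector 0x{raw[:4].hex()}")
    types = sig[sig.index("(") + 1:-1].split(",")
    body = raw[4:]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match the signature")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # an address occupies only the low 20 bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:                   # uint256 and other static integer types
            args.append(int.from_bytes(word, "big"))
    return Call(to.lower(), sig, tuple(args))

def verify_against_intent(to, data, intent: Call, known_owners) -> list:
    # Returns findings; an empty list means the payload matches the signer's intent.
    actual = decode_calldata(to, data)
    findings = []
    if actual.to != intent.to.lower():
        findings.append(f"target differs: {actual.to} vs {intent.to.lower()}")
    if actual.function != intent.function:
        findings.append(f"function differs: {actual.function} vs {intent.function}")
    elif actual.args != intent.args:
        findings.append(f"arguments differ: {actual.args} vs {intent.args}")
    if actual.function == "transferOwnership(address)" and actual.args[0] not in known_owners:
        findings.append(f"ownership transfer to unknown address {actual.args[0]}")
    return findings

# Constructed sample: the UI shows a routine token transfer from the pool, but the
# payload actually handed to the hardware wallet is transferOwnership(ATTACKER).
POOL, TREASURY = "0x" + "11" * 20, "0x" + "22" * 20
ATTACKER = "0x" + "dead" * 10  # placeholder, not a real indicator
INTENT = Call(POOL, "transfer(address,uint256)", (TREASURY, 10**18))
TAMPERED_DATA = "0xf2fde38b" + "00" * 12 + ATTACKER[2:]
for finding in verify_against_intent(POOL, TAMPERED_DATA, INTENT, {TREASURY}):
    print("REFUSE TO SIGN:", finding)
```

The same comparison can be run against a Safe transaction simulated on an isolated machine, so the signer is not relying on the possibly compromised host that built the payload.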
In response to this incident, Radiant Capital partnered with leading cybersecurity companies, including Mandiant, zeroShadow and Hypernative, to support investigation and asset recovery. Radiant DAO’s team is also working with US law enforcement to track down and freeze the stolen funds.
In the Medium post, Radiant also reaffirmed its commitment to sharing lessons learned and improving security across the DeFi industry. The DAO team emphasized the importance of adopting strong governance frameworks, strengthening device-level security, and moving away from risky practices such as blind signing.
“It looks like everything may have stopped at step 1,” said one user in a comment on X.
The Radiant Capital incident parallels a recent report indicating that North Korean hackers continue to evolve their tactics. As these actors become more sophisticated, the industry must adapt by prioritizing transparency, strong security controls, and collaborative efforts to combat such attacks.