Radiant Capital’s $50M heist reveals security flaws; attackers possibly North Korean

The $50M theft from Radiant Capital on October 16, 2024, exposes weaknesses in how DeFi transactions are verified and signed. Investigators are focusing on North Korea-linked attackers.

Radiant Capital has released new details about the cyberattack it suffered on October 16, 2024, in which attackers stole cryptocurrency worth approximately $50 million. The decentralized finance (DeFi) lending protocol says it is working with cybersecurity specialists and law enforcement to reconstruct the attack and recover the stolen funds.

A forensic investigation by Mandiant, the cybersecurity firm Radiant retained, found that the attackers used advanced tradecraft and are believed to be linked to the Democratic People's Republic of Korea (DPRK), also known as North Korea. Radiant's community-led DAO has also enlisted zeroShadow and Hypernative for on-chain tracking of the stolen assets and SEAL 911 for additional support.

How the attack happened

On September 11, 2024, a Radiant developer received a Telegram message purporting to come from a former contractor. The message looked legitimate and carried a zip file that supposedly contained details of a new smart contract auditing project. Unbeknownst to the developer, the archive delivered macOS malware that Mandiant tracks as INLETDRIFT. When opened, it displayed a convincing PDF as a decoy while installing a backdoor on the developer's Mac.

From that foothold the attackers compromised several developers' devices. Radiant simulated transactions in Tenderly and followed its usual verification procedures, but those checks depend on what the signer is shown: the malware allowed the attackers to obtain signatures on transactions other than the ones the signers believed they were approving, while everything the signers saw looked legitimate, so nothing raised suspicion.

In the weeks before the theft, the attackers staged malicious smart contracts on several chains, including Arbitrum, BNB Smart Chain (formerly Binance Smart Chain), Base, and Ethereum. Within minutes of executing the theft, they cleaned up traces of the intrusion.

Attribution, lessons and Radiant's response

Mandiant attributes the attack to UNC4736, a group tied to North Korea's Reconnaissance General Bureau and known for targeting financial institutions worldwide. Its involvement is a sign of the increasing sophistication of the threats facing the DeFi sector.

Radiant Capital says the incident shows that the industry needs stronger controls. Relying on front-end verification and conventional transaction checks is no longer sufficient, because a compromised workstation can show a signer one transaction while submitting another. Radiant argues that the industry must adopt hardware-level validation of the exact transaction payload being signed, so that what the signing device displays is what it signs, to prevent similar breaches, especially as state-backed attacks become commonplace.
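As an added example of the "validate the payload yourself" idea in this paragraph and the earlier one about signatures obtained without suspicion (this is not Radiant's code, nor Mandiant's, nor a reconstruction of the attack tooling): a small Python check that decodes raw EVM calldata independently of any wallet UI and compares it with the signer's stated intent. The three function selectors are the standard ones for the listed signatures; the contract and wallet addresses and the approve-versus-transferOwnership scenario are constructed placeholders.

```python
"""Independent decoding of an EVM transaction payload before signing.

Added example, not Radiant Capital's code. A signer (or a signing service
on a separate, trusted device) decodes the raw calldata itself and compares
it with the action it believes it is approving, instead of trusting what a
wallet front end renders. Addresses below are constructed placeholders.
"""
from dataclasses import dataclass

# Function selector = first 4 bytes of keccak256(canonical signature).
# Hard-coded here so the example runs offline without a keccak library.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("f2fde38b"): "transferOwnership(address)",
}


@dataclass
class DecodedCall:
    signature: str
    args: list


def _arg_types(signature: str) -> list:
    inner = signature[signature.index("(") + 1:-1]
    return inner.split(",") if inner else []


def encode_call(signature: str, *args) -> bytes:
    """ABI-encode a call with only static arguments (address / uintN)."""
    selector = next(k for k, v in KNOWN_SELECTORS.items() if v == signature)
    words = []
    for t, a in zip(_arg_types(signature), args):
        if t == "address":
            words.append(bytes.fromhex(a[2:]).rjust(32, b"\x00"))
        elif t.startswith("uint"):
            words.append(int(a).to_bytes(32, "big"))
        else:
            raise ValueError(f"unsupported type {t}")
    return selector + b"".join(words)


def decode_calldata(calldata: bytes) -> DecodedCall:
    """Decode selector + 32-byte static words; reject anything unexpected."""
    if len(calldata) < 4 or (len(calldata) - 4) % 32:
        raise ValueError("malformed calldata length")
    signature = KNOWN_SELECTORS.get(calldata[:4])
    if signature is None:
        raise ValueError(f"unknown selector 0x{calldata[:4].hex()}")
    words = [calldata[i:i + 32] for i in range(4, len(calldata), 32)]
    types = _arg_types(signature)
    if len(types) != len(words):
        raise ValueError("argument count does not match selector")
    args = []
    for t, w in zip(types, words):
        if t == "address":
            if any(w[:12]):   # upper 12 bytes must be zero for an address
                raise ValueError("non-zero padding in address word")
            args.append("0x" + w[12:].hex())
        else:                 # uintN
            args.append(int.from_bytes(w, "big"))
    return DecodedCall(signature, args)


def verify_against_intent(to: str, calldata: bytes, intent: dict) -> list:
    """Compare the bytes that would actually be signed with the signer's
    stated intent {"to", "function", "args"}. Empty list means they match."""
    problems = []
    if to.lower() != intent["to"].lower():
        problems.append(f"destination mismatch: payload targets {to}, "
                        f"intent was {intent['to']}")
    try:
        call = decode_calldata(calldata)
    except ValueError as exc:
        return problems + [f"cannot decode payload: {exc}"]
    if call.signature != intent["function"]:
        problems.append(f"function mismatch: payload calls {call.signature}, "
                        f"intent was {intent['function']}")
    elif [str(a).lower() for a in call.args] != \
            [str(a).lower() for a in intent["args"]]:
        problems.append(f"argument mismatch: payload {call.args}, "
                        f"intent {intent['args']}")
    return problems


# Constructed scenario: the signer believes they are approving a routine
# token allowance, but the payload handed to the wallet transfers ownership
# of the contract to an attacker-controlled address.
POOL_CONTRACT = "0x" + "11" * 20     # placeholder protocol contract
ROUTER = "0x" + "22" * 20            # placeholder legitimate spender
ATTACKER = "0x" + "33" * 20          # placeholder attacker wallet

INTENT = {"to": POOL_CONTRACT,
          "function": "approve(address,uint256)",
          "args": [ROUTER, 1000]}
BENIGN_PAYLOAD = encode_call("approve(address,uint256)", ROUTER, 1000)
HIJACKED_PAYLOAD = encode_call("transferOwnership(address)", ATTACKER)

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN_PAYLOAD),
                           ("hijacked", HIJACKED_PAYLOAD)):
        issues = verify_against_intent(POOL_CONTRACT, payload, INTENT)
        print(label, "OK to sign" if not issues else issues)
```

Run as a script, the benign payload reports nothing to object to while the hijacked one flags the function mismatch. The comparison only helps if it runs somewhere the attacker cannot reach: on the hardware wallet's own display, or on an air-gapped verifier that receives the exact bytes the wallet will sign. Performing it on the same compromised workstation that renders the front end would just move the problem.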

Radiant Capital has pledged full cooperation with U.S. law enforcement and other agencies in efforts to recover the stolen assets. The platform is also sharing insights from the attack to help strengthen security protocols across the DeFi ecosystem.

This breach serves as a stark reminder of the vulnerabilities within the rapidly growing DeFi space, indicating the urgent need for innovative solutions to combat evolving threats.
