DPRK-Linked Hackers Behind $50M Exploit of Radiant Capital, Report Reveals

A new report from Radiant Capital has revealed that a state-backed North Korean hacking group was responsible for the $50 million exploit of the decentralized finance (DeFi) platform. According to the findings, the attackers relied on social engineering: they targeted Radiant's developers with a malicious file that compromised their machines and, through them, the transactions their hardware wallets were asked to sign.


The investigation, conducted in collaboration with cybersecurity firm Mandiant, attributed the hack to a DPRK-aligned threat actor believed to be UNC4736, the cluster Microsoft tracks as Citrine Sleet. The group is known for earlier campaigns including the AppleJeus malware.


The attackers used a simple ruse. Impersonating a trusted former contractor of Radiant Capital, they contacted a developer over Telegram and sent a zipped PDF, presented as a report on a recent smart contract audit. Because such file exchanges are routine in professional settings, the file raised no suspicion and was forwarded to other developers for feedback.


The archive in fact carried INLETDRIFT, a backdoor for macOS, which gave the attackers persistent access to the developers' machines. From there they hijacked the signing sessions of hardware wallets belonging to at least three Radiant developers. In the attack, carried out on October 16, 2024, the malware manipulated the Safe{Wallet} (formerly Gnosis Safe) front end so that it displayed legitimate transaction data while malicious transactions were signed and executed in the background, without the developers' knowledge.


Radiant Capital emphasized that its team followed best practices and industry-standard procedures, including Tenderly simulations and payload verification, and that the attackers succeeded anyway. Because those checks were performed from the compromised workstations, they could only vouch for what the malware chose to display, not for what was actually being signed. Mandiant attributes the attack with high confidence to a North Korean group tied to the country's Reconnaissance General Bureau, which has long been linked to cryptocurrency-focused hacks.


This incident fits a broader pattern of increasingly complex operations by North Korean hacking groups, which have targeted crypto firms and exchanges for years and stolen billions of dollars in cryptocurrency, proceeds believed to fund the country's nuclear weapons program. Recent reports have also described DPRK-linked operatives infiltrating the IT systems of prominent companies and stealing over $10 million in just six months.


The roughly $3 billion in cryptocurrency stolen by these state-sponsored hackers between 2017 and 2023 shows the scale and growing sophistication of their operations. The Radiant Capital exploit is another stark reminder of the persistent threat North Korean cyber actors pose in the cryptocurrency space.
