Author: Stephen Katte, CoinTelegraph; Compiler: Tao Zhu, Golden Finance
Radiant Capital said that its decentralized finance (DeFi) platform was hacked in October, with a loss of $50 million. The malware was delivered via Telegram by a North Korea-aligned threat actor posing as a former contractor.
Radiant said in an investigation update on December 6 that its contracted cybersecurity firm Mandiant had assessed "with high confidence that the attack was carried out by a threat actor linked to North Korea."
The platform said that on September 11, a Radiant developer received a Telegram message containing a zip file from a "trusted former contractor" asking for feedback on a new project they were planning.
“Upon review, the message was suspected to be from a North Korea-aligned threat actor posing as a former contractor,” it said. “This ZIP file, when shared among other developers for feedback, ultimately spread malware, facilitating subsequent intrusions.”
On October 16, a hacker took control of the private keys and smart contracts of multiple signers, forcing the DeFi platform to suspend its lending market. North Korean hacking groups have long targeted cryptocurrency platforms and stole $3 billion worth of cryptocurrency between 2017 and 2023.
Radiant said the file did not raise any additional suspicions because "requests to review PDFs are routine practice in professional environments" and developers "often share documents in this format."
The domain associated with the ZIP file also spoofed the contractor's legitimate website.
Multiple Radiant developer devices were compromised during the attack, with the front-end interface displaying benign transaction data while malicious transactions were signed in the background.
“Traditional inspection and simulation revealed no discernible differences, making the threat virtually invisible during normal review phases,” it added.
“The deception was so seamlessly executed that the attacker was able to compromise multiple developer devices even with Radiant’s standard best practices, such as simulating transactions in Tenderly, validating payload data, and following industry standard SOPs at every step,” Radiant wrote.
An example of a phishing PDF that a malicious hacking group might use. Source: Radiant Capital
Radiant Capital believes the threat actor responsible for the attack is known as “UNC4736,” also known as “Citrine Sleet,” which is believed to be linked to the Reconnaissance General Bureau (RGB), North Korea’s main intelligence agency, and is speculated to be a branch of the Lazarus Group.
The hackers moved approximately $52 million in stolen funds on October 24.
“This incident demonstrates that even strict SOPs, hardware wallets, emulation tools such as Tenderly, and careful human review can be bypassed by highly advanced threat actors,” Radiant Capital wrote in its update.
“The reliance on blind signatures and front-end verification that can be spoofed requires the development of more robust hardware-level solutions to decode and verify transaction payloads,” it added.
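The mitigation Radiant points to, decoding the transaction payload independently of the front end before signing, can be illustrated with a small check. This is an added example, not code from Radiant, Mandiant or any wallet; the contract addresses and the "intent" the UI displays are constructed sample data, and the selectors are the standard 4-byte ids of common ERC-20 and Ownable functions.

```python
# Added example: decode the calldata a signer is about to approve and compare it
# with what the front end claims, so a spoofed UI cannot hide a different call
# behind a benign display. Only static 32-byte ABI arguments are handled.

# Standard 4-byte selectors (keccak256 of the signature, first 4 bytes).
KNOWN = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}

def decode_word(kind, word):
    """Decode one 32-byte ABI word (64 hex chars) of the given Solidity type."""
    if kind == "address":
        return "0x" + word[-40:]
    if kind == "uint256":
        return int(word, 16)
    raise ValueError(f"unsupported type {kind}")

def decode_calldata(data_hex):
    """Return (function_name, [args]); unknown selectors are reported, not guessed."""
    data = data_hex[2:].lower() if data_hex.startswith("0x") else data_hex.lower()
    selector, body = data[:8], data[8:]
    if selector not in KNOWN:
        return ("unknown", [selector])
    name, types = KNOWN[selector]
    if len(body) != 64 * len(types):
        return ("malformed", [selector])
    return (name, [decode_word(t, body[i * 64:(i + 1) * 64]) for i, t in enumerate(types)])

def verify_against_ui(tx, ui_intent):
    """Compare the raw payload with the displayed intent; refuse on any mismatch."""
    fn, args = decode_calldata(tx["data"])
    if fn in ("unknown", "malformed"):
        return False, f"refuse to blind-sign: {fn} selector {args[0]}"
    if tx["to"].lower() != ui_intent["to"].lower():
        return False, "target contract differs from UI"
    if fn != ui_intent["function"]:
        return False, f"UI shows {ui_intent['function']} but payload calls {fn}"
    ui_args = [a.lower() if isinstance(a, str) else a for a in ui_intent["args"]]
    if args != ui_args:
        return False, f"arguments differ: payload {args} vs UI {ui_args}"
    return True, "payload matches displayed intent"

# Constructed sample data: the UI shows a 100-token transfer to ALICE.
TOKEN, ALICE, MALLORY = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
HONEST_INTENT = {"to": TOKEN, "function": "transfer", "args": [ALICE, 100]}
SAMPLE_HONEST = {"to": TOKEN, "data": "0xa9059cbb" + "00" * 12 + "aa" * 20 + format(100, "064x")}
# Spoofed: same display, but the payload grants MALLORY an unlimited allowance.
SAMPLE_SPOOFED = {"to": TOKEN, "data": "0x095ea7b3" + "00" * 12 + "bb" * 20 + "ff" * 32}
```

Running `verify_against_ui(SAMPLE_SPOOFED, HONEST_INTENT)` rejects the payload even though the front end rendered it as the honest transfer.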
This is not the first time Radiant has been attacked this year. The platform suspended its lending market in January due to a $4.5 million flash loan breach.
After two exploits this year, Radiant’s total locked value has dropped significantly, from more than $300 million at the end of last year to around $5.81 million on December 9, according to DefiLlama.