Published on: December 18, 2024
Radiant Capital, a decentralized finance (DeFi) project, has confirmed that a North Korean threat actor orchestrated the $50 million heist it suffered in October.
The revelation comes after an in-depth investigation involving cybersecurity firm Mandiant, which attributed the attack to a group tracked as UNC4736, also known as AppleJeus or Citrine Sleet.
The breach occurred on Oct. 16, when attackers exploited a routine multi-signature emissions adjustment process. Malware-infected devices belonging to three developers were used to sign fraudulent transactions.
Radiant’s post-mortem report revealed that the attackers manipulated Safe{Wallet}’s transaction verification process to show legitimate transactions while siphoning funds in the background.
This led to the loss of approximately $50 million from Radiant’s core markets. The hackers further exploited open approvals to withdraw additional funds directly from user accounts.
The groundwork for the attack began in September when a Radiant developer received a Telegram message from someone impersonating a trusted former contractor. The message included a link to a zipped PDF, allegedly containing details about a smart contract auditing job opportunity.
Believing the request to be legitimate, the developer shared the file with colleagues, inadvertently infecting multiple devices with a backdoor malware known as Inletdrift. This malware allowed the attackers to remain undetected for weeks, eventually staging their heist across Arbitrum, Base, Binance Smart Chain, and Ethereum.
“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background,” Radiant said. “Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”
Mandiant’s investigation attributed the attack to UNC4736, a North Korean group linked to the Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence service.
“Although the investigation is ongoing, Mandiant assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor,” Radiant noted.
In response to the attack, Radiant has emphasized the need for heightened vigilance in the DeFi ecosystem.
DeFi projects are now urged to implement more rigorous security protocols, including multi-layered verification processes, malware detection systems, and secure communication channels to mitigate similar risks in the future.