Radiant Capital has said a $50 million hack on its decentralized finance (DeFi) platform in October was carried out through malware sent via Telegram from a North Korea-aligned hacker posing as an ex-contractor.
Radiant said in a Dec. 6 update of the ongoing investigation that its contracted cybersecurity firm Mandiant has assessed “with high-confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”
The platform said a Radiant developer received a Telegram message with a zip file from a “trusted former contractor” on Sept. 11 asking for feedback on a new endeavor they were planning.
“Upon review, this message is suspected to have originated from a DPRK-aligned threat actor impersonating the former contractor,” it said. “This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion.”
On Oct. 16, the DeFi platform was forced to halt its lending markets after a hacker gained control of several signers’ private keys and smart contracts. North Korean hacking groups have long targeted crypto platforms and have stolen $3 billion in crypto between 2017 and 2023.
Radiant said the file didn’t arouse any other suspicions because “requests to review PDFs are routine in professional settings,” and developers “frequently share documents in this format.”
The domain associated with the ZIP file also spoofed the contractor’s legitimate website.
Multiple Radiant developer devices were compromised during the attack, and front-end interfaces displayed benign transaction data while malicious transactions were signed in the background.
“Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages,” it added.
“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices,” Radiant wrote.
Radiant Capital believes the threat actor responsible is known as “UNC4736,” which is also known as “Citrine Sleet” — believed to be aligned with North Korea’s main intelligence agency, the Reconnaissance General Bureau (RGB), and speculated to be a sub-cluster of the hacking collective the Lazarus Group.
The hackers moved about $52 million of the stolen funds from the incident on Oct. 24.
“This incident demonstrates that even rigorous SOPs, hardware wallets, simulation tools like Tenderly, and careful human review can be circumvented by highly advanced threat actors,” Radiant Capital wrote in its update.
“The reliance on blind signing and front-end verifications that can be spoofed demands the development of stronger, hardware-level solutions for decoding and validating transaction payloads,” it added.
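The decode-and-validate step Radiant calls for can be illustrated in software: decode the raw transaction payload yourself and compare it with what the signer meant to approve, instead of trusting the front end's rendering. This is an added example, not Radiant's or Mandiant's code; the selectors are the standard ERC-20 and Ownable ones, and the addresses and payloads are constructed for illustration.

```python
# Added illustration (not Radiant's code): decode an EVM transaction payload
# independently and compare it with the signer's stated intent before signing,
# rather than trusting what a possibly spoofed front end displays.

# Standard 4-byte selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership", ["address"]),
}

def decode_calldata(calldata_hex):
    """Return (function_name, [args]) for a known selector, else raise."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    selector = data[:4].hex()
    if selector not in SELECTORS:
        # Unknown function: refuse to sign blind instead of guessing.
        raise ValueError(f"unknown selector 0x{selector}")
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match ABI")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # addresses are left-padded with 12 zero bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def matches_intent(calldata_hex, intent):
    """True only if the decoded call equals what the signer meant to approve."""
    name, args = decode_calldata(calldata_hex)
    return name == intent["function"] and args == intent["args"]

# Constructed sample payloads (hypothetical addresses, not from the incident).
def _addr_word(addr): return bytes(12) + bytes.fromhex(addr[2:])
def _uint_word(n): return n.to_bytes(32, "big")
TREASURY = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
INTENT = {"function": "transfer", "args": [TREASURY, 1000]}
# What the UI claims the signer is approving:
BENIGN = "0xa9059cbb" + (_addr_word(TREASURY) + _uint_word(1000)).hex()
# What a compromised device could actually submit for signature:
SPOOFED = "0xf2fde38b" + _addr_word(OTHER).hex()
```

A hardware wallet that shows the decoded function and arguments on its own screen performs the same comparison out of reach of the compromised host.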
It is not the first time Radiant has been compromised this year. The platform halted lending markets in January following a $4.5 million flash loan exploit.
After the two exploits this year, Radiant’s total value locked has dropped significantly, from over $300 million at the end of last year to around $5.81 million as of Dec. 9, according to DefiLlama.