- Radiant Capital suffered a $50M loss in a cyberattack attributed to the DPRK-linked UNC4736 group.
- Attackers used sophisticated malware and social engineering to bypass security protocols.
- The incident highlights critical vulnerabilities in DeFi security, urging the adoption of hardware-level transaction verification across the industry.
Radiant Capital has confirmed new findings surrounding the devastating $50 million cyberattack it suffered on October 16, 2024. An investigation by cybersecurity firm Mandiant identified the attackers as UNC4736, a North Korea-linked threat group connected to the nation’s Reconnaissance General Bureau (RGB).
This is another alarming rise in the sophistication of cyberattacks targeting decentralized finance (DeFi), showing the urgent need for stronger security measures in the industry.
How the Attack Unfolded
The attack was set in motion on September 11, 2024, when a Radiant developer received a seemingly normal Telegram message from someone posing as a former contractor. The message had a ZIP file, supposedly showcasing the contractor’s work in smart contract auditing. But it contained a sophisticated malware called INLETDRIFT .
This malware, disguised as a legitimate PDF file, established a macOS backdoor on the victim’s device and connected it to an external domain controlled by the attackers. Over subsequent weeks, UNC4736 deployed malicious smart contracts across Arbitrum, Binance Smart Chain, Base, and Ethereum, meticulously planning the heist.
Although Radiant followed standard security protocols, such as transaction simulations using Tenderly and payload verification, the attackers used vulnerabilities in front-end interfaces to manipulate transaction data. By the time the theft happened, the hackers had concealed their actions well, making detection nearly impossible.
Attribution and Tactics
UNC4736, also known as AppleJeus or Citrine Sleet, is a well-known threat group linked to DPRK’s TEMP.Hermit. The group focuses on cyber financial crimes, often using highly advanced social engineering techniques to infiltrate systems. Mandiant attributes this attack to the group with high confidence, because of their use of state-level tactics.
The stolen funds were moved within minutes of the theft, and all traces of malware and browser extensions used during the attack were wiped clean.
A Wake-Up Call for DeFi Security
This breach highlights the vulnerabilities in current DeFi security practices, particularly reliance on blind signing and front-end transaction verifications. Radiant Capital has called for an industry-wide shift toward hardware-level transaction verification to prevent similar incidents.
Radiant DAO is working with Mandiant, zeroShadow, Hypernative, and U.S. law enforcement to track and recover the stolen funds. Efforts continue, and the organization plans to share its findings to improve security standards for the broader crypto ecosystem.
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.