Highlights:
- Radiant Capital has identified North Korean hackers as the group behind its $50 million DeFi breach.
- Hackers used malware via Telegram to compromise Radiant developers and steal private keys and smart contracts.
- North Korean groups target crypto platforms with scams, stealing billions to fund state operations and weapons programs.
Radiant Capital has confirmed the group behind its October breach. Stolen funds from the attack amounted to $50 million. Investigators have blamed the hack on UNC4736, which is also known as Citrine Sleet.
📢JUST IN: RADIANT CAPITAL CONFIRMS $50M DEFI HACK IN OCTOBER WAS EXECUTED BY NORTH KOREA-LINKED HACKERS USING TELEGRAM MALWARE
— BSCN Headlines (@BSCNheadlines) December 9, 2024
The group is affiliated with North Korea’s Reconnaissance General Bureau, a key intelligence agency. Radiant’s cybersecurity partner, Mandiant, verified the hack. The attackers used advanced social engineering tactics to execute the breach.
Radiant disclosed that the attackers manipulated transactions and bypassed multiple layers of security. This breach highlights the risks faced by decentralized finance (DeFi) platforms globally.
How the Attack Happened
The breach started with a Telegram message to a Radiant developer on September 11. The sender, who impersonated a trusted former contractor, attached a zip file. The file seemed routine but contained sophisticated malware. The developer unknowingly spread the malware to colleagues.
The malware allowed hackers to access private keys and smart contracts. Through this access, the attackers were able to manipulate transaction data to steal funds. Radiant Capital detected the breach on October 16 and immediately suspended its lending markets. By October 24, the hackers had drained $52 million in cryptocurrencies.
The stolen funds included $16 million from BNB Chain and other funds from Arbitrum. Even with advanced tools, the attack was undetected until the breach had been completed.
The Impact on Radiant Capital and DeFi
The breach caused significant damage to the operations and reputation of the company. The platform’s total value locked (TVL) dropped from over $300 million last year to $5.76 million.

The attack exposed vulnerabilities in DeFi security protocols. Hackers bypassed hardware wallets, simulations, and other verification processes. They used poisoned signatures that appeared legitimate during authorization checks.
The involvement of North Korea gives the incident a geopolitical dimension. Since 2017, its hackers have stolen over $3 billion in cryptocurrency. The stolen funds are believed to be used to support state operations such as weapons programs.
Radiant’s Response and Insights from Cyberwarcon
U.S. law enforcement and cybersecurity firms are working with Radiant Capital to recover the stolen assets. The company has also implemented more stringent protocols to avoid future breaches. Now, developers must double-check transactions using tools such as Etherscan. The platform is exploring hardware-based solutions to improve security at the device level. These measures aim to address vulnerabilities exploited by advanced threat actors.
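As an added illustration of the "double-check every transaction before signing" control described above (example code written for this article, not Radiant Capital's own tooling; the token, treasury and attacker addresses and the amounts are constructed placeholders), the following Python decodes the calldata a signing prompt actually carries and compares it with the transaction the developer believes they are approving. The point it makes is that a poisoned payload is told apart by its 4-byte function selector and decoded arguments, not by what a compromised front-end displays; the ownership-transfer case is a generic illustration, not a statement about the specific payload used against Radiant.

```python
"""Pre-signing check: decode the calldata presented for signature and compare
it with the transaction the developer intends to approve.

Added example, not Radiant Capital's code. The selectors are the standard
Solidity 4-byte function IDs; addresses and amounts are constructed."""

# Well-known selectors (first 4 bytes of keccak256 of the function signature).
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}


def decode_calldata(calldata_hex: str) -> dict:
    """Split ABI-encoded calldata into a function name and decoded arguments."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    name, types = SELECTORS.get(selector, ("unknown:" + selector, ()))
    words = [data[i:i + 32] for i in range(4, len(data), 32)]
    args = []
    for typ, word in zip(types, words):
        if len(word) != 32:
            raise ValueError("truncated argument word")
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address sits in the low 20 bytes
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args, "extra_words": len(words) - len(types)}


def check_before_signing(intended: dict, to_address: str, calldata_hex: str) -> list:
    """Return the discrepancies between the payload and the intended call.

    An empty list means the calldata matches what the developer meant to sign;
    anything else should stop the signing flow and be escalated."""
    problems = []
    if to_address.lower() != intended["to"].lower():
        problems.append(f"target contract {to_address} != intended {intended['to']}")
    decoded = decode_calldata(calldata_hex)
    if decoded["function"] != intended["function"]:
        problems.append(f"function {decoded['function']} != intended {intended['function']}")
    elif decoded["args"] != intended["args"]:
        problems.append(f"arguments {decoded['args']} != intended {intended['args']}")
    if decoded["extra_words"]:
        problems.append(f"{decoded['extra_words']} unexpected trailing words in calldata")
    return problems


def encode_call(selector: str, *args) -> str:
    """Helper used only to construct sample calldata for the demonstration."""
    out = bytes.fromhex(selector)
    for arg in args:
        if isinstance(arg, str):  # address: left-pad to 32 bytes
            out += bytes(12) + bytes.fromhex(arg.removeprefix("0x"))
        else:                     # uint256: big-endian 32-byte word
            out += arg.to_bytes(32, "big")
    return "0x" + out.hex()


# Constructed sample values (placeholders, not real contracts or wallets).
TOKEN = "0x" + "11" * 20
TREASURY = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20

# What the developer believes the prompt asks them to sign.
INTENDED = {"to": TOKEN, "function": "transfer", "args": [TREASURY, 1_000_000]}

# A payload matching the intent, and a poisoned one hidden behind the same prompt.
HONEST = encode_call("a9059cbb", TREASURY, 1_000_000)
POISONED = encode_call("f2fde38b", ATTACKER)

if __name__ == "__main__":
    for label, payload in (("honest", HONEST), ("poisoned", POISONED)):
        print(label, check_before_signing(INTENDED, TOKEN, payload) or "OK to sign")
```

The check is deliberately independent of the wallet UI: it takes the raw bytes the hardware wallet is about to sign and the developer's stated intent as two separate inputs, so a simulation or front-end that has been tampered with cannot vouch for itself. In practice the intended call would come from the ticket or runbook that authorised the operation, and the decoded view would be reviewed by a second person before the signature is released.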
The recent Cyberwarcon report shed light on North Korea’s cyber operations. Researchers highlighted ongoing scams targeting cryptocurrency and corporate sectors. Hackers often impersonate job seekers or investors to infiltrate systems.
Sapphire Sleet and Ruby Sleet play major roles in these campaigns. Sapphire Sleet specializes in stealing cryptocurrency using fake job offers, and Ruby Sleet aims to steal sensitive information from the aerospace and defense industries.
The report states that Sapphire Sleet stole at least $10 million in cryptocurrency over six months. The report warns that the sophistication of these hacking operations is increasing. These evolving tactics can be very dangerous for both private companies and DeFi platforms globally.