Web3 Security Firms Confirm North Korea’s Role in Radiant Capital Hack

Web3 security firms have confirmed North Korea's involvement in the $50 million hack of Radiant Capital, revealing sophisticated malware tactics and significant financial losses.

Radiant Capital has confirmed that a recent $50 million hack of its decentralized finance (DeFi) platform was orchestrated by a North Korea-aligned hacking group. The breach, which occurred in October, involved sophisticated malware distributed via Telegram, leading to significant financial losses for the platform.

Key Takeaways

  • Radiant Capital suffered a $50 million hack attributed to North Korean hackers.
  • The attack was initiated through a deceptive Telegram message.
  • Malware disguised as a PDF file was used to infiltrate the system.
  • Radiant's total value locked (TVL) has plummeted by over 97% this year.

Overview Of The Attack

The hack was first detected on October 16, 2024, prompting Radiant Capital to collaborate with several cybersecurity firms, including Mandiant, zeroShadow, Hypernative, and SEAL 911. The investigation revealed that the attack had roots dating back to September 11, 2024, when a developer received a seemingly innocuous message from an individual impersonating a former contractor.

The message included a link to what was presented as a PDF file related to smart contract auditing, but which was actually a malicious file named Penpie_Hacking_Analysis_Report.zip. Upon opening, this file delivered a macOS backdoor malware known as INLETDRIFT, which communicated with an external server while masquerading as a legitimate PDF document.

Evasion Tactics

Despite Radiant Capital's stringent security measures, including transaction simulations and payload verifications, the malware managed to evade detection. The attackers cleverly manipulated front-end transaction data, leading developers to unknowingly authorize malicious transactions under the impression they were legitimate. This sophisticated planning rendered the intrusion nearly undetectable during routine security checks.

Confirmation Of North Korean Involvement

In a statement released on December 9, zeroShadow corroborated Radiant Capital's findings, attributing the hack to North Korean actors with high confidence. They noted that the movements of stolen funds were traced back to Radiant users who had failed to revoke permissions, rather than to the assets stolen in the initial incident.

Impact On Radiant Capital

Radiant Capital, a decentralized lending and borrowing protocol utilizing LayerZero technology, has seen its total value locked (TVL) drop dramatically. According to recent figures from DefiLlama, the TVL now stands at just over $6 million, a stark contrast to the over $300 million it boasted earlier this year.

This incident is not the first security breach for Radiant Capital in 2024. Earlier in January, a vulnerability in its smart contract led to a loss of $4.5 million, further highlighting the platform's ongoing security challenges despite the overall bullish trend in the cryptocurrency market.

Conclusion

The confirmation of North Korea's involvement in the Radiant Capital hack underscores the growing sophistication of cyber threats in the decentralized finance space. As platforms continue to innovate, the need for robust security measures becomes increasingly critical to protect against such high-stakes attacks.
