Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

$50 Million Radiant Capital Heist Blamed on North Korean Hackers

Radiant Capital says a North Korean threat actor stole $50 million in assets in a sophisticated October attack.

North Korea cryptocurrency heist

A North Korean threat actor was responsible for the $50 million heist that Radiant Capital fell victim to in October, the decentralized finance (DeFi) project says.

The incident occurred on October 16, after three developers got infected with malware and their devices were used to sign fraudulent transactions during a routine multi-signature emissions adjustment process.

Radiant published a post-mortem on October 18 explaining that the attackers deceived the Safe{Wallet} verification, which displayed legitimate transactions while the fraudulent ones were being performed in the background.

This led to the draining of roughly $50 million from core markets. Subsequently, the attackers exploited open approvals and withdrew funds from user accounts.

Now, Radiant reveals that the attack started in September, when a developer received a Telegram message purporting to come from a trusted former contractor and which delivered a link to a zipped PDF, requesting feedback on a new job opportunity related to smart contract auditing.

Given that requests to review PDFs are normal and that the document came from a former contractor, the developer shared the file with others for feedback, which led to multiple devices being infected with Inletdrift, a sophisticated backdoor that enabled the attackers to stage the heist.

“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages,” Radiant explains.

The hackers staged malicious smart contracts across Arbitrum, Base, Binance Smart Chain, and Ethereum, which were executed on October 16. Immediately after execution, they removed traces of the backdoor and related browser extensions.

Advertisement. Scroll to continue reading.

Mandiant, which investigated the attack, has attributed the attack to a North Korea-linked threat actor tracked as UNC4736, also known as AppleJeus or Citrine Sleet, which is aligned with Pyongyang’s primary foreign intelligence service Reconnaissance General Bureau (RGB).

“Although the investigation is ongoing, Mandiant assesses with high-confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor,” Radiant notes.

Related: North Korea Deploying Fake IT Workers in China, Russia, Other Countries

Related: In Other News: CVE Turns 25, Henry Schein Data Breach, Reward for Shahid Hemmat Hackers

Related: The Elusive Goal of Network Security

Related: Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.