Radiant Capital has revealed that North Korean threat actors were responsible for the $50 million cryptocurrency theft during a sophisticated cyberattack on October 16, 2024.

The announcement comes after an investigation supported by cybersecurity firm Mandiant, which attributed the breach to a group known as Citrine Sleet, also referred to as “UNC4736” and “AppleJeus.”

The U.S. government has previously warned that North Korean cyber groups are targeting cryptocurrency firms and exchanges to fund the regime’s operations. Radiant, a decentralized finance (DeFi) platform, became the latest victim in this growing trend of high-profile crypto heists.

Radiant’s platform enables users to manage cryptocurrency across various blockchain networks, leveraging Ethereum security via the Arbitrum Layer 2 system. Despite implementing standard best practices and robust security measures, the hackers executed a highly sophisticated attack that bypassed multiple layers of protection, including hardware wallets and verification processes.

How the Attack Happened

The breach was traced back to September 11, 2024, when a Radiant developer received a Telegram message impersonating a former contractor. The message included a malicious ZIP file containing a decoy PDF and a macOS malware payload named “InletDrift.” Once executed, the malware established a backdoor on the developer’s device.

From there, the attackers used the compromised device to exploit Radiant’s multi-signature transaction system. They collected valid signatures under the guise of transaction errors, enabling them to siphon funds from Arbitrum and Binance Smart Chain (BSC) markets. The process was so seamless that traditional simulations and manual transaction reviews failed to detect any anomalies.

Radiant described the attack as “virtually invisible” due to the hackers’ ability to manipulate front-end interfaces, displaying normal transaction data while malicious activity occurred in the background. Mandiant linked the attack to UNC4736, a group previously identified for exploiting a zero-day vulnerability in Google Chrome earlier this year.
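The failure mode described above, where the front end shows one transaction while the wallet is handed another, can be checked for at the signer, because the bytes that are signed are the bytes that execute. The following is an added illustration, not code from Radiant, Mandiant or the actual incident: a signer-side routine that decodes the raw calldata independently of the UI and refuses to sign unless it matches the displayed intent. The addresses, amounts and the two sample payloads are constructed; the function selectors are the standard ERC-20/Ownable ones.

```python
# Added example, not Radiant's or Mandiant's code. A multisig signer-side check:
# the front end claims an intent, but the bytes that get signed are what execute.
# Decode the raw calldata independently and refuse to sign on any mismatch.

# Well-known 4-byte selectors (first 4 bytes of keccak256 of the signature).
SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
}

def decode_calldata(calldata_hex: str) -> tuple[str, tuple]:
    """Return (function signature, args). Handles address and uint256 words only."""
    raw = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(raw[:4].hex())
    if sig is None:
        raise ValueError(f"unknown selector {raw[:4].hex()}")
    types = sig[sig.index("(") + 1:-1].split(",")
    words = raw[4:]
    if len(words) != 32 * len(types):
        raise ValueError("calldata length does not match the signature")
    args = []
    for i, t in enumerate(types):
        word = words[32 * i:32 * (i + 1)]
        if t == "address":
            if any(word[:12]):          # address words are zero-padded on the left
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return sig, tuple(args)

def safe_to_sign(displayed: tuple[str, tuple], calldata_hex: str) -> bool:
    """True only when what the UI displays matches what the calldata actually does;
    anything that cannot be decoded is refused as well."""
    try:
        sig, args = decode_calldata(calldata_hex)
    except ValueError:
        return False
    norm = lambda xs: tuple(a.lower() if isinstance(a, str) else a for a in xs)
    return sig == displayed[0] and norm(args) == norm(displayed[1])

# Constructed sample data (hypothetical addresses, not from the incident).
TREASURY = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
UI_SHOWS = ("transfer(address,uint256)", (TREASURY, 1000))
LEGIT_CALLDATA = "0xa9059cbb" + "00" * 12 + "11" * 20 + "%064x" % 1000
# Same UI display, but the payload handed to the wallet changes contract ownership.
HOSTILE_CALLDATA = "0xf2fde38b" + "00" * 12 + "22" * 20
```

A hardware wallet that only shows a hash cannot perform this comparison, which is why the decode has to run on a device the front end does not control.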

Collaborating to Recover Funds

Radiant is now working closely with U.S. law enforcement and blockchain recovery experts, including zeroShadow, to track and recover the stolen funds. The platform has also emphasized the need for more advanced, device-level security solutions to prevent similar attacks in the future.

The $50 million heist underscores the growing threat posed by state-sponsored cybercriminals targeting the cryptocurrency sector. As DeFi platforms continue to grow in popularity, the need for innovative security measures to counter increasingly sophisticated attacks has become more urgent than ever.