tl;dr
Radiant Capital suffered a $50 million loss in a cyberattack attributed to the DPRK-linked UNC4736 group. The attackers used custom malware and social engineering to get around the protocol's security controls.
The incident exposes weaknesses in current DeFi security practice and has prompted Radiant to call for hardware-level transaction verification across the industry.
Radiant Capital, following an investigation by cybersecurity firm Mandiant, has identified UNC4736, a North Korea-linked threat group, as the perpetrator of the attack. The attack shows the pressing need for stronger security measures in the decentralized finance (DeFi) industry.
The attackers deployed malicious smart contracts across several chains and manipulated transaction data even though Radiant followed standard security practices. UNC4736, also known as AppleJeus or Citrine Sleet, is a well-known threat group linked to DPRK's TEMP.Hermit that focuses on financially motivated intrusions.
The stolen funds were moved quickly, and all traces of the malware and browser extensions used in the attack were erased. Radiant Capital has called for a shift toward hardware-level transaction verification to strengthen DeFi security and is working with several partners to track and recover the stolen funds, with the aim of raising security standards across the crypto ecosystem.
Radiant Capital has confirmed new findings about the $50 million cyberattack it suffered on October 16, 2024. An investigation by cybersecurity firm Mandiant identified the attackers as UNC4736, a North Korea-linked threat group connected to the country's Reconnaissance General Bureau (RGB). The case is another step up in the sophistication of attacks on decentralized finance (DeFi) and shows the urgent need for stronger security measures in the industry.
HOW THE ATTACK UNFOLDED
The attack was set in motion on September 11, 2024, when a Radiant developer received a seemingly routine Telegram message from someone posing as a former contractor. The message carried a ZIP file, supposedly showcasing the contractor's smart contract auditing work, but it actually contained malware that Mandiant tracks as INLETDRIFT. Disguised as a PDF, the malware established a macOS backdoor on the developer's device and connected it to an external domain controlled by the attackers.
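One triage step that would have been worth running on an archive like the one described above is to inspect each ZIP entry's leading bytes and stored mode bits without extracting anything, and flag any "document" that is actually a Mach-O image or carries executable permissions. The script below is an added example, not Radiant's or Mandiant's tooling, and says nothing about how INLETDRIFT itself was packaged; the archive it inspects is constructed inline (a harmless PDF, a text file, and a `.pdf` whose bytes are a bare Mach-O header with `rwxr-xr-x` bits), and the extension list is an assumption you would tune to your own environment.

```python
"""Look inside a ZIP attachment before anyone opens it: flag entries whose name
says 'document' but whose bytes say 'Mach-O executable'. Added example, not
Radiant's or Mandiant's tooling; the archive it inspects is constructed here."""
import io
import zipfile
from typing import Dict, List

# First four bytes of Mach-O images (32/64-bit, both byte orders) and of
# universal (fat) binaries. 0xCAFEBABE is also the Java class-file magic, so a
# hit on it means "executable container of some kind", still worth a look.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}
# Assumed list of "should never be executable" extensions; tune to your environment.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".xls", ".xlsx", ".rtf"}


def _extension(name: str) -> str:
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def inspect_zip(blob: bytes) -> List[Dict[str, object]]:
    """Read only the first bytes and the stored mode of each entry; nothing is extracted."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _extension(info.filename)
            with zf.open(info) as fh:
                head = fh.read(8)
            mode = info.external_attr >> 16          # POSIX mode bits stored by macOS/Unix zip
            is_macho = head[:4] in MACHO_MAGICS
            reasons: List[str] = []
            if is_macho and ext in DOCUMENT_EXTENSIONS:
                reasons.append(f"Mach-O executable disguised with a {ext} extension")
            elif is_macho:
                where = " inside an .app bundle" if "/contents/macos/" in info.filename.lower() else ""
                reasons.append("Mach-O executable" + where)
            if ext == ".pdf" and not is_macho and not head.startswith(b"%PDF"):
                reasons.append(".pdf entry does not start with %PDF")
            if ext in DOCUMENT_EXTENSIONS and mode & 0o111:
                reasons.append(f"executable mode bits ({oct(mode & 0o777)}) on a document")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: two harmless files and one 'PDF' that is a Mach-O stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.pdf", b"%PDF-1.4\n% constructed sample, not a real document\n")
        zf.writestr("README.txt", b"constructed sample\n")
        stub = zipfile.ZipInfo("Audit_Report.pdf")
        stub.external_attr = 0o100755 << 16      # -rwxr-xr-x: a 'document' with exec bits
        zf.writestr(stub, b"\xcf\xfa\xed\xfe" + b"\x00" * 60)   # MH_CIGAM_64 header, no real code
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["entry"], "->", "; ".join(finding["reasons"]))
```

The check deliberately reads headers only, so a password-protected or nested archive, or an `.app` bundle whose Mach-O sits under a plausible name, still needs a second pass; treat any hit as "do not open on a workstation that holds signing keys".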
Over the following weeks, UNC4736 deployed malicious smart contracts on Arbitrum, Binance Smart Chain, Base, and Ethereum and planned the heist in detail. Although Radiant followed standard security practices, including transaction simulation with Tenderly and payload verification, the attackers exploited the front-end interfaces to manipulate transaction data, so that what the signers saw and approved did not match what was actually submitted. By the time the theft took place, the attackers had hidden their activity well enough that it went undetected until it was too late.
ATTRIBUTION AND TACTICS
UNC4736, also known as AppleJeus or Citrine Sleet, is a well-known threat group linked to DPRK's TEMP.Hermit. The group focuses on financially motivated intrusions and relies heavily on social engineering to gain an initial foothold. Mandiant attributes this attack to the group with high confidence, citing tradecraft consistent with a state-sponsored actor. The stolen funds were moved within minutes of the theft, and all traces of the malware and browser extensions used during the attack were wiped.
A WAKE-UP CALL FOR DEFI SECURITY
The breach highlights weaknesses in current DeFi security practice, in particular reliance on blind signing, where a signer approves a transaction hash without seeing its decoded contents, and on the front end to verify what is being signed. Radiant Capital has called for an industry-wide move toward hardware-level transaction verification, in which the signing device itself displays the decoded transaction for review, to prevent similar incidents. Radiant DAO is working with Mandiant, zeroShadow, Hypernative, and U.S. law enforcement to track and recover the stolen funds. Those efforts continue, and the organization plans to share its findings to raise security standards across the crypto ecosystem.
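The check that both the "how the attack unfolded" section and the call for hardware-level verification point at is the same one: decode the raw calldata the wallet is about to sign independently of the web front end, and diff it against what the UI claims. The script below is an added example, not Radiant's, Mandiant's or any wallet vendor's code. It covers only the plain ERC-20 functions transfer, approve and transferFrom, whose selectors (the first four bytes of keccak256 of the canonical signature) are hard-coded so no keccak library is needed; any other selector is reported as unknown rather than trusted. The addresses and amounts are constructed sample values, and the "tampered" calldata is built locally to stand in for what a compromised front end might hand to the wallet while displaying something benign.

```python
"""Independent calldata decoding, to compare the bytes a wallet will sign with
what the (possibly tampered) front end claims. Added example, not Radiant's or
Mandiant's code; the selectors are real ERC-20 ones, the addresses are made up."""
from typing import Any, Dict, List, Tuple

# selector -> (function name, argument names, argument types).
# A selector is the first 4 bytes of keccak256("approve(address,uint256)") etc.;
# they are fixed here so the script runs without a keccak dependency.
SELECTORS: Dict[str, Tuple[str, Tuple[str, ...], Tuple[str, ...]]] = {
    "a9059cbb": ("transfer", ("to", "amount"), ("address", "uint256")),
    "095ea7b3": ("approve", ("spender", "amount"), ("address", "uint256")),
    "23b872dd": ("transferFrom", ("from", "to", "amount"),
                 ("address", "address", "uint256")),
}
NAME_TO_SELECTOR = {v[0]: k for k, v in SELECTORS.items()}


def _hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.lower().startswith("0x") else h)


def encode_call(name: str, args: List[Any]) -> str:
    """ABI-encode a call to one of the known functions (used to build the samples)."""
    selector = NAME_TO_SELECTOR[name]
    _, _, types = SELECTORS[selector]
    if len(args) != len(types):
        raise ValueError(f"{name} takes {len(types)} arguments")
    words = []
    for typ, arg in zip(types, args):
        if typ == "address":
            raw = _hex_to_bytes(arg)
            if len(raw) != 20:
                raise ValueError("address must be 20 bytes")
            words.append(raw.rjust(32, b"\x00"))   # left-padded to a 32-byte word
        else:  # uint256
            if not 0 <= arg < 2 ** 256:
                raise ValueError("uint256 out of range")
            words.append(arg.to_bytes(32, "big"))
    return "0x" + selector + b"".join(words).hex()


def decode_calldata(calldata: str) -> Dict[str, Any]:
    """Decode selector + static arguments; unknown selectors are reported, not trusted."""
    data = _hex_to_bytes(calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": "0x" + selector, "args": {}}
    name, names, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args: Dict[str, Any] = {}
    for i, (arg_name, typ) in enumerate(zip(names, types)):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):
                # The 12 padding bytes of an address word must be zero; anything else
                # is malformed and should stop the signing flow, not be silently dropped.
                raise ValueError(f"{name}.{arg_name}: non-zero padding in address word")
            args[arg_name] = "0x" + word[12:].hex()
        else:
            args[arg_name] = int.from_bytes(word, "big")
    return {"function": name, "selector": "0x" + selector, "args": args}


def check_against_intent(calldata: str, intent: Dict[str, Any]) -> List[str]:
    """Return every way the calldata disagrees with what the UI told the signer."""
    decoded = decode_calldata(calldata)
    problems: List[str] = []
    if decoded["function"] != intent["function"]:
        shown = decoded["function"] or f"unknown selector {decoded['selector']}"
        problems.append(f"function: UI says {intent['function']}, calldata is {shown}")
        return problems
    for arg_name, want in intent["args"].items():
        got = decoded["args"].get(arg_name)
        if isinstance(want, str):
            same = got is not None and got.lower() == want.lower()
        else:
            same = got == want
        if not same:
            problems.append(f"{arg_name}: UI says {want}, calldata has {got}")
    return problems


if __name__ == "__main__":
    spender_shown = "0x" + "aa" * 20        # constructed sample address
    ui_claim = {"function": "approve", "args": {"spender": spender_shown, "amount": 1_000}}
    honest = encode_call("approve", [spender_shown, 1_000])
    # What a tampered front end could hand to the wallet while displaying ui_claim:
    # an unlimited approval to a different address.
    tampered = encode_call("approve", ["0x" + "bb" * 20, 2 ** 256 - 1])
    print(check_against_intent(honest, ui_claim))     # []
    print(check_against_intent(tampered, ui_claim))   # two mismatches
```

The value of this check comes from where it runs: it must be fed the exact bytes the hardware wallet receives and executed on a machine, or a signing device, that the front end cannot influence. Run inside the same compromised browser session it proves nothing, which is the point of Radiant's argument for verification at the hardware level.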