$50 Million Radiant Capital Hack Traced to North Korean Cybercriminals

As a seasoned analyst with over two decades of experience in cybersecurity, I have witnessed the evolution of digital threats from their infancy to the formidable force they are today. The Radiant Capital incident is yet another grim reminder that no system is impregnable and that even the most diligent actors can fall victim to advanced adversaries.

On October 16, 2024, Radiant Capital, a decentralized cross-chain lending platform built on LayerZero, was hit by a highly sophisticated attack that drained roughly $50 million from the protocol.

As a crypto investor, I’ve recently learned that the recent attack has been traced back to North Korean hacker groups. This chilling development signifies yet another concerning episode in the escalating tide of cybercrimes directed at Decentralized Finance (DeFi).

Report Links North Korean Actors to Radiant Capital Incident

A report from OneKey, a Coinbase-backed crypto hardware wallet manufacturer, attributed the attack to North Korean hackers. The report builds on a recent Medium post from Radiant Capital that gave an incident update on the October 16 attack.

According to that update, Mandiant, a well-known cybersecurity company, has connected the breach to UNC4736, a North Korea-linked threat group also tracked as AppleJeus or Citrine Sleet. The group operates under the Reconnaissance General Bureau (RGB), North Korea's main intelligence agency.

Mandiant's investigation found that the operation was carefully staged: the attackers deployed malicious smart contracts on several blockchain networks, including Arbitrum, Binance Smart Chain, Base, and Ethereum, before the theft. This preparation illustrates how capable North Korean-linked actors have become at targeting the Decentralized Finance (DeFi) industry.

The intrusion began on September 11, 2024, with a well-planned phishing attempt. A Radiant Capital developer received a Telegram message purporting to come from a trusted former contractor. The message carried a zip file named "Penpie_Hacking_Analysis_Report.zip," which actually delivered INLETDRIFT, a macOS backdoor that gave the attackers unauthorized access to Radiant's systems.

When opened, the file displayed what looked like an ordinary PDF. In the background, the malware installed itself silently and established a connection to the attacker-controlled domain atokyonews[.]com. From this foothold the attackers spread the malware to other Radiant staff, gaining broader access to sensitive systems and pushing deeper into the network.

The attack culminated in a man-in-the-middle manipulation of the signing flow. Using the compromised devices, the attackers intercepted and altered transaction requests for Radiant's Gnosis Safe multisig wallets. The transactions looked legitimate to the developers on the front end, but the payload actually sent for signing had been swapped for a transferOwnership call, which handed the attackers control of Radiant's lending pool contracts.

Execution of the Heist, Industry Implications, and Lessons Learned

Although Radiant followed established security practices, including hardware wallets, transaction simulation, and verification tooling, the attackers bypassed every one of these controls. Within minutes of taking ownership, they drained the funds from Radiant's lending pools, leaving the platform and its users in shock.

The Radiant Capital attack is a sobering reminder for the Decentralized Finance (DeFi) sector: projects with stringent security protocols are still not immune to advanced adversaries. The incident exposed several significant weaknesses:

  • Phishing Risks: The attack began with a convincing impersonation of a known contact, emphasizing the need for heightened vigilance against unsolicited file sharing, even from apparently trusted sources.
  • Blind Signing: Hardware wallets are essential, but they often display only basic transaction details (destination and value), so a signer cannot see that the calldata has been swapped. Hardware-level decoding and validation of transaction payloads are needed so signers can see exactly which function they are authorizing.
  • Front-End Security: Relying on the front-end interface to verify transactions proved inadequate. A spoofed interface on a compromised device let the attackers alter transaction data without detection.
  • Governance Weaknesses: Ownership transfers took effect immediately, with no delay or revocation window, so there was no opportunity to react. Time locks on ownership changes or delayed fund transfers would provide critical reaction time in future incidents.
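The man-in-the-middle step above and the blind-signing and front-end points in this list share one root cause: the signer trusted what a compromised UI rendered instead of what the wallet was actually asked to sign. The following Python script, added here as an illustration and not code from Radiant, Safe, or the OneKey report, shows the check a signer can run on an independent, uncompromised machine: it takes the raw payload handed to the hardware wallet, unwraps a Gnosis Safe execTransaction to recover the inner call, decodes the inner function selector and address argument, and compares the result with what the front end displayed. The contract addresses and the "displayed" transaction are constructed for the example; the function selectors are the standard ones for the named signatures.

```python
# Added example: offline decode of the payload a multisig signer is about to sign,
# catching a transferOwnership call hidden behind a benign-looking front end.
# Not Radiant's or Safe's code; addresses below are placeholders, not real contracts.
from dataclasses import dataclass
from typing import List, Optional

# 4-byte function selectors (first four bytes of keccak256 of the signature),
# hardcoded so the script runs with only the standard library.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): "transfer(address,uint256)",
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("f2fde38b"): "transferOwnership(address)",
    bytes.fromhex("3659cfe6"): "upgradeTo(address)",
}
# Calls that hand over control of a contract and must never be signed blind.
PRIVILEGED = {"transferOwnership(address)", "upgradeTo(address)"}
# Gnosis Safe execTransaction(address,uint256,bytes,uint8,uint256,uint256,
# uint256,address,address,bytes): the inner (to, value, data) is what really runs.
SAFE_EXEC = bytes.fromhex("6a761202")


@dataclass
class Call:
    to: str      # hex address
    value: int   # wei
    data: bytes  # ABI-encoded calldata


def _word(buf: bytes, i: int) -> bytes:
    return buf[32 * i: 32 * (i + 1)]


def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()


def _pad32(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 32)


def encode_call(selector: bytes, address: str, amount: Optional[int] = None) -> bytes:
    """ABI-encode f(address) or f(address,uint256), enough for the selectors above."""
    data = selector + bytes.fromhex(address[2:]).rjust(32, b"\x00")
    if amount is not None:
        data += amount.to_bytes(32, "big")
    return data


def encode_safe_exec(inner: Call) -> bytes:
    """Wrap an inner call in Safe.execTransaction (zero gas params, empty signatures)."""
    zero = (0).to_bytes(32, "big")
    head = [
        bytes.fromhex(inner.to[2:]).rjust(32, b"\x00"),  # to
        inner.value.to_bytes(32, "big"),                  # value
        None,                                             # offset of `data`, set below
        zero,                                             # operation = CALL
        zero, zero, zero,                                 # safeTxGas, baseGas, gasPrice
        zero, zero,                                       # gasToken, refundReceiver
        None,                                             # offset of `signatures`, set below
    ]
    data_tail = len(inner.data).to_bytes(32, "big") + _pad32(inner.data)
    head[2] = (32 * len(head)).to_bytes(32, "big")
    head[9] = (32 * len(head) + len(data_tail)).to_bytes(32, "big")
    return SAFE_EXEC + b"".join(head) + data_tail + zero  # trailing word: empty signatures


def unwrap_safe_exec(data: bytes) -> Optional[Call]:
    """Return the inner call of an execTransaction payload, or None if it is not one."""
    if data[:4] != SAFE_EXEC:
        return None
    args = data[4:]
    off = _uint(_word(args, 2))                 # head slot 2 holds the offset of `data`
    length = _uint(args[off: off + 32])         # dynamic bytes: length word, then content
    return Call(_addr(_word(args, 0)), _uint(_word(args, 1)), args[off + 32: off + 32 + length])


def audit(payload: Call, displayed: Call) -> List[str]:
    """Compare what the wallet will sign (payload) against what the front end showed."""
    effective = unwrap_safe_exec(payload.data) or payload
    sel = effective.data[:4]
    name = KNOWN_SELECTORS.get(sel, f"unknown selector 0x{sel.hex()}")
    findings = []
    if effective.to.lower() != displayed.to.lower():
        findings.append(f"target mismatch: UI showed {displayed.to}, payload calls {effective.to}")
    if effective.data != displayed.data:
        findings.append(f"calldata mismatch: payload is {name}")
    if name in PRIVILEGED:
        findings.append(f"PRIVILEGED: {name} -> {_addr(_word(effective.data[4:], 0))}")
    return findings


# Constructed scenario (placeholder addresses).
LENDING_POOL = "0x" + "11" * 20
TREASURY = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20

# What the compromised front end rendered: a routine 1-token transfer.
displayed = Call(LENDING_POOL, 0, encode_call(bytes.fromhex("a9059cbb"), TREASURY, 10 ** 18))
# What was actually handed to the hardware wallet: execTransaction wrapping transferOwnership.
payload = Call("0x" + "44" * 20, 0,
               encode_safe_exec(Call(LENDING_POOL, 0, encode_call(bytes.fromhex("f2fde38b"), ATTACKER))))

if __name__ == "__main__":
    for line in audit(payload, displayed):
        print(line)
```

The point of the script is where it runs, not what it prints: the decode must happen on a machine that did not render the transaction, and the bytes fed to it must be the ones the hardware wallet shows (or exports), not the ones the web UI claims to have built. A selector allowlist per Safe, with any privileged selector requiring an out-of-band confirmation, turns the same check into a policy rather than a one-off inspection.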

In response, Radiant Capital has engaged cybersecurity specialists from Mandiant, zeroShadow, and Hypernative to investigate the breach and help recover the stolen assets. The Radiant Decentralized Autonomous Organization (DAO) is also working with US law enforcement agencies to trace and freeze the stolen funds.

In its Medium article, Radiant reaffirmed its commitment to sharing what it has learned and to improving security across the Decentralized Finance (DeFi) sector. It stressed the importance of robust governance structures, stronger device-level protection, and avoiding risky practices such as blind signing.

“Looks like things could have stopped at step 1,” one user on X commented.

The latest findings in the Radiant Capital incident, together with the OneKey report, indicate that North Korean hacking tradecraft is evolving. As these operations grow more sophisticated, the industry must stay vigilant: publish incident details transparently, enforce strong security protocols, and collaborate on defenses against such threats.

2024-12-13 11:51