- Cyber Syrup
- Posts
- Radiant Capital Heist Attributed to North Korean Threat Actor: A $50,000,000 Hack
Radiant Capital Heist Attributed to North Korean Threat Actor: A $50,000,000 Hack
In October 2024, decentralized finance (DeFi) project Radiant Capital fell victim to a $50 million heist orchestrated by a North Korean threat actor
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Unlock Better Cognitive Performance: The Scientifically Proven Way to Shield Your Mind and Boost Focus
The importance of protecting brain health from the harmful effects of EMF exposure is growing in research and public knowledge. EMFs can interfere with brain function, leading to issues like cognitive fatigue, lack of focus, and long-term neurological risks. Aires Tech products have been scientifically validated through numerous EEG brain scans administered by neuroscientists, showing significant improvements in brain activity and function when using our EMF protection. With Aires Tech, you can trust their technology is proven to safeguard your brain and support optimal cognitive performance.
Radiant Capital Heist Attributed to North Korean Threat Actor: A $50,000,000 Hack
In October 2024, decentralized finance (DeFi) project Radiant Capital fell victim to a $50 million heist orchestrated by a North Korean threat actor. The sophisticated cyberattack leveraged malware to exploit the project’s multi-signature process and compromised developer systems. This article unpacks the timeline, tactics, and key takeaways from the incident, along with strategies to protect against similar attacks.
The Timeline of the Attack
The Initial Compromise
The attack began in September 2024, when a Radiant Capital developer received a seemingly legitimate Telegram message from a trusted former contractor. The message included a zipped PDF claiming to relate to a job opportunity in smart contract auditing. The developer, assuming the document was legitimate, shared it with colleagues.
Unbeknownst to the team, the file contained Inletdrift, a sophisticated backdoor malware, which subsequently infected multiple devices. This malware allowed attackers to gain unauthorized access to critical systems without detection.
The Heist
On October 16, 2024, the attackers exploited the compromised systems during a routine multi-signature emissions adjustment process. Using the infected devices, they signed fraudulent transactions while displaying benign data in the Safe{Wallet} verification interface. This deception made the malicious activity invisible during standard checks.
Key actions included:
Execution of Malicious Contracts: Fraudulent smart contracts were deployed across multiple blockchain platforms, including Arbitrum, Base, Binance Smart Chain, and Ethereum.
User Account Exploitation: Attackers drained funds from Radiant’s core markets and exploited open approvals to withdraw additional funds from user accounts.
Erasing Evidence: Immediately after the heist, traces of the backdoor and malicious browser extensions were removed to hinder forensic investigations.
Post-Attack Analysis
Radiant Capital released a post-mortem report on October 18, detailing the attackers’ tactics. The analysis revealed how the malware manipulated front-end transaction displays, masking the fraudulent activity. Despite employing traditional checks and simulations, Radiant's tools failed to identify the malicious transactions in real time.
Attribution to North Korean Threat Actor
UNC4736: A Sophisticated Adversary
The attack has been attributed to UNC4736, a North Korea-linked threat group also known as AppleJeus or Citrine Sleet. This group operates under Pyongyang's Reconnaissance General Bureau (RGB) and is known for targeting cryptocurrency platforms to fund North Korea’s geopolitical objectives.
Mandiant’s Findings
Cybersecurity firm Mandiant, which assisted in the investigation, assessed with high confidence that the attack was orchestrated by a Democratic People’s Republic of Korea (DPRK)-aligned actor. The group used advanced tactics, including the deployment of tailored backdoors and manipulation of blockchain platforms, highlighting their technical sophistication.
Who Is at Risk?
DeFi Projects: As decentralized platforms grow in popularity, they become attractive targets for state-sponsored and cybercriminal groups.
Developers and Contractors: Individuals with access to sensitive systems are vulnerable to spear-phishing campaigns and malware attacks.
Blockchain Users: Open approvals on wallets and smart contracts expose individual users to fund theft.
How to Protect Yourself
For Organizations
Multi-Layered Security: Implement robust endpoint detection and response (EDR) solutions to detect malware like Inletdrift.
Secure Communication Channels: Restrict file sharing to verified platforms and discourage the use of untrusted messaging apps for work communications.
Regular Security Training: Educate employees and contractors about phishing risks and how to identify suspicious activity.
For Developers
Verify All Files: Use sandbox environments to test files before opening them on devices with access to critical systems.
Limit Permissions: Restrict wallet and contract access to essential personnel, and ensure role-based access control (RBAC) is enforced.
Monitor for Anomalies: Regularly review logs and transactions to identify unauthorized activities.
For Users
Revoke Open Approvals: Periodically check and revoke unnecessary approvals in cryptocurrency wallets.
Use Non-Custodial Wallets: Store private keys in hardware wallets to minimize exposure to online threats.
Lessons Learned
The Radiant Capital heist underscores the evolving sophistication of cyber threats in the DeFi space. State-sponsored groups like UNC4736 are not only targeting platforms but also leveraging advanced social engineering and malware to infiltrate systems.
Key Takeaways
Human Error is a Critical Weakness: The attack began with a single phishing message, emphasizing the need for vigilance at every level of an organization.
Malware Can Exploit Multi-Signature Systems: Even secure transaction mechanisms can be compromised if underlying devices are infected.
Collaboration is Crucial: Partnerships with cybersecurity firms like Mandiant can aid in identifying attackers and mitigating future risks.
Conclusion
Radiant Capital's experience serves as a cautionary tale for the DeFi community, highlighting the importance of proactive cybersecurity measures. By fostering a culture of awareness, implementing advanced security tools, and learning from incidents, organizations can better safeguard their platforms against evolving threats.