Is this where the money comes from to North Korea?
Binance News
--
Radiant Capital Suffers $50 Million Hack Through North Korean Malware
According to Cointelegraph, Radiant Capital has revealed that a $50 million breach on its decentralized finance (DeFi) platform in October was executed via malware sent through Telegram by a hacker linked to North Korea, masquerading as a former contractor. In a December 6 update, Radiant disclosed that its cybersecurity partner, Mandiant, has confidently attributed the attack to a threat actor associated with the Democratic People’s Republic of Korea (DPRK).
The incident began on September 11 when a Radiant developer received a Telegram message containing a zip file from a supposed trusted ex-contractor, requesting feedback on a new project. Radiant suspects this message originated from a DPRK-aligned threat actor impersonating the contractor. The zip file, once shared among developers for feedback, delivered malware that enabled the subsequent breach. On October 16, the platform had to suspend its lending markets after the hacker gained control over several private keys and smart contracts. North Korean hacking groups have historically targeted cryptocurrency platforms, amassing $3 billion in crypto thefts between 2017 and 2023.
Radiant explained that the file did not raise suspicions as requests to review PDFs are common in professional environments, and developers often share documents in this format. The domain linked to the zip file also mimicked the contractor’s legitimate website. During the attack, multiple developer devices were compromised, and front-end interfaces displayed benign transaction data while malicious transactions were executed in the background. Traditional checks and simulations revealed no discrepancies, rendering the threat nearly invisible during standard review processes.
Radiant Capital identified the threat actor as “UNC4736,” also known as “Citrine Sleet,” believed to be aligned with North Korea’s Reconnaissance General Bureau (RGB) and possibly a sub-cluster of the Lazarus Group. The hackers moved approximately $52 million of the stolen funds on October 24. Radiant emphasized that the incident highlights the need for stronger, hardware-level solutions for decoding and validating transaction payloads, as even rigorous standard operating procedures, hardware wallets, and simulation tools can be bypassed by sophisticated threat actors.
This is not the first security breach Radiant has faced this year. The platform previously halted lending markets in January following a $4.5 million flash loan exploit. As a result of these incidents, Radiant’s total value locked has significantly decreased, from over $300 million at the end of last year to around $5.81 million as of December 9, according to DefiLlama.