Radiant Capital Incident: $50M Cyber Heist Linked to North Korean Threat Actors
A new report from Radiant Capital provides a detailed analysis of the sophisticated cyberattack that led to the theft of approximately $50 million USD on October 16, 2024. The findings, supported by an ongoing investigation conducted by cybersecurity firm Mandiant, reveal a complex attack chain that exploited a vulnerability in industry-standard transaction verification procedures.
The attack commenced on September 11, 2024, with a targeted social engineering campaign. A Radiant developer received a seemingly legitimate Telegram message from a known former contractor, requesting feedback on a PDF document purportedly related to a new career opportunity.
As stated in the report, “Requests to review PDFs are routine in professional settings. Given the normalcy of these interactions, and that it came from a former contractor, the file aroused no initial suspicion and was shared with other developers for feedback.”
However, this message, attributed to a suspected DPRK-aligned threat actor, contained a sophisticated malware payload (INLETDRIFT) concealed within a zipped file named “Penpie_Hacking_Analysis_Report.zip”. This malware established a persistent backdoor on macOS devices while simultaneously displaying a benign PDF document, effectively deceiving the developers.
Critically, the attack successfully circumvented Radiant’s established security protocols. “This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices,” the report reveals.
The attackers employed advanced techniques to manipulate front-end interfaces, displaying innocuous transaction data while malicious transactions were being signed in the background. This tactic rendered traditional security checks and simulations ineffective, allowing the threat to remain undetected.
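One defensive check that addresses the front-end manipulation described above: decode the raw calldata that is actually submitted to the signer and compare it, field by field, against the action the operator believes they are approving, instead of trusting what the rendered interface shows. This is an added example and not code from Radiant Capital, Mandiant or the report; the `Intent` structure, the function names, the restriction to static ABI types (address, uint, bool) and every address and amount below are constructed assumptions. The block carries its own pure-Python Keccak-256 so that function selectors are computed independently on the checking side rather than copied from the UI.

```python
"""Independent calldata check before signing (added example, not Radiant's code).

The UI may render one transaction while a different one is handed to the
signer. This module decodes the bytes the signer actually receives and diffs
them against an Intent the operator wrote down out-of-band.
"""
from dataclasses import dataclass

MASK64 = (1 << 64) - 1
# Keccak-f[1600] round constants and rotation offsets (standard values).
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f(a):
    for rc in RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    """Ethereum-style Keccak-256: rate 136 bytes, pad10*1 with 0x01 (SHA3 uses 0x06)."""
    rate = 136
    padded = bytearray(data) + bytearray(rate - len(data) % rate)
    padded[len(data)] ^= 0x01
    padded[-1] ^= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):  # lane i = x + 5*y, little-endian
            a[i % 5][i // 5] ^= int.from_bytes(padded[off + 8 * i: off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    """First 4 bytes of keccak256 of the canonical signature, computed locally."""
    return keccak256(signature.encode())[:4]


@dataclass
class Intent:
    """What the operator believes they are signing, recorded outside the web UI (assumed format)."""
    to: str         # contract address the call should go to
    signature: str  # e.g. "transfer(address,uint256)"
    args: tuple     # argument values, in order


def encode_static_call(signature: str, args: tuple) -> bytes:
    """ABI-encode a call whose parameters are all static 32-byte words."""
    body = b""
    for a in args:
        if isinstance(a, str) and a.startswith("0x"):
            body += bytes.fromhex(a[2:]).rjust(32, b"\0")
        elif isinstance(a, bool):  # before int: bool is an int subclass
            body += int(a).to_bytes(32, "big")
        else:
            body += int(a).to_bytes(32, "big")
    return selector(signature) + body


def decode_static_args(signature: str, body: bytes) -> tuple:
    """Decode the argument words for a static-only signature; raise on malformed input."""
    params = signature[signature.index("(") + 1:-1]
    types = params.split(",") if params else []
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match signature")
    out = []
    for i, t in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if t == "address":
            if any(word[:12]):
                raise ValueError(f"arg{i}: address word has non-zero high bytes")
            out.append("0x" + word[12:].hex())
        elif t.startswith("uint"):
            out.append(int.from_bytes(word, "big"))
        elif t == "bool":
            out.append(word[-1] == 1)
        else:
            raise ValueError(f"unsupported type {t}")
    return tuple(out)


def check_before_signing(tx_to: str, calldata: bytes, intent: Intent) -> list:
    """Return discrepancies between the signing request and the intent; [] means sign."""
    problems = []
    if tx_to.lower() != intent.to.lower():
        problems.append(f"target {tx_to} != intended {intent.to}")
    want_sel = selector(intent.signature)
    if calldata[:4] != want_sel:
        problems.append(f"selector {calldata[:4].hex()} != {want_sel.hex()} ({intent.signature})")
        return problems  # arguments cannot be decoded against the wrong signature
    try:
        got = decode_static_args(intent.signature, calldata[4:])
    except ValueError as e:
        return problems + [str(e)]
    for i, (g, w) in enumerate(zip(got, intent.args)):
        if str(g).lower() != str(w).lower():
            problems.append(f"arg{i}: {g} != intended {w}")
    return problems


# Constructed sample data (not from the incident): a token transfer to a treasury.
TOKEN, TREASURY, OTHER = "0x" + "33" * 20, "0x" + "11" * 20, "0x" + "22" * 20
INTENT = Intent(to=TOKEN, signature="transfer(address,uint256)", args=(TREASURY, 1000))
DISPLAYED = encode_static_call("transfer(address,uint256)", (TREASURY, 1000))  # what the UI rendered
PRESENTED = encode_static_call("transfer(address,uint256)", (OTHER, 1000))     # what reached the signer

if __name__ == "__main__":
    print("displayed:", check_before_signing(TOKEN, DISPLAYED, INTENT) or "matches intent")
    print("presented:", check_before_signing(TOKEN, PRESENTED, INTENT) or "matches intent")
```

The check must run on a host or device the web front end cannot influence, for example the machine that holds the key or a hardware signer with clear-signing, otherwise a compromised UI can simply feed it the displayed bytes. A transaction simulation such as Tenderly answers "what would these bytes do"; this check answers the prior question "are these the bytes I meant to send".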
Mandiant’s investigation attributes this attack to UNC4736, a threat actor with established links to the Democratic People’s Republic of Korea (DPRK). The attackers demonstrated a high level of sophistication and premeditation, meticulously staging malicious smart contracts across multiple blockchains in the weeks preceding the attack.
Radiant Capital is actively cooperating with law enforcement agencies and cybersecurity experts to recover the stolen assets and is committed to disseminating the lessons learned from this attack to improve security standards across the industry.