Radiant Capital Shares Update After Sophisticated Cyberattack Leading to $50M in Losses

Radiant Capital has shared an important update on the October 16, 2024 incident in which it was targeted by a “highly sophisticated” cyberattack that resulted in a loss valued at “approximately $50M USD.”

On October 17, 2024, Radiant released a post-mortem of the attack and thereafter retained Mandiant, a cybersecurity firm, to assist in the investigation, “particularly with on-device forensics.”

In parallel, the Radiant Capital DAO engaged zeroShadow and Hypernative for “on-chain asset tracking and enlisted SEAL 911 for additional support.”

This update provides additional findings from Mandiant’s ongoing investigation, detailing the attacker’s “advanced tactics and underscoring the urgent need for industry-wide improvements in transaction verification practices.”

On September 11, 2024, a Radiant developer “received a Telegram message from what appeared to be a trusted former contractor.”

The message said that the contractor was “pursuing a new career opportunity related to smart contract auditing.”

It included a link to a zipped PDF regarding the “contractor’s new alleged endeavor and sought feedback about their work.”

Requests to review PDFs are routine in professional settings — lawyers, smart contract auditors, and partners “frequently share documents in this format.”

Given the normalcy of these interactions, and that it came from a former contractor, the file “aroused no initial suspicion and was shared with other developers for feedback.”

In addition, the domain associated with the ZIP file “convincingly spoofed the contractor’s legitimate website, further reducing suspicion.”

Upon review, this message is “suspected to have originated from a DPRK-aligned threat actor impersonating the former contractor.”

This ZIP file, when shared for feedback “among other developers, ultimately delivered malware that facilitated the subsequent intrusion.”

Within the ZIP file, the attackers delivered “a sophisticated piece of malware — INLETDRIFT — contained within Penpie_Hacking_Analysis_Report.zip. It established a persistent macOS backdoor while displaying a legitimate-looking PDF to the user. It employed a malicious AppleScript to communicate with the domain atokyonews[.]com.”

This deception was carried out so seamlessly “that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices.”

The front-end interfaces displayed benign transaction data “while malicious transactions were signed in the background.”

Traditional checks and simulations showed “no obvious discrepancies, making the threat virtually invisible during normal review stages.”

In the weeks before the heist, the attackers meticulously “staged malicious smart contracts across Arbitrum, Binance Smart Chain, Base, and Ethereum, as detailed in the earlier post-mortem.”

Three minutes after executing the theft “on October 16, 2024, they quickly removed traces of their second-stage backdoor and related browser extensions.”

Mandiant attributes this attack “to UNC4736, commonly referred to as AppleJeus or Citrine Sleet.”

Mandiant assesses with high confidence “that UNC4736 has a Democratic People’s Republic of Korea (DPRK) nexus.”

Specifically, this group is aligned “with DPRK’s Reconnaissance General Bureau (RGB) and has close ties with TEMP.Hermit.”

Although the investigation is ongoing, Mandiant assesses “with high-confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”

This incident demonstrates that even “rigorous SOPs, hardware wallets, simulation tools like Tenderly, and careful human review can be circumvented by highly advanced threat actors.”

The reliance on blind signing and front-end verifications “that can be spoofed demands the development of stronger, hardware-level solutions for decoding and validating transaction payloads.”

As the DeFi industry grows, it must evolve “beyond superficial checks and towards robust, device-level transparency to protect against increasingly sophisticated attacks.”
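The failure mode described above is a front-end that shows one action while the bytes handed to the signer encode another, so that a review based on the display alone finds nothing wrong. The following is an added example, not code from Radiant, Mandiant or the article: it decodes raw EVM calldata independently of any UI and reports every difference between the decoded call and the action the display claims. It recognises only three standard functions (ERC-20 `transfer` and `approve`, and `transferOwnership`), whose 4-byte selectors are hardcoded from the standard ABI rather than computed, so there is no Keccak dependency; all addresses and amounts in the sample scenario are constructed placeholders.

```python
"""Added example (not Radiant's or Mandiant's code): decode raw EVM calldata
independently of any front-end and compare it with the action the UI claims
to be requesting. Sample addresses and amounts are constructed."""

from dataclasses import dataclass

# Standard 4-byte selectors (first four bytes of keccak256 of the signature).
# Hardcoded rather than computed so the example has no Keccak dependency.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}
SELECTOR_BY_NAME = {name: sel for sel, (name, _) in KNOWN_SELECTORS.items()}
UINT256_MAX = 2**256 - 1


@dataclass(frozen=True)
class DecodedCall:
    function: str
    args: tuple


def encode_call(name: str, *args) -> str:
    """ABI-encode a call to one of the known functions (used to build samples)."""
    _, types = KNOWN_SELECTORS[SELECTOR_BY_NAME[name]]
    if len(args) != len(types):
        raise ValueError("argument count mismatch")
    out = bytes.fromhex(SELECTOR_BY_NAME[name])
    for t, a in zip(types, args):
        if t == "address":
            # addresses occupy the low 20 bytes of a 32-byte word
            out += bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\x00")
        else:  # uint256, big-endian
            out += int(a).to_bytes(32, "big")
    return "0x" + out.hex()


def decode_calldata(calldata_hex: str) -> DecodedCall:
    """Decode calldata for a known selector; refuse anything it cannot fully parse."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}: refuse to sign blind")
    name, types = KNOWN_SELECTORS[selector]
    if len(data) != 4 + 32 * len(types):
        raise ValueError(f"calldata length does not match the ABI of {name}")
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if t == "address":
            if any(word[:12]):
                raise ValueError(f"argument {i}: non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(name, tuple(args))


def check_against_display(displayed: DecodedCall, calldata_hex: str) -> list:
    """Return every way the raw payload differs from what the front-end shows.
    An empty list means the bytes match the displayed intent."""
    actual = decode_calldata(calldata_hex)
    problems = []
    if actual.function != displayed.function:
        problems.append(
            f"function: display says {displayed.function}, payload calls {actual.function}")
    for i, (shown, real) in enumerate(zip(displayed.args, actual.args)):
        if shown != real:
            problems.append(f"argument {i}: display says {shown}, payload has {real}")
    if len(actual.args) != len(displayed.args):
        problems.append("argument count differs")
    if actual.function == "approve" and actual.args[1] == UINT256_MAX:
        problems.append("approve grants an unlimited allowance")
    if actual.function == "transferOwnership":
        problems.append("payload transfers contract ownership; confirm out of band")
    return problems


def demo() -> list:
    """Constructed scenario: the UI shows a routine token transfer while the
    bytes handed to the signer are an unlimited approve to another address."""
    shown_recipient = "0x" + "11" * 20   # constructed placeholder
    other_address = "0x" + "22" * 20     # constructed placeholder
    displayed = DecodedCall("transfer", (shown_recipient, 1_000 * 10**6))
    payload = encode_call("approve", other_address, UINT256_MAX)
    return check_against_display(displayed, payload)


if __name__ == "__main__":
    for line in demo():
        print("MISMATCH:", line)
```

The design choice that matters is where the check runs: it has to read the bytes the signing device actually receives, on a channel the front-end cannot rewrite, which is why the article argues for decoding at the hardware level rather than in the browser. Any selector the decoder does not know is treated as a refusal, not as a pass.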

In addition to working with Mandiant, the Radiant DAO continues close collaboration with U.S. law enforcement and zeroShadow to “freeze stolen assets.”

Radiant remains available 24/7 to “assist the respective agencies working to recover the stolen funds, and is committed to sharing lessons learned to help the entire industry improve security standards.”
