Radiant Capital: October attack was caused by malware sent by North Korean hackers disguised as former contractors

PANews December 9th news, according to Cointelegraph, Radiant Capital said that the $50 million hacking attack on its DeFi platform in October was carried out by a hacker associated with North Korea, who disguised himself as a former contractor and sent malware through Telegram. The platform said that on September 11, a Radiant developer received a message containing a zip file from a "trusted former contractor" via Telegram, asking for their feedback on a new plan. After review, the message was suspected to be from a threat actor associated with North Korea disguised as a former contractor. When the zip file was shared among developers for feedback, it eventually released malware, prompting subsequent intrusions. On October 16, the DeFi platform had to stop its lending market after a hacker controlled the private keys and smart contracts of multiple signers. Radiant said the file did not arouse other suspicions because "it is common to request a review of PDF in a professional environment" and developers "often share documents in this format." The domain name associated with the zip file also disguised the contractor's legitimate website. During the attack, multiple Radiant developer devices were compromised, with the front-end interface displaying benign transaction data while malicious transactions were signed in the background.

“Traditional inspection and simulation revealed no significant discrepancies, making the threat virtually invisible during normal review,” Radiant Capital said. “The deception operation was so seamless that even though Radiant followed standard best practices such as simulating transactions in Tenderly, validating payload data, and following industry-standard standard operating procedures (SOPs), the attackers were still able to compromise multiple developer devices.” Radiant Capital believes the hackers behind this attack are known as “UNC4736,” also known as “Citrine Sleet” — believed to be associated with the Reconnaissance General Bureau (RGB), North Korea’s main intelligence agency, and are speculated to be a subcluster of the hacker organization Lazarus Group.