Hackers from the Democratic People’s Republic of Korea (DPRK), commonly known as North Korea, are responsible for the recent Radiant Capital hack, according to the cybersecurity firm that investigated the breach.
In mid-October, decentralized finance (DeFi) protocol Radiant Capital lost about $50 million to what the team described as “one of the most sophisticated hacks ever recorded in DeFi.”
Now, in a more recent update, Radiant Capital’s contracted cybersecurity firm Mandiant “assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”

Recounting the events, the post explains that a developer was contacted in early September by what appeared to be a “trusted former contractor” but was in fact a DPRK actor in disguise. The impersonator shared a ZIP file under the pretext of asking for feedback on a new project they were working on.
“This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,” reads the reconstruction of the events. The malware in question was reportedly sophisticated. It established a permanent macOS backdoor while still displaying a legitimate PDF to the user to avoid detection.
The payload was a malicious AppleScript that caused the system to communicate with an innocent-sounding domain name, the team said. The attackers were also able to use the malware to defeat the transaction-simulation safeguards Radiant ran through web3 infrastructure provider Tenderly.
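The delivery described above (a ZIP archive that opens a decoy PDF while a script installs a backdoor) is something a recipient can triage before anything is opened. The following is an added example, not code from Radiant Capital, Mandiant or the article, and the archive it inspects is constructed in memory for illustration: it flags members with script or installer extensions, executables inside an `.app` bundle, and files whose extension claims a document while the content signature says otherwise. The magic numbers are the standard ones for compiled AppleScript (`FasdUAS`), Mach-O binaries and PDF.

```python
import io
import zipfile

# Content signatures the check recognises: "FasdUAS" opens compiled AppleScript
# (.scpt) files, the two 4-byte values are Mach-O thin/universal binaries.
MAGIC = {
    b"FasdUAS": "compiled AppleScript",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit binary",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
    b"%PDF": "PDF document",
}
NATIVE_KINDS = {"compiled AppleScript", "Mach-O 64-bit binary", "Mach-O universal binary"}

# Extensions that have no place in an archive that is supposed to hold a document for review.
SCRIPT_EXTENSIONS = (".scpt", ".applescript", ".sh", ".command", ".pkg", ".dmg")
DOCUMENT_EXTENSIONS = (".pdf",)


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' when no signature matches."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def triage_zip(archive: bytes) -> list:
    """Return (member name, reason) pairs for every member worth a second look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                kind = sniff(fh.read(16))
            if "/contents/macos/" in lower:
                findings.append((name, f"executable inside an application bundle ({kind})"))
            elif lower.endswith(SCRIPT_EXTENSIONS):
                findings.append((name, f"script or installer extension ({kind})"))
            elif lower.endswith(DOCUMENT_EXTENSIONS) and kind != "PDF document":
                findings.append((name, f"document extension but content is {kind}"))
            elif kind in NATIVE_KINDS:
                findings.append((name, f"{kind} hiding behind a neutral file name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF next to a compiled AppleScript and a bundled binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NewProject/Overview.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        zf.writestr("NewProject/Overview.pdf.scpt", b"FasdUAS 1.101.10\x00constructed")
        zf.writestr("NewProject/Launcher.app/Contents/MacOS/Launcher",
                    b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
        zf.writestr("NewProject/README.txt", b"Please review and send feedback.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample_archive()):
        print(f"{member}: {reason}")
```

Run against a real archive, the same function takes the file's bytes; the point of reading only the first 16 bytes of each member is that nothing is extracted to disk or opened before the decision is made.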
“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers also compromised multiple developer devices,” the post explains.
Describing how the compromised devices subverted the review process, the post explains that “the front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”
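The failure the post describes is that the signer trusted the front-end's rendering of the transaction rather than the bytes actually being signed. The check below is an added example, not code from Radiant Capital, Tenderly or the article: it decodes the calldata of the transaction a wallet is about to sign on an independent, offline path and compares it with the operator's stated intent (token, function, counterparty, amount). The token and account addresses are constructed placeholders; the function selectors are the standard ERC-20 ones. The sample pairs a benign transfer with a swapped-in unlimited `approve` to an unrelated address, which is the kind of discrepancy a UI-only review cannot surface.

```python
# Standard ERC-20 selectors: first four bytes of keccak256 of the function signature.
SELECTORS = {
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
    bytes.fromhex("23b872dd"): ("transferFrom", ("address", "address", "uint256")),
}
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses (not real contracts or accounts).
TOKEN = "0x" + "aa" * 20
TREASURY = "0x" + "bb" * 20
UNRELATED = "0x" + "cc" * 20


def decode_calldata(data: bytes) -> dict:
    """Decode ABI calldata for the known selectors without trusting any UI layer."""
    selector, body = data[:4], data[4:]
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": selector.hex(), "args": []}
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError(f"calldata length does not match the ABI of {name}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # the upper 12 bytes of an address word must be zero
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector.hex(), "args": args}


def verify_against_intent(tx: dict, intent: dict) -> list:
    """Return discrepancies between the bytes to be signed and the stated intent."""
    problems = []
    if tx["to"].lower() != intent["token"].lower():
        problems.append(f"target {tx['to']} is not the expected token {intent['token']}")
    decoded = decode_calldata(bytes.fromhex(tx["data"][2:]))
    if decoded["function"] != intent["function"]:
        problems.append(f"calldata calls {decoded['function']}, intent was {intent['function']}")
    if decoded["function"] in ("transfer", "approve"):
        counterparty, amount = decoded["args"]
        if counterparty.lower() != intent["counterparty"].lower():
            problems.append(f"counterparty {counterparty} is not {intent['counterparty']}")
        if amount != intent["amount"]:
            problems.append(f"amount {amount} is not {intent['amount']}")
        if decoded["function"] == "approve" and amount == MAX_UINT256:
            problems.append("unlimited approval requested")
    return problems


def encode_two_arg_call(selector_hex: str, address: str, amount: int) -> str:
    """ABI-encode selector(address, uint256) as 0x-prefixed hex (helper for the sample)."""
    return "0x" + selector_hex + address[2:].lower().rjust(64, "0") + amount.to_bytes(32, "big").hex()


def sample_case() -> tuple:
    """Constructed intent plus the transaction the UI showed and the one actually queued."""
    intent = {"token": TOKEN, "function": "transfer", "counterparty": TREASURY,
              "amount": 100 * 10**6}  # 100 units of a 6-decimal token
    shown = {"to": TOKEN, "data": encode_two_arg_call("a9059cbb", TREASURY, intent["amount"])}
    queued = {"to": TOKEN, "data": encode_two_arg_call("095ea7b3", UNRELATED, MAX_UINT256)}
    return intent, shown, queued


if __name__ == "__main__":
    intent, shown, queued = sample_case()
    print("shown   :", verify_against_intent(shown, intent) or "consistent")
    print("queued  :", verify_against_intent(queued, intent))
```

The decoder deliberately covers only the selectors it knows; anything else comes back as `unknown`, which the intent comparison treats as a mismatch rather than silently passing. In practice the intent record would come from the change ticket or the operator's own notes, never from the same front end that produced the transaction.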

Vice-president of investigations at blockchain forensics firm AMLBot Anmol Jain told Decrypt that "DPRK-linked cyberattacks have grown increasingly frequent and sophisticated in recent years."
He attributed this trend to the country's "limited access to the global economy due to international sanctions," motivating the nation to turn to cybercrime to generate revenue and obtain intelligence.
Jeremiah O’Connor, CTO and co-founder at crypto cybersecurity firm Trugard, also told Decrypt that "targeting DeFi platforms is a common tactic of nation-state actors, especially North Korean groups such as Lazarus Group." He highlighted that it is concerning since "nation-state actors introduce highly sophisticated threats to the blockchain ecosystem."
Edited by Stacy Elliott.
Editor's note: Adds comments from O'Connor and Jain