Hackers from the Democratic People’s Republic of Korea (DPRK)—commonly known as North Korea—are responsible for the recent Radiant Capital hack, the firm claims.

In mid-October, decentralized finance (DeFi) protocol Radiant Capital lost about $50 million to what the team described as “one of the most sophisticated hacks ever recorded in DeFi.”

Now, in a more recent update, Radiant Capital’s contracted cybersecurity firm Mandiant “assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”

Recounting the events, the post explains that a developer was contacted in early September by someone posing as a “trusted former contractor”; that contact was in fact a DPRK actor in disguise. The impersonator shared a zip file under the guise of asking for feedback on a new project they were working on.

“This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,” reads the reconstruction of the events. The malware in question was reportedly sophisticated. It established a permanent macOS backdoor while still displaying a legitimate PDF to the user to avoid detection.

The payload was a malicious AppleScript that led the system to communicate with an innocent-sounding domain name, the team said. The hackers were also able to leverage the malware to bypass the security measures put in place by web3 infrastructure provider Tenderly.
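The article does not say how the backdoor achieved persistence. As an added illustration of what a defender would look for on a developer's Mac (not code from the article, Radiant or Mandiant), the following script audits LaunchAgent plists for the pattern a persistent AppleScript runner would leave: an interpreter such as osascript as the program, a script hidden in a cache or temp path, and RunAtLoad/KeepAlive so it restarts. The sample plists are constructed for the example.

```python
import plistlib
from typing import List

# Constructed sample LaunchAgent plists (not taken from the incident). The
# first mimics a persistent AppleScript runner; the second is a benign updater.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/dev/Library/Caches/.sync.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.vendor.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Vendor.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Interpreters that legitimate LaunchAgents rarely use as their main program.
SCRIPT_RUNNERS = {"osascript", "sh", "bash", "zsh", "curl", "python3"}
# Locations where a dropped script is likely to hide.
HIDDEN_DIRS = ("/Library/Caches/", "/tmp/", "/private/tmp/", "/var/tmp/")


def audit_launch_agent(raw: bytes) -> List[str]:
    """Return the reasons a LaunchAgent plist looks like script-based persistence."""
    plist = plistlib.loads(raw)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    reasons = []
    runner = args[0].rsplit("/", 1)[-1] if args else ""
    if runner in SCRIPT_RUNNERS:
        reasons.append(f"interpreter as program: {runner}")
    for a in args[1:]:
        if any(d in a for d in HIDDEN_DIRS) or "/." in a:
            reasons.append(f"script in cache/tmp or hidden path: {a}")
    if reasons and plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive: agent restarts automatically")
    return reasons
```

On a real host the same function can be run over every file under ~/Library/LaunchAgents and /Library/LaunchAgents; an empty list means no finding.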

“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers also compromised multiple developer devices,” the post explains.

Explaining how the Tenderly checks behaved on the compromised devices, the post states that “the front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”

Anmol Jain, vice-president of investigations at blockchain forensics firm AMLBot, told Decrypt that "DPRK-linked cyberattacks have grown increasingly frequent and sophisticated in recent years."

He attributed this trend to the country's "limited access to the global economy due to international sanctions," motivating the nation to turn to cybercrime to generate revenue and obtain intelligence.

Jeremiah O’Connor, CTO and co-founder at crypto cybersecurity firm Trugard, also told Decrypt that "targeting DeFi platforms is a common tactic of nation-state actors, especially North Korean groups such as Lazarus Group." He highlighted that it is concerning since "nation-state actors introduce highly sophisticated threats to the blockchain ecosystem."

Edited by Stacy Elliott.

Editor's note: Adds comments from O'Connor and Jain