Unraveling the $50 Million Hack: Lessons from Radiant Capital’s Security Breach

In a striking revelation, Radiant Capital recently identified the perpetrators behind its October hack, which resulted in a staggering $50 million loss. Analysts affiliated with the platform have linked the attack to a hacking group associated with North Korea, a finding that underscores the extensive threat posed by state-sponsored cybercrime in today’s digital landscape. The malicious actors executed a sophisticated ploy, utilizing malware that was disseminated through the popular messaging platform Telegram. The breach, initially uncovered on October 16, 2024, marks yet another troubling chapter in the world of decentralized finance (DeFi).

The incident traces back to September 11, 2024, when a Radiant developer received a seemingly benign message from an individual masquerading as a former contractor. This impersonation tactic is particularly alarming because it shows how vulnerable human operators are to social engineering, a factor that can lead to significant breaches.

The crafted message included a request for feedback on a faux career-related PDF purportedly associated with smart contract auditing. This elaborate deception involved a cleverly spoofed URL, designed to mimic a legitimate website, further lowering the guard of the unsuspecting developer. After opening an attachment dubbed Penpie_Hacking_Analysis_Report.zip, the developer inadvertently activated a macOS backdoor known as INLETDRIFT. The malware established a communication channel with an external server while tricking the user into believing they were viewing an innocuous document.

Despite Radiant’s stringent security measures, which encompassed transaction simulations and payload verifications, the malware’s ability to manipulate front-end transaction data rendered it invisible during routine security checks. Consequently, developers unwittingly authorized malicious transactions, leading to significant unauthorized asset transfers.
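The blind spot described above, as an added illustration that is not Radiant's code or tooling: a check that runs on the compromised workstation only sees what the front end displays, while a check on a separate machine compares the approved proposal against the digest of the bytes actually presented for signing. The field names, the SHA-256 stand-in digest, the assumption that the signing device reports a digest, and all sample values are constructed for this example.

```python
import hashlib
import json

def tx_digest(tx):
    """Digest over canonical fields. SHA-256 over sorted JSON is a stand-in
    (assumption) for whatever hash the real signing scheme defines."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def differing_fields(a, b):
    """Names of fields whose values differ between two transactions."""
    return [k for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]

def workstation_check(approved_tx, displayed_tx):
    """Check done entirely on the signer's workstation: compares the approved
    proposal with what the front end displays. Blind to a swapped payload."""
    return tx_digest(approved_tx) == tx_digest(displayed_tx)

def independent_check(approved_tx, device_digest):
    """Check done on a separate machine: recompute the digest from the
    approved proposal and compare it with the digest the signing device
    reports for the bytes it was actually asked to sign."""
    return tx_digest(approved_tx) == device_digest

# Constructed sample data (not taken from the incident).
APPROVED = {"to": "0x" + "11" * 20, "value": 0, "data": "0x01", "nonce": 42}
DISPLAYED = dict(APPROVED)  # the front end still shows the benign transaction
SUBMITTED = dict(APPROVED, to="0x" + "22" * 20, data="0x02")  # what reaches the device
DEVICE_DIGEST = tx_digest(SUBMITTED)

def run_demo():
    return {
        "workstation_check_passes": workstation_check(APPROVED, DISPLAYED),
        "independent_check_passes": independent_check(APPROVED, DEVICE_DIGEST),
        "changed_fields": differing_fields(APPROVED, SUBMITTED),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The workstation check passes because both of its inputs come from the same manipulated view; only the comparison against the device-reported digest exposes the swap.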

In response to the breach, Radiant Capital rapidly engaged cybersecurity specialists such as Mandiant, zeroShadow, Hypernative, and SEAL 911 to mitigate the potential damage and investigate the incident in depth. ZeroShadow confirmed Radiant’s hypothesis regarding the involvement of North Korean hackers, asserting a high degree of confidence in their findings based on both on-chain and off-chain analysis.

The statement issued on December 9 further detailed that the stolen funds’ movements were traced to other platforms like Hyperliquid, where users had failed to revoke permissions—placing the blame not solely on Radiant’s initial security failings but also on continued vulnerabilities elsewhere in the ecosystem.

This incident is not an isolated case; it serves as a stark reminder of the persistent and complex threats facing decentralized finance platforms. In January of the same year, Radiant had also suffered a breach, which resulted from a smart contract vulnerability and led to a $4.5 million loss. With the platform’s total value locked dropping from over $300 million to approximately $6 million, the implications of these attacks extend beyond immediate financial repercussions, hinting at a waning confidence among users in the security of DeFi protocols.

As DeFi continues to grow and attract significant investments, lessons learned from Radiant Capital’s unfortunate experience may serve as a catalyst for implementing more robust security measures across the entire sector. Enhanced stakeholder education on security practices, bolstered technical safeguards, and more rigorous regulatory oversight could be pivotal in safeguarding assets from future attacks and restoring trust in the decentralization movement.
