Hackers Exploit Radiant Capital With Malware, $50M Stolen in Heist

A malware-laced PDF sent to Radiant Capital engineers enabled North Korean hackers to steal over $50 million.

In a recent follow-up report on the breach, Radiant assisted by Mandiant revealed further details. On September 11, 2024, a Radiant developer received a Telegram message from an impersonated former contractor.

The message, purportedly from a former contractor, included a link to a zipped PDF. Allegedly related to a new smart contract auditing project, the document sought professional feedback.

The domain associated with the ZIP file convincingly mimicked the contractor’s legitimate website, and the request appeared routine in professional circles. Developers frequently exchange PDFs for tasks such as legal reviews or technical audits, reducing initial suspicion.

Trusting the source, the recipient shared the file with colleagues, inadvertently setting the stage for the cyber heist.

Unbeknownst to the Radiant team, the ZIP file contained INLETDRIFT, an advanced macOS malware camouflaged within the “legitimate” document. Once activated, the malware established a persistent backdoor, using a malicious AppleScript.

The malware’s design was sophisticated, displaying a convincing PDF to users while operating stealthily in the background.

Despite Radiant’s rigorous cybersecurity practices—including transaction simulations, payload verification, and adherence to industry-standard operating procedures (SOPs)—the malware successfully infiltrated and compromised multiple developer devices.

The attackers exploited blind signing and spoofed front-end interfaces, displaying benign transaction data to mask malicious activities. As a result, fraudulent transactions were executed without detection.

In preparation for the heist, the attackers staged malicious smart contracts across multiple platforms, including Arbitrum, Binance Smart Chain, Base, and Ethereum. Just three minutes after the theft, they erased traces of their backdoor and browser extensions.

The heist was executed with precision: just three minutes after transferring the stolen funds, the attackers wiped traces of their backdoor and associated browser extensions, further complicating forensic analysis.

Mandiant attributes the attack to UNC4736, also known as AppleJeus or Citrine Sleet, a group linked to North Korea’s Reconnaissance General Bureau (RGB). This incident highlights the vulnerabilities in blind signing and front-end verifications, emphasizing the urgent need for hardware-level solutions to validate transaction payloads.

Radiant is collaborating with U.S. law enforcement, Mandiant, and zeroShadow to freeze stolen assets. The DAO remains committed to supporting recovery efforts and sharing insights to improve industry-wide security standards.