North Korean Group UNC4736 Blamed for Radiant Capital Breach
On October 16, 2024, Radiant Capital, a decentralized cross-chain lending protocol based on LayerZero, suffered a highly sophisticated cyber attack, causing a staggering loss of US$50 million.
The attack has since been linked to North Korean hackers, marking another alarming chapter in a wave of cybercrime targeting decentralized finance (DeFi).
Report links North Korean actor to the Radiant Capital breach
A report from OneKey, a Coinbase-backed hardware wallet manufacturer, blamed the attack on North Korean hackers. The report builds on the most recent Medium post in which Radiant Capital shared an update on the October 16 attack.
Leading cybersecurity firm Mandiant reportedly further linked the breach to UNC4736, a North Korea-aligned group also known as AppleJeus or Citrine Sleet. The organization is affiliated with North Korea’s main intelligence agency, the Reconnaissance General Bureau (RGB).
Mandiant’s investigation revealed that the attackers carefully planned their actions. They staged malicious smart contracts across multiple blockchain networks, including Arbitrum, Binance Smart Chain, Base and Ethereum. These efforts reflect the advanced capabilities of North Korea-backed threat actors targeting the DeFi space.
The intrusion began with a carefully orchestrated phishing attack on September 11, 2024. A developer at Radiant Capital received a Telegram message from an individual posing as a trusted contractor. The message carried a zip file that purportedly contained a smart contract audit report. The file “Penpie_Hacking_Analysis_Report.zip” contained malware named INLETDRIFT, a macOS backdoor that gave the attackers unauthorized access to Radiant’s systems.
When the developer opened the file, it appeared to contain a legitimate PDF. In the background, however, the malware silently installed itself and established a backdoor connection to a malicious domain, atokyonews(.)com. This allowed the attackers to spread the malware further among Radiant’s team members, gaining deeper access to sensitive systems.
The attackers’ tactics culminated in a man-in-the-middle (MITM) attack. Using the compromised devices, they intercepted and manipulated transaction requests within Radiant’s Gnosis Safe multi-signature wallet. While the transactions appeared legitimate to the developers, the malware secretly altered them to perform a transfer ownership call, thereby seizing control of the Radiant lending pool contract.
Execution of the theft, industry impact and lessons learned
Although Radiant adhered to best practices, such as using hardware wallets, transaction simulations, and verification tools, the attackers’ approach bypassed all of these defenses. Within minutes of taking ownership, the hackers drained Radiant’s lending pools, shocking the platform and its users.
The Radiant Capital hack is a stark warning to the DeFi industry: even projects that adhere to strict security standards can fall prey to sophisticated threat actors. The incident highlighted serious weaknesses, including:
- Phishing risk: The attack began with a convincing impersonation scheme, emphasizing the need for heightened vigilance against unsolicited file sharing.
- Blind signing: While important, hardware wallets often display only basic transaction details, making it difficult for users to detect malicious modifications. Improved hardware-level solutions are needed to decode and verify transaction payloads.
- Front-end security: Relying on the front-end interface for transaction verification proved insufficient. A deceptive interface lets attackers manipulate transaction data without detection.
- Governance weaknesses: Radiant’s contracts were vulnerable because they had no mechanism to reverse an ownership transfer. Implementing a time lock, or requiring a delay before funds can be moved, would provide critical reaction time in future incidents.
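As an added example (not code from the article or from Radiant Capital), here is the kind of pre-signing check the blind-signing and front-end points above call for: it decodes the raw calldata instead of trusting the interface summary, so a payload rewritten into a transferOwnership call is flagged even though the target contract and value look unchanged. The selector values are the standard 4-byte function ids; the addresses and the routine selector are constructed placeholders.

```python
# Selectors (first 4 bytes of keccak256 of the signature) for ownership calls
# that a multisig signer should never approve without seeing them decoded.
PRIVILEGED_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "715018a6": "renounceOwnership()",
}
# Constructed placeholder values for the example (not Radiant's contracts).
LENDING_POOL = "0x" + "11" * 20
ATTACKER = "0x" + "aa" * 20
ROUTINE_SELECTOR = "0badc0de"  # stands in for the pool function the signers expect

def decode_calldata(calldata_hex: str):
    """Split raw calldata into the 4-byte selector and the 32-byte ABI words."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata length")
    words = [data[i:i + 32].hex() for i in range(4, len(data), 32)]
    return data[:4].hex(), words

def word_to_address(word: str) -> str:
    """An address is right-aligned in its word; the top 12 bytes must be zero."""
    if word[:24] != "0" * 24:
        raise ValueError("non-zero padding in address word")
    return "0x" + word[24:]

def encode_call(selector: str, *addresses: str) -> str:
    """Build calldata for the demo: selector plus left-padded address words."""
    return "0x" + selector + "".join(a[2:].lower().rjust(64, "0") for a in addresses)

def review_transaction(to, calldata_hex, expected_to, expected_selector):
    """Compare the payload actually being signed with what the signer intends.
    Returns a list of findings; an empty list means nothing was altered."""
    findings = []
    if to.lower() != expected_to.lower():
        findings.append(f"target mismatch: {to} vs {expected_to}")
    selector, words = decode_calldata(calldata_hex)
    if selector != expected_selector:
        findings.append(f"selector mismatch: {selector} vs {expected_selector}")
    if selector in PRIVILEGED_SELECTORS:
        arg = word_to_address(words[0]) if words else "(no args)"
        findings.append(f"privileged call {PRIVILEGED_SELECTORS[selector]} -> {arg}")
    return findings

if __name__ == "__main__":
    # Same target and zero value: a wallet showing only "to" and "amount" sees no difference.
    honest = encode_call(ROUTINE_SELECTOR)
    tampered = encode_call("f2fde38b", ATTACKER)
    print(review_transaction(LENDING_POOL, honest, LENDING_POOL, ROUTINE_SELECTOR))
    print(review_transaction(LENDING_POOL, tampered, LENDING_POOL, ROUTINE_SELECTOR))
```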
In response to the breach, Radiant Capital has engaged leading cybersecurity firms including Mandiant, zeroShadow and Hypernative, which are assisting with the investigation and asset recovery. The Radiant DAO is also working with U.S. law enforcement to track and freeze the stolen funds.
In its Medium post, Radiant also reiterated its commitment to sharing lessons learned and enhancing security across the DeFi industry. The DAO emphasized the importance of adopting a strong governance framework, strengthening device-level security, and moving away from dangerous practices such as blind signing.
“Looks like things may have stopped at step 1,” one user on X commented.
The Radiant Capital incident aligns with a recent report showing how North Korean hackers continue to change tactics. As cybercriminals become more sophisticated, the industry must adapt by prioritizing transparency, strong security measures, and working together to combat such attacks.
Disclaimer
In line with the Trust Project guidelines, BeInCrypto is committed to fair and transparent reporting. This news article is intended to provide accurate and timely information. However, readers are advised to independently verify the facts and consult a professional before making any decisions based on the content of this article. Please note that our Terms and Conditions, Privacy Policy and Disclaimer have been updated.