Radiant Capital Suffers $50M DeFi Hack Tied to North Korean Hacker Group
Radiant Capital disclosed a $50 million hack attributed to a North Korean-linked threat actor, as confirmed by cybersecurity firm Mandiant on December 6.
The attack began on September 11 when a Radiant developer received a seemingly benign Telegram message from a trusted former contractor. However, the message included a zip file that, once shared among developers, unleashed sophisticated malware.
The malware enabled attackers to compromise multiple developer devices, manipulate transaction data, and gain control of private keys and smart contracts. By October 16, Radiant was forced to suspend its lending markets to prevent further damage.
The attackers, identified as “UNC4736” or “Citrine Sleet,” are believed to be linked to North Korea’s Reconnaissance General Bureau, often associated with the infamous Lazarus Group.
How the Hack Deceived Radiant’s Safeguards
The attackers crafted the zip file and its associated domain to resemble a legitimate contractor’s website, bypassing initial scrutiny. Radiant stated that common security checks, such as simulations in Tenderly and payload verification, failed to detect the intrusion.
“Traditional simulations and verification processes showed no obvious discrepancies, making the threat virtually invisible during standard reviews,” Radiant noted in its update.
Hackers exploited the malware to manipulate Radiant’s front-end interfaces, displaying legitimate data while processing malicious transactions in the background. This breach highlights vulnerabilities even in platforms following industry-standard best practices.
A Stark Reminder for DeFi Security
Radiant Capital labeled the attack as a wake-up call for DeFi platforms facing evolving cyber threats. This year alone, North Korean-linked hackers have stolen billions in cryptocurrency, including $52 million moved post-attack from Radiant on October 24.
In January, Radiant faced another significant breach—a $4.5 million flash loan exploit. These incidents underscore the limitations of current DeFi security measures and the growing need for advanced threat detection systems.
Radiant’s experience serves as a cautionary tale for the crypto industry, where evolving tactics by malicious actors demand constant vigilance and innovation in security protocols.
Key Takeaways:
- Radiant Capital lost $50M in a sophisticated DeFi hack linked to North Korea’s Lazarus Group.
- Malware disguised as a contractor’s file bypassed traditional safeguards, compromising multiple devices.
- DeFi platforms face growing threats, underscoring the need for advanced security measures.
