North Korean Hackers Exploit DeFi Platform Radiant Capital in $50M Heist


Radiant Capital has confirmed that a sophisticated North Korean threat actor orchestrated a $50 million hack on its decentralized finance (DeFi) platform.

North Korean Group Executes $50M DeFi Security Breach

The attack, disclosed on December 6, involved malware transmitted via a Telegram message from a hacker posing as a former contractor. This breach has raised significant concerns about DeFi security.

The cybersecurity firm Mandiant, contracted by Radiant, attributed the attack to a Democratic People’s Republic of Korea (DPRK)-aligned group known as “UNC4736” or “Citrine Sleet.” The group is suspected of ties to the Lazarus Group, a hacking collective linked to North Korea’s intelligence agency.

The hack, which unfolded on October 16, forced Radiant to suspend its lending operations after multiple developers’ devices were compromised. Hackers gained access to private keys and smart contracts, facilitating the theft of funds.

Radiant said in a statement: “Even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices.”

How the Attack Was Carried Out

Radiant Capital revealed that the attack began on September 11 when a Radiant developer received a Telegram message from what appeared to be a trusted ex-contractor.

The message included a zip file with malware disguised as a document for feedback. Radiant’s investigation revealed that the domain linked to the file mimicked the contractor’s legitimate website.

The malware was shared among Radiant developers, compromising several devices. The attackers manipulated front-end interfaces to display normal transaction data while executing unauthorized transfers in the background.

Radiant acknowledged: “Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”
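The failure mode described above, where a tampered front end shows one transaction while a different payload is handed to the signer, is only caught if the raw calldata is decoded independently of the UI and compared with the operator's stated intent. The following is an added illustration, not code from Radiant, Mandiant or any wallet vendor; the selectors are the well-known ones for three ERC-20/Ownable functions, and the addresses and payloads are constructed samples.

```python
# Added example: decode the calldata that is actually about to be signed and
# compare it with the action the front end claims, without trusting the UI.
from typing import Union

# 4-byte selectors are the first 4 bytes of keccak256(signature); these three are well known.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}
Arg = Union[str, int]

def decode_calldata(calldata: str) -> tuple[str, list[Arg]]:
    """Parse selector + 32-byte ABI words into (function name, arguments)."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}: refuse to sign blind")
    name, types = SELECTORS[selector]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("calldata length does not match the declared signature")
    args: list[Arg] = []
    for i, typ in enumerate(types):
        word = body[32 * i : 32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # an address word is left-padded with 12 zero bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def matches_intent(calldata: str, function: str, args: list[Arg]) -> bool:
    """True only if the raw payload does exactly what the operator intends."""
    name, decoded = decode_calldata(calldata)
    norm = lambda a: a.lower() if isinstance(a, str) else a
    return name == function and [norm(a) for a in decoded] == [norm(a) for a in args]

# Constructed sample: the UI shows a 1000-token transfer to TREASURY, but the
# payload handed to the signer is a transferOwnership() to a different address.
TREASURY = "0x" + "aa" * 20
ATTACKER = "0x" + "bb" * 20
SHOWN = "0xa9059cbb" + TREASURY[2:].rjust(64, "0") + format(1000, "064x")
SUBMITTED = "0xf2fde38b" + ATTACKER[2:].rjust(64, "0")

if __name__ == "__main__":
    print(matches_intent(SHOWN, "transfer", [TREASURY, 1000]))      # True
    print(matches_intent(SUBMITTED, "transfer", [TREASURY, 1000]))  # False
```

A hardware wallet that displays the decoded function and arguments gives the signer the same check at the last step, which is the gap the page's later discussion of hardware-wallet verification points at.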

On October 24, hackers moved approximately $52 million of the stolen funds.

North Korean cybercriminals have targeted crypto platforms for years, stealing $3 billion between 2017 and 2023. The Lazarus Group and its sub-clusters, including Citrine Sleet, are infamous for using advanced deception techniques.

The breach was a stark reminder of the vulnerabilities in DeFi security systems. Radiant Capital has since described the incident as an “expensive lesson” for the sector, with security expert Patrick Collins noting a critical gap in using hardware wallets to verify transactions.

He called it a “$50 million lesson” that shows the need for better education and tools to prevent such breaches.

This is Radiant Capital’s second major security incident in 2023. In January, it suffered a $4.5 million flash loan exploit, leading to significant losses.

The platform’s total value locked (TVL) has plummeted from over $300 million in late 2022 to around $5.81 million as of December 9, according to DefiLlama.

The attack on Radiant Capital mirrors other recent crypto crimes, like the $11 million scheme uncovered by U.S. prosecutors involving sophisticated phishing and SIM-swapping tactics.

In this case, hackers drained wallets and stole sensitive data from individuals and businesses across multiple countries, showing the growing risks even for entities with advanced security measures.

About Jimmy Aki

Based in the UK, Jimmy is an economic researcher with outstanding hands-on and heads-on experience in macroeconomic finance analysis, forecasting and planning. He has honed his skills having worked cross-continentally as a finance analyst, which gives him inter-cultural experience. He currently has a strong passion for regulation and macroeconomic trends, as it allows him to peek under the global bonnet to see how the world works.