This Is How Alleged North Korean Hackers Stole $50M from a Crypto Project
Radiant Capital, a decentralized finance (DeFi) platform, released a more detailed report on their $50 million hack this past October, claiming with "high confidence" that North Korean hackers were behind the attack.
"This incident demonstrates that even rigorous [standard operating procedures], hardware wallets, simulation tools like Tenderly, and careful human review can be circumvented by highly advanced threat actors," the team behind the platform warned in the report, co-authored by the cybersecurity firm Mandiant.
Here’s how Radiant Capital claims it was tricked by a hacker pretending to be an ex-contractor.
The team said that in September they were contacted by someone posing as a trusted former contractor. The attacker sent a zipped PDF with plausible information about the contractor's past work, which raised no suspicion at the time, and had also spoofed the real contractor's legitimate website. Only after the hack did the team realize that the message had been sent from North Korea and that the ZIP file contained malware that let the hackers steal millions.
The malware, INLETDRIFT, established a macOS backdoor and employed a malicious AppleScript to communicate with the domain atokyonews[.]com.
This allowed the front-end interfaces to display benign transaction data while malicious transactions were signed in the background.
"Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages," the report stressed.
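The mismatch the report describes, a UI that shows one transaction while a different payload goes to the signer, is caught only by decoding the raw calldata independently of the front-end and comparing it with the stated intent. The following is an added example, not code from Radiant Capital or Mandiant: it ABI-decodes a payload against a small table of well-known function selectors (the ERC-20 `transfer`/`approve` and Ownable `transferOwnership` values, which are public constants and not taken from the report) and lists every discrepancy between what the UI claims and what would actually be signed. The contract and recipient addresses in the sample are constructed placeholders.

```python
"""Independently decode the calldata a signer is asked to approve and
compare it with what the front-end claims the transaction does.
Added example; the selector table and sample addresses are assumptions."""

# A function selector is the first 4 bytes of keccak256(signature).
# The three entries below are the well-known public values for these
# functions; they are not specific to the Radiant contracts.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}
SELECTOR_BY_NAME = {name: sel for sel, (name, _) in KNOWN_SELECTORS.items()}


def _norm_addr(addr):
    """Lower-case 40-hex-digit form of an address, without the 0x prefix."""
    return addr.lower().removeprefix("0x").rjust(40, "0")


def encode_call(name, args):
    """ABI-encode a call to a known function (static types only, one
    32-byte word per argument). Used here to build sample payloads."""
    sel = SELECTOR_BY_NAME[name]
    _, types = KNOWN_SELECTORS[sel]
    words = []
    for typ, val in zip(types, args):
        if typ == "address":
            words.append(_norm_addr(val).rjust(64, "0"))
        else:
            words.append(format(int(val), "064x"))
    return "0x" + sel + "".join(words)


def decode_calldata(data_hex):
    """Return (function_name, [args]) for a known selector, else None."""
    data = data_hex.lower().removeprefix("0x")
    sel, body = data[:8], data[8:]
    if sel not in KNOWN_SELECTORS:
        return None
    name, types = KNOWN_SELECTORS[sel]
    if len(body) != 64 * len(types):          # wrong argument count / junk
        return None
    args = []
    for i, typ in enumerate(types):
        word = body[64 * i:64 * (i + 1)]
        if typ == "address":
            if word[:24] != "0" * 24:         # address words are zero-padded
                return None
            args.append("0x" + word[24:])
        else:
            args.append(int(word, 16))
    return name, args


def verify_intent(ui_intent, raw_tx):
    """Compare the UI's description of a transaction with the raw payload.
    Returns a list of discrepancies; an empty list means they agree."""
    problems = []
    if _norm_addr(ui_intent["to"]) != _norm_addr(raw_tx["to"]):
        problems.append(f"target: ui={ui_intent['to']} payload={raw_tx['to']}")
    decoded = decode_calldata(raw_tx["data"])
    if decoded is None:
        problems.append("calldata: unknown selector or malformed arguments")
        return problems
    name, args = decoded
    if name != ui_intent["function"]:
        problems.append(f"function: ui={ui_intent['function']} payload={name}")
    ui_args = ui_intent["args"]
    if len(ui_args) != len(args):
        problems.append(f"arg count: ui={len(ui_args)} payload={len(args)}")
        return problems
    for i, (expect, got) in enumerate(zip(ui_args, args)):
        if isinstance(got, str):              # address argument
            same = isinstance(expect, str) and _norm_addr(expect) == _norm_addr(got)
        else:                                 # integer argument
            same = not isinstance(expect, str) and int(expect) == got
        if not same:
            problems.append(f"arg {i}: ui={expect} payload={got}")
    return problems


# Constructed sample: the wallet UI shows a routine token transfer, while the
# payload actually presented for signature hands contract ownership to an
# unfamiliar address. All addresses are placeholders.
TREASURY_TOKEN = "0x" + "11" * 20
UI_INTENT = {"to": TREASURY_TOKEN, "function": "transfer",
             "args": ["0x" + "22" * 20, 1_000_000]}
HONEST_TX = {"to": TREASURY_TOKEN,
             "data": encode_call("transfer", UI_INTENT["args"])}
TAMPERED_TX = {"to": TREASURY_TOKEN,
               "data": encode_call("transferOwnership", ["0x" + "ee" * 20])}

if __name__ == "__main__":
    print(verify_intent(UI_INTENT, HONEST_TX))    # []
    print(verify_intent(UI_INTENT, TAMPERED_TX))  # function and arg-count mismatches
```

The point of the check is where it runs: it must read the bytes that the hardware wallet or signer will actually receive, on a path the front-end cannot influence, and refuse any payload whose selector is not in an allow-list or whose decoded arguments differ from the reviewed intent. A simulation that consumes the same tampered view the UI shows adds nothing, which is the gap the report describes.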
Three minutes after the theft on October 16, the hacker removed traces of their second-stage backdoor and related browser extensions.
With "high confidence," Mandiant attributes the attack to the UNC4736 group, also known as AppleJeus or Citrine Sleet, which has ties to North Korea's Reconnaissance General Bureau and TEMP.Hermit, a North Korean cyber espionage group. These findings were also confirmed by another cryptoasset security firm, zeroShadow, which also urged Radiant Capital users to revoke permissions for the hacked contracts.
In 2024, the crypto asset industry raised multiple alarms about increasingly sophisticated attacks by North Korean hackers pretending to be legitimate contractors.
"As the DeFi industry grows, it must evolve beyond superficial checks and towards robust, device-level transparency to protect against increasingly sophisticated attacks," Radiant Capital concluded as it collaborates with law enforcement and blockchain security specialists to freeze the stolen funds.