Hacker attack on Radiant Capital

In October 2024, the decentralized finance platform Radiant Capital fell victim to a major hack, resulting in the theft of $50 million. It was later revealed that the attack was carried out by a group linked to North Korea. The hackers used a sophisticated scheme to bypass the system’s security and withdraw funds.

On September 11, a developer at Radiant received a zip file via Telegram from an apparently trusted contractor, asking for a review of the project. The file raised no suspicions but turned out to be infected with malware, leading to a successful breach and the spread of the threat among employees.

How did the attackers bypass security?

The hackers signed malicious transactions in the background while the interfaces displayed only regular operations. Standard checks, including Tenderly and hardware wallets, did not detect any anomalies. The scammers used a fake domain, copying the contractor’s website, to hide their tracks.

Impact on system security

Radiant Capital reported that the attack was carried out by the hacker group UNC4736, also known as Citrine Sleet, which is linked to North Korea's RGB agency. This group has been actively targeting cryptocurrency platforms, stealing billions of dollars.

On October 24, the hackers managed to withdraw around $52 million that was seized during the attack. “The incident shows that even with strict security measures, experienced hackers can bypass them,” Radiant Capital stated.

What can be improved in DeFi security?

Radiant Capital emphasized the need to revise security standards in DeFi. The company stated that the forgery of external checks and signatures requires the development of more robust solutions for transaction verification and security enhancement.

This is the second major incident for the platform in 2024. In January, it suspended its lending markets after a $4.5 million hack. After two attacks, the system's blocked value has decreased from $300 million to $5.81 million as of December 9.