- Radiant Capital has suffered a $50M loss due to a cyberattack that was attributed to a group linked to the DPRK, UNC4736.
- The attackers used sophisticated malware to bypass security protocols.
- This incident highlights critical vulnerabilities in DeFi security and urges the adoption of hardware-level transaction verification throughout the industry.
Radiant Capital confirmed new findings regarding the $50 million cyberattack that it suffered on 16 October 2024. The cybersecurity firm Mandiant conducted an investigation that identified the attackers as UNC4736, a North Korea-linked threat group connected to the nation’s Reconnaissance General Bureau.
Cyberattacks on decentralized finance (DeFi) are becoming more sophisticated, indicating the urgent need to strengthen security measures within the industry.
How the attack unfolded
The attack began on September 11, 2024, when a Radiant developer received a Telegram message, appearing normal, from an attacker posing as a trusted ex-contractor. The message contained a ZIP file that supposedly showcased the contractor’s work on smart contract auditing. It actually carried a sophisticated malware known as INLETDRIFT.
This malware, disguised as a PDF file, installed a macOS backdoor and connected the victim’s computer to an external domain controlled by the attackers. UNC4736 meticulously planned the heist and deployed malicious smart contracts on Arbitrum, Binance Smart Chain, Base, and Ethereum over the following weeks.
The attackers exploited the front-end interfaces, despite Radiant following standard security protocols such as transaction simulations with Tenderly and payment verification. The hackers were well hidden by the time the theft occurred, making detection difficult.
Attribution and Tactics
UNC4736 is a well-known threat group that has been linked to the DPRK’s TEMP.Hermit. The group is primarily focused on financially motivated cybercrime and uses highly advanced social engineering techniques to infiltrate systems. Mandiant is confident in attributing this attack to the group, due to its use of state-level tactics.
The funds were transferred within minutes of the theft, and all traces of the malware and browser extensions used during the attack were removed.
DeFi Security: A Wake-up Call
This breach highlights the weaknesses in current DeFi security, especially the reliance on blind signing and on front-end transaction verification. Radiant Capital has called on the industry to shift towards hardware-level verification in order to prevent similar incidents.
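The point made above about blind signing is that a compromised front end can display one transaction while the signer approves another. The defensive control is to decode the raw calldata independently of the UI and compare it with what the operator intends, which is what hardware-level ("clear signing") verification does. The following is an added example, not code from Radiant Capital or Mandiant: the three function selectors are the standard Solidity selectors for `transfer`, `approve` and `transferOwnership`; the addresses, amounts and the allowed-function policy are constructed for illustration.

```python
# Added example: verify EVM calldata against the displayed intent before signing.
# Selectors are the standard 4-byte Solidity function selectors; addresses,
# amounts and the ALLOWED_FUNCTIONS policy are constructed for this example.
from dataclasses import dataclass

KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}

# Constructed policy: which functions this signing workflow may approve at all.
ALLOWED_FUNCTIONS = {"transfer", "approve"}
MAX_UINT256 = 2**256 - 1


@dataclass
class Intent:
    """What the operator believes they are signing, as shown by the front end."""
    function: str
    to: str
    amount: int


def decode_calldata(calldata_hex: str):
    """Decode selector and ABI-encoded arguments; raise ValueError on anything odd."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    name, types = KNOWN_SELECTORS[selector]
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError("argument length does not match the function signature")
    args = []
    for i, typ in enumerate(types):
        word = words[32 * i:32 * (i + 1)]
        if typ == "address":
            # A valid address occupies the low 20 bytes; the top 12 must be zero.
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return name, args


def verify_against_intent(intent: Intent, calldata_hex: str):
    """Return (ok, reason): does the raw calldata match what the UI displayed?"""
    try:
        name, args = decode_calldata(calldata_hex)
    except ValueError as exc:
        return False, str(exc)
    if name not in ALLOWED_FUNCTIONS:
        return False, f"function {name} is not allowed for this workflow"
    if name != intent.function:
        return False, f"UI showed {intent.function} but calldata calls {name}"
    to, amount = args
    if to.lower() != intent.to.lower():
        return False, f"recipient mismatch: UI {intent.to}, calldata {to}"
    if amount != intent.amount:
        return False, f"amount mismatch: UI {intent.amount}, calldata {amount}"
    if name == "approve" and amount == MAX_UINT256:
        return False, "unlimited approval is refused by policy"
    return True, "calldata matches displayed intent"


def build_calldata(selector: str, address: str, amount=None) -> str:
    """Constructed helper that assembles sample calldata for the checks below."""
    words = bytes(12) + bytes.fromhex(address.removeprefix("0x"))
    if amount is not None:
        words += amount.to_bytes(32, "big")
    return "0x" + selector + words.hex()


# Constructed sample addresses and transactions.
ALICE = "0x" + "11" * 20
ATTACKER = "0x" + "ee" * 20
SAMPLE_TRANSFER = build_calldata("a9059cbb", ALICE, 1000)
SAMPLE_TRANSFER_REDIRECTED = build_calldata("a9059cbb", ATTACKER, 1000)
SAMPLE_OWNERSHIP = build_calldata("f2fde38b", ATTACKER)
SAMPLE_APPROVE_MAX = build_calldata("095ea7b3", ATTACKER, MAX_UINT256)

if __name__ == "__main__":
    shown = Intent("transfer", ALICE, 1000)
    for label, calldata in [("honest transfer", SAMPLE_TRANSFER),
                            ("redirected transfer", SAMPLE_TRANSFER_REDIRECTED),
                            ("ownership transfer", SAMPLE_OWNERSHIP)]:
        print(label, "->", verify_against_intent(shown, calldata))
    print("unlimited approve ->",
          verify_against_intent(Intent("approve", ATTACKER, MAX_UINT256), SAMPLE_APPROVE_MAX))
```

The check deliberately trusts nothing from the front end except the operator's stated intent: the selector, recipient and amount are read from the bytes that will actually be signed, so a UI that renders a benign transfer over a call to `transferOwnership`, or silently swaps the recipient, is caught before the signature is produced.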
Radiant DAO is working with Mandiant, zeroShadow, Hypernative and U.S. law enforcement to track down and recover the stolen funds. The organization will continue its efforts and share its findings in order to improve security standards across the crypto ecosystem.