Radiant Capital has attributed a $50 million cryptocurrency theft to North Korean hackers following an October 16 security breach. This investigation, supported by cybersecurity firm Mandiant, links the attack to a group known as Citrine Sleet, also referred to as UNC4736 or "AppleJeus," which is reportedly affiliated with the North Korean state.
Detailed Attack Overview
Radiant Capital, a decentralized finance (DeFi) lending platform, revealed that the breach was executed using highly sophisticated malware. The malware compromised the devices of three trusted developers, enabling the attackers to drain funds from Radiant's Arbitrum and Binance Smart Chain markets. The attackers abused the platform's standard multi-signature process: the developers' legitimate signatures were obtained on malicious transactions that were presented to them as transaction errors. Although the developers used hardware wallets and several layers of verification, neither manual review nor transaction simulation detected the intrusion, underscoring the attackers' expertise.
Initial Point of Compromise
The intrusion began on September 11, 2024, when a Radiant developer received a fraudulent Telegram message impersonating a former contractor. The message led to the download of a malicious ZIP file containing a decoy PDF and a macOS malware payload dubbed 'InletDrift'. This malware installed a backdoor on the victim's system, which served as the foothold for the subsequent breach.
Unseen Sophistication
Radiant Capital described the operation as exceptionally seamless, bypassing all of its established security controls. These included transaction simulations using Tenderly and thorough verification of payload data, with standard operating procedures followed at each stage. The attackers caused the front-end interfaces to display innocuous transaction data while the transactions actually being signed were malicious, so the discrepancy went unnoticed even during routine checks.
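The failure mode described in the two passages above is that the signer trusts what the front end displays, and that "failed, please retry" prompts get re-signed without a second look. Below is an added example of a signer-side check, not Radiant Capital's, Mandiant's or any wallet vendor's code: it decodes the calldata actually presented for signing, compares it with what the UI claims, and refuses a retry whose bytes differ from the transaction already reviewed. It assumes the wallet exposes raw calldata before signing, uses the standard ERC-20/Ownable function selectors, and every address and calldata value in the sample data is constructed.

```javascript
// Added example, not code from Radiant Capital, Mandiant or any wallet vendor.
// Signer-side check: decode the calldata actually presented for signing and
// compare it with what the front end claims, then refuse "please retry"
// prompts whose bytes differ from the transaction already reviewed.
// Assumptions: the wallet exposes raw calldata (hex) before signing; the
// selectors below are the standard ERC-20 / Ownable ones; every address and
// calldata value in the sample data is constructed for illustration.

// Standard 4-byte selectors (first 4 bytes of keccak256 of the canonical
// signature), hardcoded so the example runs without a keccak library.
const SELECTORS = {
  '0xa9059cbb': { name: 'transfer', args: ['address', 'uint256'] },
  '0x095ea7b3': { name: 'approve', args: ['address', 'uint256'] },
  '0xf2fde38b': { name: 'transferOwnership', args: ['address'] },
};

// Decode one 32-byte ABI word (64 hex chars) into the named type.
function decodeWord(type, word) {
  if (type === 'address') return '0x' + word.slice(24);
  if (type === 'uint256') return BigInt('0x' + word);
  throw new Error(`unsupported ABI type ${type}`);
}

// Decode raw calldata into { name, args }; null when the selector is unknown.
function decodeCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, '');
  if (hex.length < 8) throw new Error('calldata too short');
  const abi = SELECTORS['0x' + hex.slice(0, 8)];
  if (!abi) return null;
  const body = hex.slice(8);
  if (body.length !== abi.args.length * 64) throw new Error('malformed argument block');
  const args = abi.args.map((t, i) => decodeWord(t, body.slice(i * 64, i * 64 + 64)));
  return { name: abi.name, args };
}

// Type-agnostic comparison of a displayed argument with a decoded one.
function sameArg(shown, decoded) {
  return String(shown).toLowerCase() === String(decoded).toLowerCase();
}

// Compare what the UI displayed ({ name, args }) with the calldata to be signed.
// Returns a list of discrepancies; an empty list means the two agree.
function checkIntent(displayed, calldata) {
  const actual = decodeCalldata(calldata);
  if (actual === null) return ['unknown function selector: do not sign blind'];
  const issues = [];
  if (actual.name !== displayed.name) {
    issues.push(`function mismatch: UI shows ${displayed.name}, calldata calls ${actual.name}`);
  }
  if (actual.args.length !== displayed.args.length) {
    issues.push(`argument count mismatch: UI ${displayed.args.length}, calldata ${actual.args.length}`);
  } else {
    actual.args.forEach((a, i) => {
      if (!sameArg(displayed.args[i], a)) {
        issues.push(`argument ${i} mismatch: UI ${displayed.args[i]}, calldata ${a}`);
      }
    });
  }
  return issues;
}

// Policy for "transaction failed, please sign again": a retry must present
// byte-identical calldata to the transaction already reviewed; otherwise it
// is a new transaction and gets a fresh review instead of a reflexive re-sign.
function reviewRetry(reviewedCalldata, retryCalldata) {
  return reviewedCalldata.toLowerCase() === retryCalldata.toLowerCase()
    ? 'sign'
    : 'refuse: calldata changed between attempts, review from scratch';
}

// Constructed sample data (not real addresses or transactions).
const ADDR_A = '0x1111111111111111111111111111111111111111';
const ADDR_B = '0x2222222222222222222222222222222222222222';
const word = (h) => h.replace(/^0x/, '').padStart(64, '0');
// What the UI shows and what is really in the calldata agree here...
const HONEST_CALLDATA = '0xa9059cbb' + word(ADDR_A) + word((1000000n).toString(16));
// ...and here the UI still shows a transfer while the bytes hand over ownership.
const SWAPPED_CALLDATA = '0xf2fde38b' + word(ADDR_B);
const DISPLAYED = { name: 'transfer', args: [ADDR_A, 1000000n] };

console.log('honest:', checkIntent(DISPLAYED, HONEST_CALLDATA));   // []
console.log('swapped:', checkIntent(DISPLAYED, SWAPPED_CALLDATA)); // two mismatches
console.log('retry:', reviewRetry(HONEST_CALLDATA, SWAPPED_CALLDATA)); // refuse
```

The point of the check is that it never consults the front end for the truth: the hardware wallet's raw calldata is decoded independently and the UI's claim is treated as an assertion to be verified. Transaction simulation alone does not help if the simulated transaction is the one the UI shows rather than the one being signed.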
Broader Implications and Ongoing Efforts
Mandiant's high-confidence assessment identifies the perpetrators as UNC4736, the same threat group known for exploiting a zero-day vulnerability in Google Chrome earlier this year. Radiant emphasizes the urgent need for stronger device-level security to protect transaction integrity going forward. Efforts to recover the stolen funds are ongoing, with Radiant working closely with U.S. law enforcement and zeroShadow to pursue any possible reclamation of assets.