A new post-mortem from Radiant Capital alleges that a North Korean state-backed hacker was behind a $50 million exploit of the protocol.
The attacker impersonated a “trusted former contractor” of Radiant Capital to distribute malware via a “compressed PDF” file shared on messaging platform Telegram, the report said, citing findings by cybersecurity firm Mandiant.
According to Radiant Capital, the file originated from a “DPRK-aligned threat actor” believed to be UNC4736, also tracked as Citrine Sleet and known as the group behind the AppleJeus malware.
Leveraging the contractor’s previous relationship with the Radiant team, the attacker crafted a convincing ruse by spoofing the contractor’s legitimate domain name and sending a Telegram message asking for feedback on a new project supposedly related to smart contract auditing.
“Requests to review PDFs are a routine process in professional environments; lawyers, smart contract auditors and partners often share documents in this format,” the report said, adding that the message did not raise any suspicion and was consequently shared with other developers for feedback.
The zip file, which appeared to be an after-the-fact report on the Penpie attack, actually contained INLETDRIFT malware, which planted a macOS backdoor and gave the threat actor control of the devices of at least three Radiant developers and, through them, of the signing flow of their hardware wallets.
During the October 16 attack, the malware manipulated the front-end interface of Safe{Wallet} (formerly Gnosis Safe), displaying legitimate-looking transaction data to developers while malicious transactions were signed and executed in the background.
Radiant noted that the attackers compromised multiple developer devices despite strict adherence to best practices such as Tenderly simulations, payload verification and industry-standard SOPs.
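The failure mode described above is that the signer trusts what the front-end renders rather than what the hardware wallet is actually asked to sign. The check a practitioner wants is an independent recomputation of the Safe EIP-712 transaction hash from the calldata they intend to approve, compared against the hash the device displays. The script below is an added example and is not code from Radiant Capital, Mandiant or the Safe project; it follows the Safe v1.3.0 hashing scheme (`EIP712Domain(chainId, verifyingContract)`, `SafeTx(...)`) and implements Keccak-256 inline so it runs with the standard library only. The chain ID, the Safe, pool and attacker addresses, the `setPause(bool)` call and the tampered `transferOwnership(address)` payload are all constructed for illustration.

```python
# Added example: recompute the Safe{Wallet} transaction hash offline from the calldata the
# signer intends to approve, so it can be compared with the hash shown on a hardware wallet.
# A spoofed front-end that hands the signer different calldata yields a different hash.
# Keccak-256 is implemented here because hashlib.sha3_256 uses SHA-3 padding (0x06), while
# Ethereum uses the original Keccak padding (0x01).

MASK64 = (1 << 64) - 1
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets r[x][y] of the rho step.
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _keccak_f1600(a):
    """24 rounds of theta, rho, pi, chi, iota on a 5x5 lane state a[x][y]."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        a[0][0] ^= rc
    return a


def keccak256(data: bytes) -> bytes:
    rate = 136  # 1088-bit rate for a 256-bit output
    msg = bytearray(data) + b"\x01"          # Keccak pad10*1 begins with 0x01
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    state = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            state[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        state = _keccak_f1600(state)
    return b"".join(state[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def _u256(n: int) -> bytes:
    return n.to_bytes(32, "big")


def _addr(hexaddr: str) -> bytes:
    return bytes.fromhex(hexaddr[2:]).rjust(32, b"\x00")


def selector(signature: str) -> bytes:
    return keccak256(signature.encode())[:4]


# Type strings as used by Safe v1.3.0 (note the field name "_nonce").
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 _nonce)")
ZERO_ADDR = "0x" + "00" * 20


def safe_tx_hash(chain_id, safe, to, value, data, operation, nonce, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token=ZERO_ADDR, refund_receiver=ZERO_ADDR) -> bytes:
    """keccak256(0x19 || 0x01 || domainSeparator || hashStruct(SafeTx)) as in Safe v1.3.0."""
    domain = keccak256(DOMAIN_TYPEHASH + _u256(chain_id) + _addr(safe))
    struct = keccak256(
        SAFE_TX_TYPEHASH + _addr(to) + _u256(value) + keccak256(data) + _u256(operation)
        + _u256(safe_tx_gas) + _u256(base_gas) + _u256(gas_price) + _addr(gas_token)
        + _addr(refund_receiver) + _u256(nonce))
    return keccak256(b"\x19\x01" + domain + struct)


# Constructed sample values (all placeholders, not real deployments).
CHAIN_ID = 42161              # assumed chain for the illustration
SAFE = "0x" + "11" * 20       # the multisig
POOL = "0x" + "22" * 20       # the protocol contract the signer means to call
ATTACKER = "0x" + "33" * 20   # address a tampered payload would hand control to

# What the front-end shows the developer: a routine admin call with nonce 42.
INTENDED = dict(to=POOL, value=0, operation=0, nonce=42,
                data=selector("setPause(bool)") + _u256(0))
# What a spoofed front-end could hand the signer instead, same to/nonce, different data.
TAMPERED = dict(to=POOL, value=0, operation=0, nonce=42,
                data=selector("transferOwnership(address)") + _addr(ATTACKER))


def expected_hash(tx) -> str:
    return "0x" + safe_tx_hash(CHAIN_ID, SAFE, **tx).hex()


def display_matches(hash_on_device: str, tx) -> bool:
    """True only if the hash the hardware wallet displays equals the one recomputed
    offline from the calldata the signer intends to approve."""
    return hash_on_device.lower() == expected_hash(tx)


if __name__ == "__main__":
    print("intended :", expected_hash(INTENDED))
    print("tampered :", expected_hash(TAMPERED))
    print("device shows tampered hash, matches intended?",
          display_matches(expected_hash(TAMPERED), INTENDED))
```

The comparison only helps if the expected hash is computed on a machine other than the one running the (possibly backdoored) wallet front-end, and if the device firmware shows the full EIP-712 hash rather than a truncated prefix; a signer who approves whatever the screen says has no check at all.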
“Mandiant assesses with high confidence that this attack can be attributed to a threat actor with a connection to the Democratic People’s Republic of Korea (North Korea),” the report said.
North Korean hackers stole billions of dollars of cryptocurrency
UNC4736 is believed to have ties to the Reconnaissance General Bureau of the Democratic People’s Republic of Korea and is known to target cryptocurrency-focused firms.
As previously reported by Crypto.news, earlier this year the group targeted crypto financial institutions by exploiting a zero-day vulnerability in the Chromium browser to run malicious code and escape the browser’s sandbox.
In September, the Federal Bureau of Investigation warned of increasingly sophisticated tactics used by North Korean hackers and indicated they were interested in targeting individuals linked to crypto exchange-traded funds.
A more recent report from researchers presenting at the CyberwarCon security conference revealed that North Korean hackers managed to siphon off more than $10 million in just six months by infiltrating leading companies, including by posing as remote IT workers and other employees.
It has been claimed that approximately $3 billion stolen from the crypto industry between 2017 and 2023 by these state-backed hacking groups was used to finance North Korea’s nuclear weapons program.