Web3 Security Firms Confirm North Korea’s Role in Radiant Capital Hack

Radiant Capital has revealed new findings about the $50 million hack that targeted its decentralized finance (DeFi) platform in October, attributing the attack to a North Korea-aligned hacking group.

The attackers gained access through an elaborate scheme involving malware distributed through Telegram.

$50 Million Radiant Capital DeFi Hack

The breach, first discovered on October 16, 2024, prompted Radiant to partner with cybersecurity firms such as Mandiant, zeroShadow, Hypernative, and SEAL 911 to investigate and mitigate the damage.

According to the official blog post, the attack dates back to September 11, 2024, when a Radiant developer received a Telegram message from someone posing as a former contractor. The message, designed to appear innocuous, asked for feedback on a purported career-related PDF file linked to smart contract auditing.

The sender convincingly spoofed a legitimate website, which reduced suspicion. Opening the file, titled Penpie_Hacking_Analysis_Report.zip, installed a macOS backdoor called INLETDRIFT. The malware communicated with an external server while displaying a realistic-looking PDF as a decoy, so nothing appeared out of the ordinary.

Despite Radiant's adherence to rigorous security protocols, including transaction simulations and payload verifications, the malware evaded detection by manipulating the transaction data shown in the front end, so what the developers reviewed did not match what they actually signed. Developers unknowingly signed malicious transactions, believing them to be legitimate. The attackers' planning made the intrusion almost undetectable during routine checks.
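The failure mode described here is a gap between what a signer is shown and what the bytes actually encode. One defensive control is to decode the calldata independently of the front end and compare it against the displayed intent before signing. The following is an added example, not code from the article or from Radiant Capital: a minimal decoder for the standard ERC-20 approve/transfer/transferFrom calls (the selectors are the standard ones; the addresses, amounts and the "tampered" calldata are constructed for illustration) that flags function, counterparty and amount mismatches, and additionally flags unlimited approvals, which are what leaves funds exposed later if they are never revoked.

```python
# Added example (not from the article or from Radiant Capital).
# Independently decodes ERC-20 calldata so a signer can check the bytes
# against what the UI claims the transaction does.

UNLIMITED = 2**256 - 1  # the usual "infinite approval" amount

# First four bytes of keccak256(signature); these are the standard ERC-20 selectors.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
SIGNATURES = {name: (sel, types) for sel, (name, types) in SELECTORS.items()}


def encode_call(name: str, *args) -> str:
    """ABI-encode one of the calls above. Used here only to build constructed sample calldata."""
    sel, types = SIGNATURES[name]
    out = bytes.fromhex(sel)
    for t, a in zip(types, args):
        if t == "address":
            out += bytes.fromhex(a.removeprefix("0x")).rjust(32, b"\x00")
        else:
            out += int(a).to_bytes(32, "big")
    return "0x" + out.hex()


def decode_calldata(calldata_hex: str) -> dict:
    """Decode selector and static arguments; unknown selectors are reported, not guessed."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": None, "selector": sel, "args": []}
    name, types = SELECTORS[sel]
    if len(data) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match the ABI signature")
    args = []
    for i, t in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if t == "address":
            if any(word[:12]):  # address words must be zero-padded on the left
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": sel, "args": args}


def compare_with_displayed_intent(calldata_hex, shown_function, shown_counterparty, shown_amount):
    """Return a list of discrepancies between the calldata and what the UI displayed."""
    decoded = decode_calldata(calldata_hex)
    findings = []
    actual = decoded["function"]
    if actual != shown_function:
        findings.append(f"function mismatch: UI showed {shown_function}, "
                        f"calldata encodes {actual or decoded['selector']}")
        return findings
    args = decoded["args"]
    # For transferFrom the counterparty that matters is the recipient (second arg).
    counterparty = args[1] if actual == "transferFrom" else args[0]
    amount = args[-1]
    if counterparty.lower() != shown_counterparty.lower():
        findings.append(f"counterparty mismatch: UI showed {shown_counterparty}, calldata has {counterparty}")
    if amount != shown_amount:
        findings.append(f"amount mismatch: UI showed {shown_amount}, calldata has {amount}")
    if actual == "approve" and amount == UNLIMITED:
        findings.append("unlimited approval: spender can move the full balance until revoked")
    return findings


# Constructed placeholder addresses, not real contracts.
UI_SPENDER = "0x" + "11" * 20
ROGUE_SPENDER = "0x" + "22" * 20


def demo():
    """Honest calldata matching the UI, and constructed calldata that does not."""
    shown_amount = 1000 * 10**18
    honest = encode_call("approve", UI_SPENDER, shown_amount)
    tampered = encode_call("approve", ROGUE_SPENDER, UNLIMITED)
    return (
        compare_with_displayed_intent(honest, "approve", UI_SPENDER, shown_amount),
        compare_with_displayed_intent(tampered, "approve", UI_SPENDER, shown_amount),
    )


if __name__ == "__main__":
    clean, flagged = demo()
    print("honest calldata:", clean or "matches displayed intent")
    for finding in flagged:
        print("tampered calldata:", finding)
```

The point of the design is that the check runs on the raw bytes the wallet is about to sign, not on anything the front end renders, so a compromised UI cannot satisfy it; a hardware wallet that decodes and displays calldata on-device gives the same property in practice.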

zeroShadow, a provider of Web3 security solutions, has also corroborated Radiant Capital’s assessment that the hack was the work of actors linked to North Korea. In a statement on December 9, the platform said:

“We also attribute the Oct. 16 Radiant Capital incident to the DPRK with high confidence based on multiple indicators we’ve collected on and off-chain. We’ve tracked movements in Hyperliquid as a result of Radiant users who did not revoke the permits, and not from the funds stolen from the initial incident.”

Radiant’s TVL is down more than 97% this year

Radiant Capital is a decentralized lending and borrowing protocol that integrates cross-chain capabilities through the use of LayerZero technology. DefiLlama’s latest figures put its Total Value Locked (TVL) at just over $6 million.

The October 16 hack isn’t the first time Radiant has been compromised this year. In January, a smart contract vulnerability was exploited, costing the platform $4.5 million. At that time its TVL was significantly higher, exceeding $300 million, which shows a steep decline in locked assets over the course of the year despite the bull run.
