Radiant Capital Says DPRK Actor Posed as Ex-Contractor to Pull Off $50 Million Hack

Hackers from the Democratic People’s Republic of Korea (DPRK)—commonly known as North Korea—are responsible for the recent Radiant Capital hack, the firm claims.

In mid-October, decentralized finance (DeFi) protocol Radiant Capital lost about $50 million to what the team described as “one of the most sophisticated hacks ever recorded in DeFi.”

Now, in a more recent update, Radiant Capital’s contracted cybersecurity firm Mandiant “assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”

Recounting the events, the post explains that when a developer was contacted by a “trusted former contractor” in early September, it was a DPRK actor in disguise. The impersonator shared a zip file under the guise of asking for feedback on a new project they were working on.

“This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion,” reads the reconstruction of the events. The malware in question was reportedly sophisticated. It established a permanent macOS backdoor while still displaying a legitimate PDF to the user to avoid detection.

The payload was a malicious AppleScript that led the system to communicate with an innocent-sounding domain name, the team said. The hackers were also able to leverage the malware to bypass the security measures put in place by web3 infrastructure provider Tenderly.

“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers also compromised multiple developer devices,” the post explains.

Explaining how Tenderly acted on the hacked devices, the post explains that “the front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”

Edited by Stacy Elliott.