Radiant Capital: North Korean hackers impersonated former contractors in $50 million attack
Editor
2024-12-09 13:02

Author: Stephen Katte, CoinTelegraph; Compiler: Tao Zhu, Golden Finance

Radiant Capital says the October hack of its decentralized finance (DeFi) platform, which cost roughly $50 million, began with malware delivered over Telegram by a North Korea-aligned threat actor posing as a former contractor.

In a Dec. 6 update on the investigation, Radiant said its contracted cybersecurity firm Mandiant had assessed with "a high degree of confidence that this attack was the work of a threat actor with ties to North Korea."

The platform said that on September 11, a Radiant developer received a Telegram message from a "trusted former contractor" containing a zip file, with a request to review the contractor's work and provide feedback on a planned new project.

"Upon review, the message is suspected to have come from a North Korea-aligned threat actor posing as a former contractor," it said. "When this ZIP file was shared among other developers for feedback, it ended up spreading the malware, which enabled subsequent intrusions."

On October 16, the attacker gained control of multiple signers' private keys and of Radiant's smart contracts, forcing the platform to suspend its lending markets. North Korean hacking groups have long targeted cryptocurrency platforms and are estimated to have stolen about $3 billion in cryptocurrency between 2017 and 2023.

Source: Radiant Capital

Radiant said the document did not raise additional suspicion because, in its words, "in a professional environment, requests to review PDFs are common practice" and developers "frequently share documents in this format."

The domains associated with the ZIP file also spoofed the contractor's legitimate website.

Multiple Radiant developer devices were compromised during the attack; the wallet front end displayed benign transaction data while the malicious transactions were actually being signed in the background.

"Traditional checks and simulations showed no noticeable discrepancy, making the threat virtually invisible during the normal review phase," it added.

"The deception was so seamless that even using Radiant's standard best practices, such as simulating transactions in Tenderly, validating payload data, and following industry-standard SOPs every step of the way, the attackers were still able to compromise multiple developer devices," Radiant wrote.

Examples of phishing PDFs that may be used by the hacking group. Source: Radiant Capital

Radiant Capital believes the threat actor responsible is the group tracked as "UNC4736", also known as "Citrine Sleet", which is assessed to be linked to North Korea's main intelligence agency, the Reconnaissance General Bureau (RGB), and is thought to be a sub-group of the Lazarus Group.

The attackers moved approximately $52 million in stolen funds on October 24.

"This incident demonstrates that even strict SOPs, hardware wallets, simulation tools like Tenderly, and careful manual review can be bypassed by very advanced threat actors," Radiant Capital wrote in its update.

"Reliance on blind signing and on front-end verification that can be spoofed requires the development of more robust hardware-level solutions to decode and verify transaction payloads," it added.
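The check Radiant is pointing at, decoding the raw payload handed to the signer independently of the front end and comparing it with what the UI claims is being signed, can be shown with a small ABI decoder. The code below is an added example written for this page; it is not Radiant's, Mandiant's or any wallet vendor's code. The contract and wallet addresses, the "UI shows an approve, signer receives a transferOwnership" scenario, and the names decode_calldata, matches_intent and demo are constructed for illustration; only the three 4-byte selectors (the standard ERC-20 transfer/approve and Ownable transferOwnership selectors) are real constants. The incident's lesson is that this decode-and-compare step has to run on a device the attacker does not control, such as a hardware wallet with a clear-signing display, because the compromised host can lie about both the UI and the simulation.

```python
"""Added example: decode what is actually being signed and compare it
with what the front end displayed.  Not code from Radiant or Mandiant."""
from __future__ import annotations
from dataclasses import dataclass

# First 4 bytes of keccak256(signature) for a few common functions.
SELECTORS = {
    "a9059cbb": ("transfer", ["address", "uint256"]),
    "095ea7b3": ("approve", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership", ["address"]),
}


@dataclass
class DecodedCall:
    to: str          # contract the call targets (lower-cased hex)
    function: str    # decoded function name, or unknown(0x...)
    args: list       # decoded static arguments


def _word(calldata: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the selector."""
    start = 4 + 32 * index
    chunk = calldata[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def decode_calldata(to: str, calldata: bytes) -> DecodedCall:
    """Decode a call with static (address/uint256) arguments only.
    Unknown selectors are reported as unknown rather than guessed."""
    sel = calldata[:4].hex()
    if sel not in SELECTORS:
        return DecodedCall(to.lower(), f"unknown(0x{sel})", [calldata[4:].hex()])
    name, types = SELECTORS[sel]
    if len(calldata) != 4 + 32 * len(types):
        raise ValueError("unexpected calldata length for " + name)
    args: list = []
    for i, typ in enumerate(types):
        word = _word(calldata, i)
        if typ == "address":
            if any(word[:12]):  # an address word must be zero-padded on the left
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(to.lower(), name, args)


def encode_call(selector_hex: str, args: list) -> bytes:
    """Build calldata for the constructed scenario (static args only)."""
    out = bytes.fromhex(selector_hex)
    for arg in args:
        if isinstance(arg, str):                  # address
            out += bytes(12) + bytes.fromhex(arg[2:])
        else:                                     # uint256
            out += int(arg).to_bytes(32, "big")
    return out


def matches_intent(displayed: DecodedCall, signed: DecodedCall) -> bool:
    """True only if the decoded payload is exactly what the UI displayed."""
    return (displayed.to.lower() == signed.to.lower()
            and displayed.function == signed.function
            and displayed.args == signed.args)


def demo() -> tuple[bool, DecodedCall, DecodedCall]:
    """Constructed scenario: the front end shows a harmless approve on a
    token contract, but the bytes sent to the signer transfer ownership
    of a lending-pool contract to an attacker-controlled address."""
    token = "0x" + "11" * 20      # constructed token contract
    pool = "0x" + "22" * 20       # constructed lending-pool contract
    spender = "0x" + "33" * 20    # constructed spender shown in the UI
    attacker = "0x" + "44" * 20   # constructed attacker address
    shown = DecodedCall(token, "approve", [spender, 10 ** 18])
    raw_to, raw_data = pool, encode_call("f2fde38b", [attacker])
    actual = decode_calldata(raw_to, raw_data)
    return matches_intent(shown, actual), shown, actual


if __name__ == "__main__":
    ok, shown, actual = demo()
    print("UI displayed :", shown)
    print("signer got   :", actual)
    print("match        :", ok)
```

The comparison is deliberately exact (same target contract, same function, same arguments); a check that only inspects the UI, or a simulation driven by the same compromised host, is what the quoted text says was bypassed.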

This is not the first time Radiant has been attacked this year. The platform suspended its lending market in January after a $4.5 million flash loan exploit.

After two exploits this year, Radiant's total value locked (TVL) has dropped sharply, from more than $300 million at the end of last year to about $5.81 million on December 9, according to DefiLlama data.
