North Korean State-Backed Hacker Responsible for $50 Million Protocol Exploit
A recent postmortem report by Radiant Capital has revealed that a North Korean state-backed hacker orchestrated the $50 million exploit of the protocol.
The attacker was attributed to UNC4736, a DPRK-aligned threat actor also tracked as Citrine Sleet and associated with the AppleJeus malware family, and used a well-planned social-engineering and malware chain to carry out the attack.
The attack began with the impersonation of a trusted former contractor of Radiant Capital. Posing as the contractor, the attacker sent a zipped PDF over Telegram and asked for feedback on a new smart-contract-auditing project. The archive, which actually carried malware, was then passed around to other Radiant developers for review.
Unbeknownst to the developers, the file contained the INLETDRIFT malware, which installed a macOS backdoor. Through it the threat actor took control of three Radiant developers' workstations and, with them, the hardware-wallet signing flow those developers used. During the October 16, 2024 attack the malware tampered with the Safe{Wallet} front end so that the screen showed legitimate transaction data while the hardware wallets were in fact signing malicious transactions.
Radiant Capital followed recognised best practices, including Tenderly simulations and payload verification, yet the attackers still compromised multiple developer devices. Those checks operate on the transaction the front end presents, so they could not catch a payload that was swapped after it was displayed. Mandiant assessed with high confidence that the attack was carried out by a DPRK-nexus threat actor.
North Korean Hackers Targeting Crypto Sector
UNC4736, linked to the Democratic People's Republic of Korea's Reconnaissance General Bureau, has a history of targeting cryptocurrency-focused firms. The group previously exploited a zero-day vulnerability in the Chromium browser to target financial institutions in the crypto sector.
Recent reports have highlighted the layered tactics of North Korean operators, including a focus on individuals associated with crypto exchange-traded funds. At the CYBERWARCON security conference, researchers revealed that North Korean actors had siphoned over $10 million in just six months by getting hired at companies while posing as remote IT workers.
It is estimated that state-backed hacking groups from North Korea have stolen approximately $3 billion from the crypto sector between 2017 and 2023. These illicit funds are believed to be used to finance North Korea’s nuclear weapons program.