In summary
- North Korean hackers stole $50 million from Radiant Capital in a sophisticated malware attack disguised as a .ZIP file.
- The malware created a backdoor into macOS while displaying a legitimate PDF to avoid detection.
- The attackers bypassed security measures and compromised multiple developer devices in the process.
Hackers from the Democratic People’s Republic of Korea (DPRK)—commonly known as North Korea—are responsible for the recent hack of Radiant Capital, the firm claims.
In mid-October, decentralized finance (DeFi) protocol Radiant Capital lost approximately $50 million in what the team described as “one of the most sophisticated hacks ever recorded in DeFi.”
Now, in a more recent update, Radiant Capital’s contracted cybersecurity firm, Mandiant, “assesses with high confidence that this attack is attributable to a threat actor linked to the Democratic People’s Republic of Korea (DPRK).”
Recounting the events, the statement explains that when a developer was contacted by a “trusted former contractor” in early September, it was actually a DPRK actor in disguise. The imposter shared a .zip file under the pretext of asking for feedback on a new project they were working on.
“This .ZIP file, when shared for feedback among other developers, ultimately delivered the malware that facilitated the subsequent intrusion,” they explain in their reconstruction of the events. The malware in question was described as sophisticated: it established a permanent backdoor on macOS while displaying a legitimate PDF to the user to avoid detection.
The payload was a malicious AppleScript that led the system to communicate with an innocent-looking domain name, according to the team. Hackers were also able to leverage malware to bypass security measures implemented by web3 infrastructure provider Tenderly.
“This deception was carried out so perfectly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry standard operating procedures at every step, the attackers also compromised multiple developer devices,” the statement explains.
In the part of the statement describing how the Tenderly checks behaved on the hacked devices, it is detailed that “frontend interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional verifications and simulations showed no obvious discrepancies, making the threat virtually invisible during normal stages of review.”
Edited by Stacy Elliott.