DeFi protocol Radiant Capital has attributed a $50 million exploit it suffered in October to North Korean hackers.
According to a report published on December 6, the attackers began laying the groundwork for the October 16 attack in mid-September, when a Telegram message from what appeared to be a trusted former contractor was sent to a Radiant Capital developer.
The message said the contractor was looking for a new career opportunity related to smart contract auditing and wanted feedback on their work. It included a link to a zipped PDF file, which the developer opened and shared with other colleagues.
The message is now believed to come from a “DPRK-aligned threat actor” who was impersonating the contractor, according to the report. The file contained a piece of malware called INLETDRIFT that set up a persistent macOS backdoor while displaying a legitimate PDF to the user.
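The lure described above, a zipped "PDF" that installs a macOS backdoor while showing the user a genuine document, is the kind of attachment a security team can triage before anyone double-clicks it. The following is an added defensive example, not code from Radiant Capital, Mandiant or the report: it scans a zip archive, compares each entry's claimed extension with its magic bytes, and flags macOS application bundles and Mach-O executables. The assumption that the malicious payload was a Mach-O binary is mine; the report quoted here only says the file installed a macOS backdoor. The archives it scans are constructed in memory for demonstration.

```python
"""Scan a zip archive for entries that claim to be PDFs but are not.

Added defensive example (not from the Radiant Capital report or Mandiant).
It compares each entry's declared extension with its actual magic bytes and
flags macOS application bundles (Contents/MacOS/) and Mach-O executables.
The sample archives below are constructed in memory for demonstration.
"""
import io
import zipfile

# Magic bytes for the formats this check cares about (real values).
PDF_MAGIC = b"%PDF-"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xce\xfa\xed\xfe",  # MH_CIGAM (byte-swapped)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC (universal binary)
}


def classify(head: bytes) -> str:
    """Return a coarse content type from the first bytes of a file."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def scan_archive(data: bytes) -> list:
    """Return a list of (entry_name, reason) findings for a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            # Executable inside a macOS application bundle shipped in the archive
            if "/Contents/MacOS/" in name:
                findings.append((name, "macOS application bundle in archive"))
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = classify(head)
            base = name.rsplit("/", 1)[-1]
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext == "pdf" and kind != "pdf":
                findings.append((name, f"extension .pdf but content is {kind}"))
            if kind == "mach-o":
                findings.append((name, "Mach-O executable"))
            if kind == "zip":
                findings.append((name, "nested archive"))
    return findings


def build_sample(entries: dict) -> bytes:
    """Constructed helper: build a zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign PDF and a lure that mimics the pattern above
# (an executable named like a PDF, an app bundle, and a decoy document).
BENIGN = build_sample({"resume.pdf": b"%PDF-1.7\n%...benign...\n"})
LURE = build_sample({
    "Audit_Feedback.pdf": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # Mach-O disguised as PDF
    "Audit_Feedback.app/Contents/MacOS/Audit_Feedback": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "decoy.pdf": b"%PDF-1.4\n...decoy shown to the user...\n",
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("lure", LURE)):
        print(label, scan_archive(blob))
```

Run the script directly to see the benign archive produce no findings and the constructed lure produce four. In practice this check belongs in a mail or chat attachment gateway, and the same magic-byte comparison generalises to other decoy-document formats once their signatures are added to `classify`.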
Radiant Capital said traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review.
With access to the compromised developer machines, the attackers were able to gain control of multiple private keys.
The North Korean link was identified by the cybersecurity company Mandiant, although the investigation is still incomplete. Mandiant said it believed the attack was orchestrated by UNC4736, a group aligned with the country's General Reconnaissance Office that is also known as AppleJeus or Citrine Sleet.
The group has been involved in several other attacks on cryptocurrency companies. It previously used fake crypto exchange websites to trick people into downloading malicious software through job opening links and fake wallets.
The incident followed a previously unrelated hack against Radiant Capital in January, during which it lost $4.5 million.