Radiant Capital $50M Hack Blamed On DPRK Posing As Contractor

Key Points:

• Radiant Capital $50M Hack attributed to DPRK actor posing as a contractor, exploiting disguised malware.
• Malware from Radiant Capital’s $50M Hack bypassed security checks, impacting multiple developer devices.

Radiant Capital $50M Hack tied to DPRK actor posing as ex-contractor, using malware in disguised files to breach systems in one of DeFi’s most advanced attacks.

How DPRK Carried Out the Radiant Capital $50M Hack

Radiant Capital identified a DPRK-linked actor as the source of its $50M hack. The attack began when a developer was contacted by someone impersonating a trusted former contractor. The hacker shared a zip file under the pretense of seeking project feedback, which contained sophisticated malware that breached macOS systems.

The malware created a backdoor, avoided detection by displaying legitimate PDFs, and even bypassed security tools like Tenderly. This breach allowed attackers to conduct malicious transactions while showing benign data during standard checks, leaving the team blindsided, according to Decrypt.

Read more: Radiant Capital Hack Causes Platform to Lose Over $50M

Advanced Malware Techniques Used in Radiant Capital $50M Hack

The DPRK actor’s malware exploited AppleScript to establish a covert communication channel, disguised under an innocent domain name. It bypassed critical web3 infrastructure security and simulated normal transactions, ensuring malicious actions remained hidden.

Even with Radiant Capital’s best practices in place, the attackers compromised multiple devices. The incident underscores the growing sophistication of cyber threats in DeFi, necessitating enhanced security protocols across platforms.