December 10, 2024 at 05:00AM
Radiant Capital was targeted by a North Korean threat actor in a $50 million heist on October 16. Malware infected developers’ devices, enabling fraudulent transactions during normal operations. The attack, linked to group UNC4736, started in September through a deceptive Telegram message and exploited various blockchain platforms before erasing evidence.
### Meeting Takeaways: Radiant Capital Heist Incident
1. **Attack Overview**: A North Korean threat actor was responsible for a $50 million heist at Radiant Capital on October 16, attributed to malware infection affecting developers’ devices.
2. **Attack Methodology**:
   - Initial infection occurred in September via a malicious Telegram message appearing to come from a trusted contractor, containing a zipped PDF.
   - Several devices were infected with the sophisticated backdoor malware named Inletdrift, allowing fraudulent transactions during a multi-signature emissions adjustment process.
3. **Fraud Execution**:
   - Malicious transactions were able to bypass traditional security checks, as front-end interfaces displayed legitimate data while executing fraudulent actions in the background.
   - The attackers drained approximately $50 million from core markets and exploited open approvals to withdraw from user accounts.
4. **Investigation Findings**:
   - Mandiant investigated the incident and attributed it to a recognized North Korean threat group (UNC4736), also known as AppleJeus or Citrine Sleet, associated with the Reconnaissance General Bureau (RGB).
   - There is high confidence in the link to DPRK-nexus threat actors.
5. **Post-Incident Actions**:
   - Following the attack, the hackers eradicated traces of their activities, including the backdoor and browser extensions used during the operation.
6. **Future Implications**: The incident highlights vulnerabilities in decentralized finance systems and the need for enhanced security measures against sophisticated cyber threats.
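The fraud-execution points above (a front-end that shows legitimate data while different transactions are signed, and open approvals later used to drain user accounts) are the kind of thing a multi-sig signer can only catch by checking the raw transaction bytes. As an added illustration, not part of this summary or of Radiant Capital's own tooling, the Python below decodes ERC-20 `approve`/`transferFrom` calldata and flags unlimited approvals or a spender that differs from what the UI claimed; the selectors are the standard ERC-20 ones, while every address and amount is a constructed sample.

```python
# Added example, not from the Radiant Capital write-up: decode raw ERC-20
# calldata so a signer checks the bytes being signed instead of trusting a
# possibly tampered front-end. Addresses/amounts here are constructed samples.
UNLIMITED = 2**256 - 1
# 4-byte selectors: first 4 bytes of keccak256 of the function signature
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "23b872dd": ("transferFrom", ["address", "address", "uint256"]),
}


def decode_calldata(calldata_hex):
    """Return {'function', 'selector', 'args'} for known ERC-20 calls."""
    hex_str = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(hex_str)
    if len(data) < 4:
        raise ValueError("calldata too short for a function selector")
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": "unknown", "selector": sel, "args": []}
    name, types = SELECTORS[sel]
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError("argument block length does not match %s" % name)
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # ABI left-pads addresses with zero bytes
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": sel, "args": args}


def review_approval(calldata_hex, expected_spender):
    """Findings a signer should resolve before signing; empty = no flags."""
    decoded = decode_calldata(calldata_hex)
    findings = []
    if decoded["function"] == "unknown":
        findings.append("unrecognised selector 0x" + decoded["selector"])
    elif decoded["function"] == "approve":
        spender, amount = decoded["args"]
        if amount == UNLIMITED:
            findings.append("unlimited approval (open approval)")
        if spender.lower() != expected_spender.lower():
            findings.append("spender differs from the one shown in the UI")
    return findings
```

The same comparison applies to a hardware-wallet display: the decoded spender and amount should match what the signer expects, independently of the web front-end.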
### Additional Notes
- Continuous monitoring and in-depth security audits are essential to prevent similar incidents in the future.
- The attack underscores the importance of user education on cybersecurity threats, particularly relating to unsolicited messages and file downloads.