Radiant Capital Incident Update
2024-12-06
We have an important update on the October 16, 2024 incident in which Radiant Capital was targeted by a highly sophisticated cyberattack that resulted in a loss valued at approximately $50M USD. On October 17, 2024, Radiant published a post-mortem of the attack and thereafter retained Mandiant, a leading cybersecurity firm, to assist in the investigation, particularly with on-device forensics. In parallel, the Radiant Capital DAO engaged zeroShadow and Hypernative for on-chain asset tracking and enlisted SEAL 911 for additional support.
This summary provides additional findings from Mandiant’s ongoing investigation, detailing the attacker’s advanced tactics and underscoring the urgent need for industry-wide improvements in transaction verification practices.
Incident Overview
On September 11, 2024, a Radiant developer received a Telegram message from what appeared to be a trusted former contractor. The message said that the contractor was pursuing a new career opportunity related to smart contract auditing. It included a link to a zipped PDF regarding the contractor’s new alleged endeavor and sought feedback about their work.
Requests to review PDFs are routine in professional settings — lawyers, smart contract auditors, and partners frequently share documents in this format. Given the normalcy of these interactions, and that it came from a former contractor, the file aroused no initial suspicion and was shared with other developers for feedback. In addition, the domain associated with the ZIP file convincingly spoofed the contractor’s legitimate website, further reducing suspicion.
Upon review, this message is suspected to have originated from a DPRK-aligned threat actor impersonating the former contractor. This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion.
Within the ZIP file, the attackers delivered a sophisticated piece of malware — INLETDRIFT — contained within Penpie_Hacking_Analysis_Report.zip. It established a persistent macOS backdoor while displaying a legitimate-looking PDF to the user. It employed a malicious AppleScript to communicate with the domain atokyonews[.]com.
This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices. The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.
Overview of Penpie_Hacking_Analysis_Report.zip containing INLETDRIFT
File: Penpie_Hacking_Analysis_Report.zip/Penpie_Hacking_Analysis_Report/Penpie_Hacking_Analysis_Report.app/Contents/Resources/Scripts/main.scpt
MD5: FF15427D45B84E79B2E81199613041BB
Dir Tree:
Penpie_Hacking_Analysis_Report.zip
├── Penpie_Hacking_Analysis_Report.app
│   ├── Contents
│   │   ├── CodeResources
│   │   ├── _CodeSignature
│   │   │   └── CodeResources
│   │   ├── Info.plist
│   │   ├── MacOS
│   │   │   └── applet
│   │   ├── PkgInfo
│   │   └── Resources
│   │       ├── applet.icns
│   │       ├── applet.rsrc
│   │       ├── description.rtfd
│   │       │   └── TXT.rtf
│   │       └── Scripts
│   │           └── **main.scpt**
│   └── Icon\015
└── solidity
    ├── BaseRewardPoolV2.sol
    ├── PendleStakingBaseUpg.sol
    ├── PendleStaking.sol
    └── PenpieReceiptToken.sol
App Display Name: com.atokyo.News
Network: hxxps://atokyonews[.]com/CloudCheck.php
Persistence: LaunchDaemons/com.apple.systemextensions.cache.plist
Decoy: Displays a legitimate PDF to the user after launching.
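A triage check for the lure described above, as an added example that is not part of Radiant's or Mandiant's material: it inspects a ZIP that was presented as a "PDF" and flags it when it actually carries a macOS app bundle built as an AppleScript applet (Contents/MacOS/applet plus Contents/Resources/Scripts/main.scpt, the layout in the directory tree). The sample archive is constructed in memory with placeholder contents; only the main.scpt MD5 comes from this page.

```python
import hashlib
import io
import zipfile

# Constructed sample mirroring the bundle layout above (placeholder bytes, no real malware).
SAMPLE_ENTRIES = {
    "Penpie_Hacking_Analysis_Report/Penpie_Hacking_Analysis_Report.app/Contents/Info.plist": b"<plist/>",
    "Penpie_Hacking_Analysis_Report/Penpie_Hacking_Analysis_Report.app/Contents/MacOS/applet": b"\xcf\xfa\xed\xfe",
    "Penpie_Hacking_Analysis_Report/Penpie_Hacking_Analysis_Report.app/Contents/Resources/Scripts/main.scpt": b"FasdUAS placeholder",
    "Penpie_Hacking_Analysis_Report/solidity/PendleStaking.sol": b"pragma solidity ^0.8.0;",
}

# MD5 of main.scpt as reported in this incident update (the only page-sourced hash).
KNOWN_BAD_MD5 = {"ff15427d45b84e79b2e81199613041bb"}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes} so the check can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag a 'document' archive that really contains an AppleScript applet bundle."""
    findings = {"app_bundles": set(), "applet_parts": [], "known_bad": [], "pdf_count": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, low = info.filename, info.filename.lower()
            if low.endswith(".pdf"):
                findings["pdf_count"] += 1
            idx = low.find(".app/contents/")
            if idx != -1:
                findings["app_bundles"].add(name[: idx + 4])
            # Applet stub binary and compiled AppleScript are the tell-tale pair.
            if low.endswith("/contents/macos/applet") or low.endswith("/contents/resources/scripts/main.scpt"):
                findings["applet_parts"].append(name)
                digest = hashlib.md5(zf.read(info)).hexdigest()
                if digest in KNOWN_BAD_MD5:
                    findings["known_bad"].append((name, digest))
    # Suspicious if an applet is present, or an app bundle arrived where a PDF was promised.
    findings["suspicious"] = bool(findings["applet_parts"]) or (
        bool(findings["app_bundles"]) and findings["pdf_count"] == 0
    )
    return findings
```

A hash hit is a bonus, not the primary signal: the structural check (app bundle plus applet where a PDF was expected) catches a recompiled variant whose hash differs.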
In the weeks before the heist, the attackers meticulously staged malicious smart contracts across Arbitrum, Binance Smart Chain, Base, and Ethereum, as detailed in the earlier post-mortem. Three minutes after executing the theft on October 16, 2024, they quickly removed traces of their second-stage backdoor and related browser extensions.
Mandiant attributes this attack to UNC4736, commonly referred to as AppleJeus or Citrine Sleet. Mandiant assesses with high confidence that UNC4736 has a Democratic People’s Republic of Korea (DPRK) nexus. Specifically, this group is aligned with DPRK’s Reconnaissance General Bureau (RGB) and has close ties with TEMP.Hermit.
Although the investigation is ongoing, Mandiant assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.
Broader Industry Implications
This incident demonstrates that even rigorous SOPs, hardware wallets, simulation tools like Tenderly, and careful human review can be circumvented by highly advanced threat actors. The reliance on blind signing and front-end verifications that can be spoofed demands the development of stronger, hardware-level solutions for decoding and validating transaction payloads.
As the DeFi industry grows, it must evolve beyond superficial checks and towards robust, device-level transparency to protect against increasingly sophisticated attacks.
Next Steps
In addition to working with Mandiant, the Radiant DAO continues close collaboration with U.S. law enforcement and zeroShadow to freeze stolen assets. Radiant remains available 24/7 to assist the respective agencies working to recover the stolen funds, and is committed to sharing lessons learned to help the entire industry improve security standards.