Radiant Capital Revealed October Hack Orchestrated by North Korean Hacker
Radiant Capital has revealed that a $50 million hack in October was orchestrated by a North Korea-aligned threat actor who used malware delivered via Telegram, impersonating a former contractor.
In a 6 December update, the platform shared findings from cybersecurity firm Mandiant, which attributed the attack with "high confidence" to a Democratic People's Republic of Korea (DPRK)-linked group.
The incident began on 11 September, when a Radiant developer received a Telegram message from a "trusted former contractor" asking for feedback on a project.
The message included a zip file that appeared routine but contained malware.
The update stated:
“Upon review, this message is suspected to have originated from a DPRK-aligned threat actor impersonating the former contractor. This ZIP file, when shared for feedback among other developers, ultimately delivered malware that facilitated the subsequent intrusion.”
By 16 October, the attacker had gained control of several private keys and smart contracts, forcing Radiant to halt its lending markets.
The hackers disguised malicious transactions by manipulating front-end interfaces to show legitimate data, while executing unauthorised transfers in the background.
The update added:
“Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”
Radiant pointed out:
“This deception was carried out so seamlessly that even with Radiant's standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices.”
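The deception described above works because reviewers trust what the front end displays rather than the raw payload handed to the signer. As an added illustration (not Radiant's or Mandiant's code, and not tied to the actual contracts involved), the following Python decodes the calldata a wallet is asked to sign and compares it with the intent the UI claimed; the selectors are the well-known ERC-20 and Ownable ones, and the payloads and addresses are constructed for the demo.

```python
# Independent "what am I really signing?" check. Run it on a machine separate
# from the one that renders the front end, so a tampered UI cannot also tamper
# with this comparison. Selectors below are the standard public ones, not
# values from the Radiant incident.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}

def decode_calldata(calldata_hex: str) -> dict:
    """Decode a static-argument call; raise ValueError on anything unexpected."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata too short")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    name, types = KNOWN_SELECTORS[selector]
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError("argument length mismatch")
    args = []
    for i, t in enumerate(types):
        word = words[32 * i : 32 * (i + 1)]
        if t == "address":
            if any(word[:12]):  # ABI pads addresses with 12 zero bytes
                raise ValueError("malformed address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}

def _norm(args):
    return [a.lower() if isinstance(a, str) else a for a in args]

def matches_intent(calldata_hex: str, intent: dict) -> bool:
    """True only if the raw payload says exactly what the UI claimed."""
    try:
        decoded = decode_calldata(calldata_hex)
    except ValueError:
        return False
    return decoded["function"] == intent["function"] and _norm(decoded["args"]) == _norm(intent["args"])

def _encode_transfer(to: str, amount: int) -> str:
    """Builds constructed ERC-20 transfer payloads for the demo only."""
    return "0xa9059cbb" + "00" * 12 + to.removeprefix("0x").lower() + amount.to_bytes(32, "big").hex()

# Constructed scenario: the UI shows a transfer to 0x11..11, the signer receives 0x22..22.
INTENDED = {"function": "transfer", "args": ["0x" + "11" * 20, 1000]}
DISPLAYED_PAYLOAD = _encode_transfer("0x" + "11" * 20, 1000)
ACTUAL_PAYLOAD = _encode_transfer("0x" + "22" * 20, 1000)

if __name__ == "__main__":
    print(matches_intent(DISPLAYED_PAYLOAD, INTENDED))  # True
    print(matches_intent(ACTUAL_PAYLOAD, INTENDED))     # False: recipient swapped
```

Any payload whose selector is not on the allowlist is rejected outright, which is the safer default when a signer cannot fully decode what it is being shown.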
The responsible entity, known as "UNC4736" or "Citrine Sleet," is linked to North Korea's Reconnaissance General Bureau and may operate as a sub-cluster of the notorious Lazarus Group.
The attackers moved approximately $52 million of the stolen funds by 24 October.
North Korean hacking groups have long targeted crypto platforms, stealing an estimated $3 billion between 2017 and 2023.
Radiant emphasized that the zip file seemed credible due to its professional context, and the spoofed domain closely mimicked the contractor's legitimate website, enabling the attack to bypass initial suspicion.
The update continued:
“This incident demonstrates that even rigorous SOPs, hardware wallets, simulation tools like Tenderly, and careful human review can be circumvented by highly advanced threat actors.”