Hackers gained access to a developer’s computer by posing as a former contractor.

Dec 9, 2024, 9:41 a.m. UTC

DeFi protocol Radiant Capital has attributed a $50 million exploit it suffered in October to North Korean hackers.

According to a report published on Dec. 6, the attackers started laying the groundwork for the Oct. 16 attack in mid-September, when a Telegram message from what appeared to be a trusted former contractor was sent to a Radiant Capital developer.

The message said the contractor was pursuing a new career opportunity related to smart contract auditing and was seeking feedback. It included a link to a zipped PDF file, which the developer opened and shared with other colleagues.

The message is now believed to have come from a “DPRK-aligned threat actor” who was impersonating the contractor, according to the report. The file contained a piece of malware called INLETDRIFT that established a persistent macOS backdoor while displaying a legitimate-looking PDF to the user.

Radiant Capital said that traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.

Through access to the computers, the hackers were able to gain control of several private keys.

The North Korean link was identified by cybersecurity firm Mandiant, although the investigation is still incomplete. Mandiant said it believes the attack was orchestrated by UNC4736, a group aligned to the country’s Reconnaissance General Bureau. It is also known as AppleJeus or Citrine Sleet.

The group has been implicated in several other attacks linked to cryptocurrency companies. It has previously used fake crypto exchange websites to trick people into downloading malicious software through links to job openings and fake wallets.

The incident followed an earlier unrelated hack against Radiant Capital in January, during which it lost $4.5 million.