In a daring cyber heist, hackers with ties to North Korea orchestrated a $50 million theft from Radiant Capital by masquerading as a “trusted former contractor.” They cleverly distributed malware through a “zipped PDF” file over the Telegram messaging platform, according to insights from the cybersecurity firm Mandiant. Radiant Capital identified the culprits as a DPRK-aligned cyber group, possibly UNC4736 or Citrine Sleet, known for the notorious AppleJeus malware.
The fraudsters exploited their assumed identity of the former contractor, creating a believable façade by mimicking the contractor’s genuine domain. They sent a Telegram message asking for feedback on a purported new project concerning smart contract auditing. The request seemed ordinary, as professionals often exchange PDFs for review. Consequently, the message, perceived as benign, was circulated among developers for their input.
However, the seemingly harmless zip file, presented as an after-incident report on the Penpie exploit, harbored the INLETDRIFT malware, which planted a macOS backdoor and compromised the hardware wallets of at least three Radiant developers. During the assault on October 16, the malware tampered with the Safe{Wallet} interface, showing developers authentic-looking transaction data while clandestinely executing malicious transactions.
Despite Radiant’s rigorous security measures, including Tenderly simulations and payload verification, the attackers successfully breached multiple developer devices. Mandiant has expressed “high confidence” that this attack traces back to a DPRK-nexus threat actor.
UNC4736, linked to North Korea’s Reconnaissance General Bureau, has a history of targeting the cryptocurrency sector. Notably, the group has exploited vulnerabilities in the Chromium browser to conduct attacks and has shown a growing interest in crypto exchange-traded funds, as highlighted by the FBI.

Recent findings presented at the Cyberwarcon cybersecurity conference reveal that North Korean hackers have extracted over $10 million in six months by infiltrating companies under the guise of IT workers. Between 2017 and 2023, these state-supported hacking operations allegedly pilfered approximately 3 billion from the crypto industry, funds purportedly funneled into North Korea’s nuclear ambitions.