BitBulteni

Technology | December 9, 2024 | BitBulteni

North Korean Hacker Conducted a $50 Million Attack on Radiant Capital

It was announced that the $50 million attack on Radiant Capital in October was carried out by a hacker with ties to North Korea who was posing as a former contractor.

The DeFi platform stated that the attack was carried out through malware sent via Telegram.

Radiant announced in a statement on December 6 that Mandiant, the cybersecurity firm contracted for the ongoing investigation, “concluded with high confidence that this attack was attributable to a threat actor affiliated with the Democratic People’s Republic of Korea (DPRK).”

The platform reported that on September 11 a Radiant developer received a Telegram message from a former contractor with a ZIP file about a new initiative on which feedback was sought.

“This message is suspected to have originated from a DPRK-affiliated threat actor impersonating the former contractor,” it said. “When this ZIP file was shared with other developers for feedback, it transmitted the malware that subsequently caused the interference.”

On October 16, the DeFi platform was forced to shut down credit markets after hackers gained access to private keys and smart contracts of several signatories. North Korean hacker groups stole more than $3 billion in crypto by attacking crypto platforms between 2017 and 2023.

Radiant said the file did not raise suspicion because “PDF review requests are routine in professional environments” and that “it is common practice for developers to share documents in this format.”

The domain name linked to the ZIP file also spoofed the contractor’s actual website.

Multiple Radiant developer devices were compromised during the attack. Their front-end interfaces displayed innocent transaction data while malicious transactions were signed in the background.

“Conventional checks and simulations performed showed no significant inconsistencies, resulting in the threat being almost invisible during normal investigation stages,” Radiant added.

“This scam was executed so seamlessly that despite Radiant’s standard best practices, such as running transaction simulations in Tenderly, validating payload data, and following industry-standard procedures at every step, attackers were able to compromise multiple developer devices,” Radiant said.

Radiant Capital said the threat actor responsible is an entity known as “UNC4736”, also known as “Citrine Sleet”, which is affiliated with the Reconnaissance General Bureau (RGB), North Korea’s main intelligence agency. It is stated that this group may be a subset of the Lazarus Group.

The $52 million stolen in the attack was moved on October 24.

Radiant Capital added the following statement in its update: “This incident demonstrates how rigorous SOPs, hardware wallets, simulation tools like Tenderly, and careful human review can be bypassed by highly advanced threat actors.”

It also added that “more robust solutions need to be developed at the hardware level for decoding and verifying processing payloads.”

It was stated that Radiant was also attacked at the beginning of this year. The platform shut down credit markets after a $4.5 million flash loan fraud in January.

Following these two exploits, Radiant’s total value locked dropped from over $300 million at the end of last year to approximately $5.81 million as of December 9.
