From a Zip File to Catastrophe: Radiant’s $50M Hack Explained


Back in October 2024, when Radiant Capital confirmed it had been hacked for over $50 million, it sounded like another classic DeFi exploit. But what happened wasn’t just another smart contract bug or sloppy coding. Now, months later, we finally get the full picture.


It all started with a message. On September 11, a Radiant developer received a Telegram DM from someone they believed was a former contractor. Inside was a zip file – a request for feedback on a “new project”. Unfortunately, it wasn’t a former colleague – it was a hacker tied to North Korea. And the zip file carried malware so advanced it fooled every security measure the team had in place.

The Malware That Fooled Everyone

What’s shocking is how professional the attack was. The malware, once opened, quietly spread across devices used by Radiant’s core developers. These weren’t amateurs using outdated software either – we’re talking about experienced devs using hardware wallets and following best practices, including simulation tools like Tenderly.

Even with all that, the attackers managed to manipulate what the developers saw. On the surface, every transaction looked clean. No odd contract calls. No strange token movements. Everything passed simulations and manual checks. But behind the scenes, those transactions were altered, gathering signatures for malicious actions.

The trick was subtle. Transactions kept failing – or at least appeared to. That’s not rare in crypto. Gas fees fluctuate, RPCs get overloaded, wallets misbehave. So the devs did what anyone would do: re-sign and resend. Each time, unknowingly giving hackers exactly what they needed.

The Attack: Quiet, Calculated, and Deadly

The attackers used these signatures to quietly gain control over Radiant’s core contracts on Arbitrum and Binance Smart Chain. Once in control, they didn’t waste time. $50 million was drained across both networks in a matter of minutes. By the time the team realized something was wrong, it was already too late.

To make things worse, the hackers also took advantage of open approvals to pull funds from user wallets. Radiant had to pause its lending markets and warn users to revoke approvals on every supported chain, not just Arbitrum and BSC, but also Ethereum and Base.

The whole incident was devastating not only because of the amount stolen, but because of how quietly it happened – right under the noses of a team that wasn’t being careless at all.

Who Was Behind It?

According to cybersecurity firm Mandiant, the hack has now been linked to a North Korean group known as “UNC4736” or “Citrine Sleet” – likely a sub-group of the infamous Lazarus Group. They didn’t brute-force their way in. They earned the trust of their targets, impersonated a known developer, crafted a fake domain that looked exactly like the real one, and patiently waited for someone to open the wrong file.

Once the malware was in, it used clever tricks on macOS systems – even spoofing PDF previews – and then hijacked the transaction approval process. The team didn’t even notice because the malware operated in the background, while showing the devs something completely different on their screen.

This wasn’t just some quick smash-and-grab. It was a calculated, months-long operation designed to bypass everything that’s supposed to keep DeFi safe.

Can This Even Be Prevented?

Radiant’s team has since made major security changes – fresh cold wallets, fewer signers, extra verification steps using raw transaction data, and timelocks for key operations. But none of that would’ve stopped this attack once the malware was already inside.

That’s the tough part. The breach could have been avoided entirely if the malicious file hadn’t been opened in the first place. But once the malware was in, all the usual safeguards – simulations, hardware wallets, multi-sigs – weren’t enough. The attackers had already bypassed the walls before anyone knew there was a breach.
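One way to implement the raw-transaction check the team adopted, as an added example and not Radiant's own tooling: the script decodes the raw calldata the signer is about to approve and compares it with what the wallet UI displayed, flagging a mismatch or a privileged call such as an ownership transfer. The function selectors are the standard ERC-20 and Ownable ones; every address and the sample transaction are constructed placeholders. The check only helps when it runs on a device the compromised workstation cannot influence, since the whole point of the attack was controlling what the signer saw.

```python
# Added example: compare raw calldata with what a wallet UI displayed before
# signing. Selectors are the well-known 4-byte keccak256 function selectors.
# All addresses below are constructed placeholders, not Radiant's contracts.

KNOWN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
    "f2fde38b": "transferOwnership(address)",
}

# Calls that hand over control of a contract always deserve a second look.
PRIVILEGED = {"transferOwnership(address)"}


def decode_calldata(calldata_hex: str) -> dict:
    """Split raw calldata into selector, function name and first address arg."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) < 8 or len(data) % 2:
        raise ValueError("malformed calldata")
    selector, args = data[:8], data[8:]
    first_addr = None
    if len(args) >= 64:
        # ABI encodes an address as a 32-byte word, left-padded with zeros.
        word = args[:64]
        if word[:24] != "0" * 24:
            raise ValueError("first argument is not a clean address word")
        first_addr = "0x" + word[24:]
    return {"selector": selector,
            "function": KNOWN_SELECTORS.get(selector, "unknown"),
            "first_address": first_addr}


def verify_before_signing(displayed: dict, raw_tx: dict) -> list[str]:
    """Return findings where the raw transaction disagrees with the UI."""
    findings = []
    if displayed["to"].lower() != raw_tx["to"].lower():
        findings.append(f"target mismatch: UI {displayed['to']} vs raw {raw_tx['to']}")
    decoded = decode_calldata(raw_tx["data"])
    if decoded["function"] != displayed["function"]:
        findings.append(f"function mismatch: UI {displayed['function']} "
                        f"vs raw {decoded['function']}")
    if decoded["function"] in PRIVILEGED:
        findings.append(f"privileged call {decoded['function']} "
                        f"to {decoded['first_address']}")
    return findings


# Constructed sample: UI shows a routine token transfer, raw data says otherwise.
SAMPLE_DISPLAYED = {"to": "0x" + "11" * 20, "function": "transfer(address,uint256)"}
SAMPLE_RAW_TX = {"to": "0x" + "11" * 20, "data": "0xf2fde38b" + "00" * 12 + "ab" * 20}

if __name__ == "__main__":
    for finding in verify_before_signing(SAMPLE_DISPLAYED, SAMPLE_RAW_TX):
        print("REFUSE TO SIGN:", finding)
```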

A $50 Million Lesson

Radiant’s token, RDNT, is now trading at just 2.6 cents – down over 90% from its highs last year. It’s hard to see a project recover from something like this, especially when it’s not its first breach. Earlier in 2024, Radiant also suffered a $4.5 million flash loan exploit.

The protocol’s market cap fell from nearly $200 million to its current $32 million. That kind of collapse doesn’t just reflect a drop in investor confidence – it shows that users have stopped trusting the platform altogether.


Kate Taylor