    DPRK-linked hackers social engineered $50m Radiant Capital exploit: report

    By Yeek.io, December 14, 2024

    A new postmortem report from Radiant Capital claims a North Korean state-backed hacker was behind the $50 million exploit of the protocol.

    The attacker impersonated a “trusted former contractor” of Radiant Capital to deploy malware via a “zipped PDF” file shared across the messaging platform Telegram, the report noted, citing findings by cybersecurity firm Mandiant.

    According to Radiant Capital, the file originated from a “DPRK-aligned threat actor” believed to be UNC4736, also referred to as Citrine Sleet, the group behind the AppleJeus malware.

    Leveraging the contractor’s prior relationship with Radiant’s team, the attacker crafted a convincing ruse by spoofing the contractor’s legitimate domain and sending a Telegram message requesting feedback on a supposed new project related to smart contract auditing.

    “Requests to review PDFs are routine in professional settings — lawyers, smart contract auditors, and partners frequently share documents in this format,” the report noted, adding that the message did not raise any suspicions and, as a result, was shared with other developers for feedback.

    The zip file, which appeared to be an after-incident report of the Penpie exploit, actually contained the INLETDRIFT malware, which created a macOS backdoor that allowed the threat actor to compromise the hardware wallets of at least three Radiant developers.

    During the Oct. 16 attack, the malware manipulated the front-end interface of Safe{Wallet} (formerly known as Gnosis Safe), displaying legitimate transaction data to the developers while the malicious transactions were executed in the background.

    Radiant noted that despite strict adherence to best practices like Tenderly simulations, payload verification, and industry-standard SOPs, the attackers managed to compromise multiple developer devices.

    “Mandiant assesses with high-confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor,” the report added.

    North Korean hackers stole billions in crypto

    UNC4736 is believed to have ties with the Democratic People’s Republic of Korea’s Reconnaissance General Bureau and has been known to target cryptocurrency-focused firms.

    As previously reported by crypto.news, earlier this year, the group targeted crypto financial institutions by exploiting a zero-day vulnerability in the Chromium browser to bypass browser security and execute malicious code within the browser’s sandbox.

    In September, the Federal Bureau of Investigation warned of the increasingly complex tactics used by North Korean hackers, noting they had taken an interest in targeting individuals linked to crypto exchange-traded funds.

    A more recent report from researchers at the Cyberwarcon Cybersecurity conference found that North Korean hackers managed to siphon over $10 million in just six months by infiltrating prominent companies as IT workers and other employees.

    The roughly $3 billion stolen from the crypto sector by these state-backed hacking groups between 2017 and 2023 is allegedly used to finance North Korea’s nuclear weapons program.
