Radiant Capital Hack Exposes North Korean State-Backed Malware Threat
A recent postmortem report from Radiant Capital sheds light on a sophisticated malware attack that resulted in a $50 million exploit of the protocol. According to the report, the attack was carried out by a North Korean state-backed hacker who impersonated a trusted former contractor to deploy the malware via a zipped PDF file shared on Telegram.
How the Attack Unfolded
The attacker, believed to be part of the UNC4736 threat actor group, also known as Citrine Sleet, leveraged the contractor’s prior relationship with Radiant’s team to craft a convincing ruse. The attacker spoofed the contractor’s legitimate domain and sent a Telegram message requesting feedback on a supposed new project related to smart contract auditing. The message did not raise any suspicions and, as a result, was shared with other developers for feedback.
The zip file, which appeared to be a post-incident report on the Penpie exploit, actually contained the INLETDRIFT malware. This malware created a macOS backdoor that allowed the threat actor to compromise the hardware wallets of at least three Radiant developers.
Malware Manipulation and Best Practices
During the October 16 attack, the malware manipulated the front-end interface of Safe{Wallet} (formerly known as Gnosis Safe), displaying legitimate transaction data to the developers while the malicious transactions were executed in the background. Despite Radiant’s adherence to best practices like Tenderly simulations, payload verification, and industry-standard SOPs, the attackers managed to compromise multiple developer devices.
“Mandiant assesses with high confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor.”
North Korean Hackers’ Crypto Heists
UNC4736 is believed to have ties with the Democratic People’s Republic of Korea’s Reconnaissance General Bureau and has been known to target cryptocurrency-focused firms. North Korean hackers have stolen billions in crypto, with the roughly $3 billion stolen from the crypto sector between 2017 and 2023 allegedly used to finance North Korea’s nuclear weapons program.
Some key facts about North Korean hackers’ tactics include:
- Exploiting zero-day vulnerabilities in the Chromium browser to bypass browser security and execute malicious code within the browser’s sandbox.
- Infiltrating prominent companies as IT workers and other employees to siphon funds.
- Targeting individuals linked to crypto exchange-traded funds.