As a seasoned researcher with a keen eye for cybersecurity threats, I can’t help but feel a sense of deja vu when I read about yet another high-profile hack in the DeFi space. The fact that North Korean hacking groups are continuously evolving their tactics and tools to target cryptocurrency platforms is concerning, to say the least.
Radiant Capital announced that the $50 million attack on its DeFi platform in October was initiated by malware distributed over Telegram. The attack is believed to have been orchestrated by a North Korea-linked hacker who posed as a former employee of the company.
In a December 6 update on its ongoing investigation, Radiant said that Mandiant, the cybersecurity firm it hired, has concluded with high confidence that the attack can be traced back to a North Korea-linked threat group.
The platform said that on September 11 a Radiant developer had received a zip file via Telegram from a “trusted former contractor,” who was asking for feedback on a new project they were starting.
“After examining the message, it appears it may have been sent by a North Korea-linked hacker posing as a former contractor,” the platform noted. “Once the ZIP file was shared with other developers for feedback, it unknowingly distributed malware that paved the way for the subsequent attack.”
On October 16, the DeFi platform temporarily halted its lending markets after an attacker gained control of multiple signers’ private keys and smart contracts.
On November 12th, North Korean cyber groups were discovered targeting macOS users through a new malware campaign that employed phishing emails, fake PDF applications, and techniques to bypass Apple’s security measures.
In October, North Korean hackers were also found exploiting a vulnerability in Google Chrome to steal cryptocurrency wallet credentials.
Radiant explained that the file raised no additional suspicion because reviewing PDFs is routine for professionals and developers commonly exchange such documents.
The domain associated with the ZIP file also spoofed the contractor’s legitimate website.
During the attack, several devices used by Radiant developers were compromised. The front-end displayed benign transaction details while malicious transactions were being signed in the background.
“Traditional checks and simulations showed no apparent inconsistencies, making the threat undetectable during routine assessment periods,” the platform said.
Radiant said the deception was executed so flawlessly that even with its usual precautions, such as simulating transactions in Tenderly, validating payload data, and following industry-standard procedures at every stage, the attackers still managed to compromise several developer devices.
Radiant Capital suspects that the culprit is the group tracked as “UNC4736,” also known as “Citrine Sleet.” The group is reported to have ties to North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB), and is believed to be a subgroup of the Lazarus Group.
The attackers moved about $52 million of the stolen funds on October 24.
As Radiant Capital stated in its recent report, the incident shows that sophisticated adversaries can bypass stringent procedures, secure hardware wallets, simulation tools such as Tenderly, and careful human review.
The reliance on blind signing and on user-interface-level checks that can be spoofed points to the need for more robust, hardware-based methods of decoding and verifying transaction data, the report noted.
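The lesson Radiant draws here is that a signer should never trust the front-end’s rendering of a transaction: the bytes handed to the signing device are the only ground truth. The following is an added example written for this article, not code from Radiant Capital, Mandiant or any wallet vendor. It decodes EVM calldata independently of the UI and compares it with what the UI claims the signer is approving, which is the software-side version of the “decode and verify the payload” check the report calls for. The four function selectors are the well-known first four bytes of keccak256 over each signature; the sample transactions and every address in them are constructed placeholders.

```python
"""Decode EVM calldata independently of a wallet front-end and compare it
with what the UI claims the signer is approving.

Added example for this article; not code from Radiant Capital, Mandiant or
any wallet vendor. The selectors below are the well-known first 4 bytes of
keccak256 over each function signature; the sample transactions and the
addresses in them are constructed placeholders.
"""
from dataclasses import dataclass

# Function selector -> (name, ABI argument types). Only static 32-byte
# argument types are handled, which covers these common token/admin calls.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}


@dataclass(frozen=True)
class DecodedCall:
    function: str
    args: tuple


def decode_calldata(calldata_hex: str) -> DecodedCall:
    """Strictly decode calldata: known selector, exact length, clean padding."""
    data = bytes.fromhex(calldata_hex.lower().removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        # Surface the raw selector instead of guessing: an unknown call is a
        # reason to stop and investigate, not to sign.
        return DecodedCall(f"unknown:0x{selector}", ())
    name, types = KNOWN_SELECTORS[selector]
    expected_len = 4 + 32 * len(types)
    if len(data) != expected_len:
        raise ValueError(f"{name}: expected {expected_len} bytes, got {len(data)}")
    args = []
    for i, abi_type in enumerate(types):
        word = data[4 + 32 * i: 4 + 32 * (i + 1)]
        if abi_type == "address":
            # Addresses are right-aligned in the 32-byte word; non-zero
            # padding is a malformed (or deliberately confusing) encoding.
            if any(word[:12]):
                raise ValueError(f"{name}: non-zero padding in address argument {i}")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return DecodedCall(name, tuple(args))


def compare_with_ui(displayed: DecodedCall, calldata_hex: str) -> list[str]:
    """Return the discrepancies between what the UI shows and what the bytes
    encode. An empty list means they agree; anything else means do not sign."""
    actual = decode_calldata(calldata_hex)
    problems = []
    if displayed.function != actual.function:
        problems.append(
            f"function: UI shows {displayed.function}, calldata is {actual.function}")
    elif displayed.args != actual.args:
        problems.append(
            f"arguments: UI shows {displayed.args}, calldata has {actual.args}")
    return problems


def _pad_address(addr: str) -> str:
    return addr.removeprefix("0x").rjust(64, "0")


def _pad_uint(value: int) -> str:
    return f"{value:064x}"


# Constructed placeholders, not real addresses.
SPENDER = "0x" + "11" * 20
ATTACKER = "0x" + "de" * 20

# Honest transaction: approve(SPENDER, 1000 tokens in 6-decimal units).
HONEST_CALLDATA = "0x095ea7b3" + _pad_address(SPENDER) + _pad_uint(1_000_000_000)

# Tampered transaction: the UI still renders the approve above, but the bytes
# handed to the signer call transferOwnership(ATTACKER).
TAMPERED_CALLDATA = "0xf2fde38b" + _pad_address(ATTACKER)

# What a spoofed front-end would show the signer in both cases.
UI_CLAIM = DecodedCall("approve", (SPENDER, 1_000_000_000))

if __name__ == "__main__":
    print("honest:  ", compare_with_ui(UI_CLAIM, HONEST_CALLDATA))
    print("tampered:", compare_with_ui(UI_CLAIM, TAMPERED_CALLDATA))
```

The decoder is deliberately strict: it refuses trailing bytes and dirty address padding rather than tolerating them, and it reports unknown selectors instead of inferring intent. Running the comparison on a device the front-end does not control (a hardware signer with clear-signing support, or at minimum a separate verification host) is what turns this from a reviewer’s habit into a control the attacker would have to defeat as well.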
As an analyst, I must acknowledge that this isn’t the first time Radiant has faced a security breach this year. In January, the platform had to temporarily halt its lending markets due to a $4.5 million flash loan exploit.
As a researcher, I’ve observed a substantial decrease in Radiant’s Total Value Locked (TVL) following this year’s two exploits. At the close of last year, the TVL stood at over $300 million, but as of December 9, it has dropped to approximately $5.81 million, as reported by DefiLlama.
2024-12-09 05:30