Radiant: North Korean hackers posed as a former contractor to carry out $50 million attack

Author: Stephen Katte, Cointelegraph; Compilation: Tao Zhu, Bitchain Vision Realm

Radiant Capital said that the October attack on its decentralized finance (DeFi) platform, which caused a loss of $50 million, was carried out through malware sent via Telegram by a hacker aligned with North Korea.

Radiant stated in an investigation update on December 6 that Mandiant, a cybersecurity firm it contracted, has assessed that it is “highly confident that this attack was carried out by threat actors connected with North Korea.”

The platform stated that on September 11, a Radiant developer received a Telegram message containing a ZIP file from a “trusted former contractor,” asking for feedback on a new project they were planning.

“After review, the message was suspected of coming from a threat actor aligned with North Korea, posing as a former contractor,” it said. “When this ZIP file was shared among other developers to solicit feedback, the malware ultimately spread, which led to the subsequent intrusion.”

On October 16, a hacker took control of the private keys of several signers and of smart contracts, forcing the DeFi platform to suspend its lending market. North Korean hackers have long targeted cryptocurrency platforms, stealing $3 billion worth of cryptocurrency from 2017 to 2023.

Radiant said that the file did not raise any other suspicions, because “in a professional environment, requests to review PDFs are routine,” and developers “often share documents in this format.”

The domain associated with the ZIP file also spoofed the contractor's legitimate website.

Multiple Radiant developer devices were compromised during the attack: the front-end interface displayed benign transaction data while malicious transactions were signed in the background.

“Traditional checks and simulations did not show obvious discrepancies, making the threat almost invisible during the normal review stage,” it added.

“This deception was carried out so seamlessly that even with Radiant's standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs, the attackers were still able to compromise multiple developer devices,” Radiant wrote.

Example of a phishing PDF that may have been used by the malicious hackers. Source: Radiant Capital

Radiant Capital believes that the threat actor responsible is known as “UNC4736,” also known as “CITRINE SLEET,” which is believed to be linked to North Korea's main intelligence agency, the Reconnaissance General Bureau (RGB), and is speculated to be a branch of the hacking group Lazarus Group.

Hackers transferred about $ 52 million in stolen funds on October 24.

“This incident shows that even strict SOPs, hardware wallets, simulation tools such as Tenderly, and careful human review may be bypassed by very advanced threat actors,” Radiant Capital wrote in its update.

“The reliance on blind signing and on front-end verification that can be spoofed requires the development of stronger hardware-level solutions to decode and verify transaction payloads,” it added.
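The mismatch described above, where the interface shows one transaction while a different payload reaches the signer, is what an independent decode of the raw bytes is meant to expose. The Python sketch below is an added example, not Radiant's or Mandiant's tooling: the addresses, the small selector table and both payloads are constructed, and it assumes the raw payload is read from the signing device and checked on a separate, uncompromised machine.

```python
# Added example. Selector table, addresses and payloads are constructed samples.
KNOWN_SELECTORS = {  # first 4 bytes of keccak256(signature), standard values
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
}

def decode_calldata(data_hex):
    """Decode raw calldata into (function name, args) using static ABI words."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in KNOWN_SELECTORS:
        return None, [selector]          # unknown call: never sign it blind
    name, types = KNOWN_SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("argument area has unexpected length")
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def check_intent(shown, to, data_hex):
    """List every difference between what the UI showed and the raw payload."""
    name, args = decode_calldata(data_hex)
    problems = []
    if to.lower() != shown["to"].lower():
        problems.append("target contract differs")
    if name != shown["function"]:
        problems.append("function differs: payload calls %s" % (name or "unknown " + args[0]))
    elif args != [a.lower() if isinstance(a, str) else a for a in shown["args"]]:
        problems.append("arguments differ")
    return problems

# Constructed sample: the interface shows a token transfer of 1000 units.
TOKEN = "0x" + "aa" * 20
SHOWN = {"to": TOKEN, "function": "transfer", "args": ["0x" + "11" * 20, 1000]}
HONEST = "0xa9059cbb" + "00" * 12 + "11" * 20 + (1000).to_bytes(32, "big").hex()
SWAPPED = "0xf2fde38b" + "00" * 12 + "22" * 20   # payload that differs from the UI

if __name__ == "__main__":
    print(check_intent(SHOWN, TOKEN, HONEST))
    print(check_intent(SHOWN, TOKEN, SWAPPED))
```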

This is not the first time that Radiant has been attacked this year. The platform suspended its lending market in January due to a $4.5 million flash loan exploit.

According to DefiLlama data, following this year's exploits, Radiant's total value locked dropped sharply, from more than $300 million at the end of last year to about $5.81 million on December 9.
