
Radiant Capital Loses $50 Million Following a Highly Sophisticated Hack Involving PDFs

Two Months Later, Radiant Capital Uncovers the Intricacies of Their $50 Million Hack and Lessons for the DeFi Ecosystem

On October 16, 2024, Radiant Capital, a decentralized cross-chain lending protocol built on LayerZero, suffered a hack that cost it about $50 million in digital assets. The attackers, now attributed to North Korean state-sponsored hackers, used highly sophisticated techniques to infiltrate the platform’s systems.

Radiant Capital has since published a detailed post-mortem, prepared with Mandiant and other security firms, explaining how the breach unfolded, the vulnerabilities it exposed in the DeFi ecosystem, and the lessons learned.

Step-by-Step Execution of Radiant Capital Attack

The incident began on September 11, 2024, when a Radiant Capital developer received a Telegram message from someone claiming to be an external contractor. The message appeared credible and friendly: the sender shared a zip file containing a supposed project audit report and requested feedback.

The attackers took extra steps to appear legitimate, using a domain name closely resembling the real contractor’s website. Given how routine file sharing is in the crypto space, the developer trusted the request and downloaded the file.

Upon extracting the zip file, the developer encountered what appeared to be a normal PDF document. In reality, the file was not a document at all but malware tracked as INLETDRIFT, disguised as a PDF. Once the developer opened it, INLETDRIFT installed a backdoor on their macOS device and began communicating with the hackers’ command-and-control server.
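A practitioner-side check for exactly this delivery method, added here as an example and not tooling from Radiant Capital or Mandiant: before anything in a received zip is opened, list the entries that should never be double-clicked. It flags the three disguises a "PDF" can hide behind on macOS: an application bundle (`.app`) posing as a document, a file with a document extension but the executable bit set, and a file whose leading bytes do not match its extension. The sample zip is constructed in memory; the only real-world constants are the `%PDF-` header and the on-disk magic bytes of a 64-bit Mach-O binary.

```python
"""Added example (not Radiant's or Mandiant's tooling): triage a received zip
before opening anything in it.  Flags a .app bundle posing as a document, a
"document" with the executable bit set, and a file whose bytes do not match
its extension.  The sample archive below is constructed for illustration."""
import io
import zipfile

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
MACHO_64 = b"\xcf\xfa\xed\xfe"          # MH_MAGIC_64 as stored on disk (little-endian)


def suspicious_entries(zip_bytes: bytes):
    """Return (entry name, reason) pairs for anything that should not be opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if ".app/" in lower:            # macOS app bundle: code, whatever icon Finder shows
                findings.append((name, "inside a .app bundle"))
                continue
            if info.is_dir():
                continue
            mode = info.external_attr >> 16           # POSIX mode bits recorded by zip tools
            if mode & 0o111 and lower.endswith(DOC_EXTS):
                findings.append((name, "document extension but executable bit set"))
            ext = next((e for e in MAGIC if lower.endswith(e)), None)
            if ext:
                with zf.open(info) as fh:
                    head = fh.read(8)
                if not head.startswith(MAGIC[ext]):
                    findings.append((name, f"claims {ext} but starts with {head[:4].hex()}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one genuine PDF, one Mach-O renamed to .pdf, one .app bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Audit_Report.pdf", b"%PDF-1.4\n%constructed sample\n")
        fake = zipfile.ZipInfo("Audit_Report_final.pdf")
        fake.external_attr = 0o100755 << 16          # -rwxr-xr-x: a "PDF" that is executable
        zf.writestr(fake, MACHO_64 + b"\x00" * 28)
        zf.writestr("Audit_Report.app/Contents/MacOS/Audit_Report", MACHO_64 + b"\x00" * 28)
        zf.writestr("Audit_Report.app/Contents/Info.plist", b'<plist version="1.0"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()):
        print(f"{entry}: {why}")
```

Run it against a real archive with `suspicious_entries(open(path, "rb").read())`. The magic-byte check is the one that matters most here: Finder and the zip tool both trust the filename, and a forged `.pdf` extension plus a PDF icon is all a user sees.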

The developer, unaware of the compromise, then shared the file with other team members, spreading the malware and worsening its impact. This allowed the hackers to infiltrate multiple systems within the network and expand their control.

After establishing persistence on these machines, the attackers executed a man-in-the-middle (MITM) attack: they intercepted transaction requests on the infected devices and manipulated the data displayed in Radiant’s front-end interface.

How the Malware Gained Ownership

While the developers initiated what appeared to be a legitimate multisig transaction using Gnosis Safe and Ledger hardware wallets, the malware silently replaced the instructions. Instead of the routine operation the signers believed they were approving, the attackers injected a transferOwnership() call, which handed control of Radiant Capital’s lending pool contracts to them. A hardware wallet protects the private key, not the intent: if the signers cannot independently verify the calldata they are asked to sign, a substitution made on the compromised host goes through with valid signatures.

With ownership secured, the hackers drained the lending pools of funds from users who had granted token approvals to those contracts, completing the theft within moments.

Finally, within three minutes of draining the funds, the hackers wiped the traces of their activity, removing backdoors, browser extensions and other artifacts from the compromised systems and making it far harder for security teams to reconstruct the attack.
