Credential theft

Radiant Capital DeFi Hack

2024-10-16 [vendor] Safe Wallet (multi-sig infrastructure) [malware] InletDrift

Incident Details

On 16 October 2024, attackers called transferOwnership on Radiant Capital’s Pool Provider contract using 3 maliciously obtained signatures, gaining control of all lending pool contracts on BSC and Arbitrum. Approximately $50 million was drained. The initial compromise began on 11 September 2024 with a Telegram message sent to a developer. Mandiant attributed the intrusion to UNC4736, a Lazarus Group sub-cluster aligned with North Korea’s Reconnaissance General Bureau.

Technical Details

Initial Attack Vector
North Korean actor UNC4736 (Citrine Sleet, a Lazarus sub-group) delivered the InletDrift malware as a malicious PDF over Telegram while posing as a trusted former contractor. The malware compromised at least 3 developers’ hardware-wallet signing sessions by replacing what the Safe Wallet front-end displayed while submitting malicious transactions for signing.
Vendor / Product
Safe Wallet (multi-sig infrastructure)
Malware Family
InletDrift

Timeline

  1. 2024-10-16 Breach occurred
  2. 2024-10-16 Publicly disclosed
  3. 2024-10-17 Customers notified