Radiant Capital Hack: How Hackers Used a PDF to Steal $50 Million

The $50 million hack sent shockwaves across the defi community with funds authorized to different projects completely drained.

$50 Million Hack a Stark Warning for the Defi Industry

The complexity and precision of a recent attack on Radiant Capital, a decentralized cross-chain lending protocol built on Layerzero has exposed another layer of vulnerability, even in well-secured defi projects.

On Oct. 16, Radiant Capital suffered a breach that resulted in the theft of approximately $50 million with security experts and notable developers, such as @bantg expressing concerns about the sophistication of the attack. As @bantg noted, “this level of attack is really scary. To my knowledge, the compromised signers have followed the best practices.”

A recent incident report by Radiant Capital along with an X thread by OneKeyHQ showed a step-by-step breakdown of the hack with the report strongly linking the hack with North Korean hackers.

The attack began on Sept. 11, when a Radiant Capital developer received a Telegram message from someone impersonating a trusted former contractor. According to the message, the contractor was looking for a new job opportunity in smart contract audits. It requested comments on the contractor’s work and provided a link to a compressed PDF detailing their next assignment. The hackers even mimicked the contractor’s legitimate website to add credibility.

The zip file contained a disguised executable named INLETDRIFT. Upon opening, it installed malware on the developer’s macOS device, granting attackers access to the developer’s system. The malware was designed to communicate with a hacker-controlled server.

Tragically, the compromised file was shared with other team members for feedback, further spreading the malware. The attackers used their access to execute a man-in-the-middle (MITM) attack. While Radiant’s team relied on Gnosis Safe multisig wallets for security, the malware intercepted and manipulated transaction data. On developers’ screens, transactions appeared legitimate, but the hackers replaced them with malicious instructions targeting the ownership of lending pool contracts.

By exploiting a blind signing vulnerability in Ledger wallets, the attackers convinced developers to authorize a transfer ownership() call, giving them control of Radiant’s funds. In under three minutes, the hackers drained the funds, removed backdoors, and erased traces of their activities, leaving investigators with minimal evidence.

This attack highlighted the increasing sophistication of cyber threats such as the DMM bitcoin breach that led to the shutdown of the Japanese crypto exchange along with key learnings. One of such is that teams must shift to online collaboration tools to reduce malware risks. Downloading unverified files especially from external sources should be completely avoided.

Front-end transaction verification is crucial but vulnerable to spoofing. Projects should consider advanced verification tools and supply chain monitoring to detect tampering. Also, hardware wallets often lack detailed transaction summaries, increasing risk. Enhanced support for multi-sig transactions could mitigate this issue.

Strengthening asset governance with timelocks and governance frameworks can also contribute to delaying critical fund transfers, allowing teams to identify and respond to anomalies before assets are lost.

The Radiant Capital hack is a stark reminder of the vulnerabilities that persist even in projects adhering to best practices. As the defi ecosystem grows, so does the ingenuity of attackers. Industry-wide vigilance, stronger security protocols, and robust asset governance are essential to prevent such incidents in the future.

The Radiant DAO continues to support Mandiant in its investigation along with cooperation from Zeroshadow and U.S. law authorities to freeze stolen assets. Radiant has also expressed its desire to share lessons gained to help the entire industry raise security standards.

Source