
Briefing

On October 16, 2024, the Radiant Capital protocol suffered a sophisticated cyberattack resulting in the loss of approximately $50 million USD from its core lending markets on Arbitrum and BNB Chain. The incident stemmed from a malware injection on the devices of at least three core developers, which enabled the manipulation of transaction data during a routine multi-signature emissions adjustment. This allowed attackers to obtain fraudulent signatures for a transferOwnership action, bypassing both front-end verification and simulation tools, ultimately leading to the unauthorized draining of assets.


Context

Prior to this incident, the DeFi landscape had seen a persistent rise in sophisticated social engineering and supply chain attacks targeting key personnel, attacks that often bypass robust smart contract audits entirely. While multi-signature schemes are designed to enhance security by requiring multiple approvals, the prevailing risk factor lies in the human element and the integrity of the signing environment. This exploit leveraged advanced device-level compromise, highlighting a critical vulnerability class in which off-chain attack vectors directly undermine on-chain security controls.


Analysis

The attack began with a social engineering tactic on September 11, 2024, where a Radiant developer received a malicious zipped PDF via Telegram, masquerading as a former contractor’s job opportunity. This delivered INLETDRIFT malware, establishing a persistent macOS backdoor on compromised devices. During a subsequent routine multi-signature emissions adjustment, the malware manipulated the display within the Safe{Wallet} (Gnosis Safe) front-end and Tenderly simulations, presenting legitimate transaction data while simultaneously sending malicious transferOwnership transactions to hardware wallets for signing. This allowed the attackers, identified as the North Korean threat actor UNC4736, to secure the necessary three-of-eleven multi-signature approvals, seize control of the Pool Provider contract, and deploy malicious versions to drain funds from the protocol’s core markets on Arbitrum and BNB Chain.


Parameters

  • Protocol Targeted ∞ Radiant Capital
  • Date of Exploit ∞ October 16, 2024
  • Attack Vector ∞ Malware-driven device compromise and transaction spoofing
  • Financial Impact ∞ $50 Million USD
  • Affected Blockchains ∞ Arbitrum, BNB Chain
  • Threat Actor ∞ UNC4736 (North Korea-aligned)
  • Initial Compromise ∞ Social engineering via malicious zipped PDF


Outlook

Immediate mitigation for users involved revoking all approvals on Arbitrum, BSC, Ethereum, and Base. This incident underscores the critical need for enhanced security practices beyond smart contract audits, emphasizing device-level integrity and robust transaction verification mechanisms, especially when interacting with multi-signature wallets. Protocols must consider implementing stricter controls for developer environments, integrating advanced endpoint detection, and educating teams on sophisticated social engineering tactics. This event will likely accelerate the adoption of trustless transaction signing solutions and hardware-isolated signing environments to prevent similar device-level compromises from undermining on-chain security.
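As an added illustration (not code from the original briefing, from Radiant Capital, or from Safe{Wallet}), the following Python sketch shows the kind of independent, out-of-band check a signer can run on the raw bytes a hardware wallet is actually asked to sign: it decodes the ABI calldata and compares it with the signer's own record of the intended operation, flagging any ownership transfer regardless of what the front-end or simulation displayed. The contract addresses and the emissions-adjustment selector are constructed placeholders; only the transferOwnership(address) selector is the real, well-known value.

```python
from dataclasses import dataclass

# Real, well-known selector: first 4 bytes of keccak256("transferOwnership(address)").
TRANSFER_OWNERSHIP = bytes.fromhex("f2fde38b")
OWNERSHIP_SELECTORS = {TRANSFER_OWNERSHIP: "transferOwnership(address)"}
# Assumption: placeholder selector for the emissions-adjustment call the signers meant to approve.
EMISSIONS_SELECTOR = bytes.fromhex("11111111")

@dataclass(frozen=True)
class SigningRequest:
    """What the hardware wallet is actually asked to sign: raw target, value and calldata."""
    to: str
    value: int
    data: bytes

def decode_call(data: bytes) -> tuple[bytes, list[bytes]]:
    """Split ABI calldata into (selector, 32-byte argument words); reject malformed input."""
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError("malformed calldata")
    body = data[4:]
    return data[:4], [body[i:i + 32] for i in range(0, len(body), 32)]

def word_to_address(word: bytes) -> str:
    """An address argument is right-aligned in its word; the top 12 bytes must be zero."""
    if any(word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + word[12:].hex()

def verify(intended: SigningRequest, requested: SigningRequest) -> list[str]:
    """Return findings comparing the raw request with the intended one; empty means they match."""
    findings = []
    if requested.to.lower() != intended.to.lower():
        findings.append(f"target mismatch: {requested.to} vs {intended.to}")
    if requested.value != intended.value:
        findings.append(f"value mismatch: {requested.value} vs {intended.value}")
    sel, words = decode_call(requested.data)
    if sel in OWNERSHIP_SELECTORS:  # never expected during an emissions adjustment
        new_owner = word_to_address(words[0]) if words else "<missing>"
        findings.append(f"ownership change: {OWNERSHIP_SELECTORS[sel]} -> {new_owner}")
    if requested.data != intended.data:
        findings.append(f"calldata mismatch: 0x{sel.hex()} vs 0x{intended.data[:4].hex()}")
    return findings

# Constructed sample: placeholder addresses, not the real Radiant contracts.
POOL_PROVIDER = "0x" + "ab" * 20
INTENDED = SigningRequest(POOL_PROVIDER, 0, EMISSIONS_SELECTOR + (1500).to_bytes(32, "big"))
# What a tampered front-end would forward to the device while displaying INTENDED.
SPOOFED = SigningRequest(POOL_PROVIDER, 0, TRANSFER_OWNERSHIP + bytes(12) + bytes.fromhex("cd" * 20))
```

The comparison source must come from somewhere the malware cannot rewrite, such as a second clean machine or the signer's own notes from the change request, otherwise it only re-checks the tampered display.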

The Radiant Capital exploit serves as a stark reminder that even robust multi-signature schemes are vulnerable when the integrity of the signing environment is compromised by advanced malware, shifting the attack surface from smart contract logic to human and device security.

Signal Acquired from ∞ Medium.com


malware injection

Definition ∞ Malware Injection involves the unauthorized insertion of malicious code into a legitimate software program or system.

multi-signature schemes

Definition ∞ Multi-signature schemes are cryptographic systems that require two or more private keys to authorize a transaction or access a digital asset.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

transaction spoofing

Definition ∞ Transaction Spoofing is a deceptive trading practice where an entity places a large order with the intent of canceling it before execution, aiming to manipulate market prices.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

on-chain security

Definition ∞ On-chain security refers to the measures and protocols implemented directly within a blockchain's architecture to protect the integrity, confidentiality, and availability of its data and transactions.