
Briefing

On October 16, 2024, the Radiant Capital protocol suffered a sophisticated cyberattack resulting in the loss of approximately $50 million USD from its core lending markets on Arbitrum and BNB Chain. The incident stemmed from a malware injection on the devices of at least three core developers, which enabled the manipulation of transaction data during a routine multi-signature emissions adjustment. This allowed attackers to obtain fraudulent signatures for a transferOwnership action, bypassing both front-end verification and simulation tools, ultimately leading to the unauthorized draining of assets.


Context

Prior to this incident, the DeFi landscape had seen a persistent rise in sophisticated social engineering and supply chain attacks targeting key personnel, often bypassing otherwise robust smart contract audits. While multi-signature schemes are designed to enhance security by requiring multiple approvals, the prevailing risk factor lies in the human element and the integrity of the signing environment. This exploit leveraged advanced device-level compromise, highlighting a critical vulnerability class in which off-chain attack vectors directly undermine on-chain security controls.


Analysis

The attack began with a social engineering tactic on September 11, 2024, where a Radiant developer received a malicious zipped PDF via Telegram, masquerading as a former contractor’s job opportunity. This delivered INLETDRIFT malware, establishing a persistent macOS backdoor on compromised devices. During a subsequent routine multi-signature emissions adjustment, the malware manipulated the display within the Safe{Wallet} (Gnosis Safe) front-end and Tenderly simulations, presenting legitimate transaction data while simultaneously sending malicious transferOwnership transactions to hardware wallets for signing. This allowed the attackers, identified as the North Korean threat actor UNC4736, to secure the necessary three-of-eleven multi-signature approvals, seize control of the Pool Provider contract, and deploy malicious versions to drain funds from the protocol’s core markets on Arbitrum and BNB Chain.
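The display spoofing described above worked because signers trusted what the Safe{Wallet} front-end and Tenderly rendered rather than the bytes that actually reached the hardware wallet. As an added example (not Radiant's or Safe's code), the following decodes the data field of a proposed Safe transaction offline, derives the 4-byte selector with a self-contained Keccak-256, and flags a transferOwnership call when the signers intended an emissions adjustment; the function signature setEmissionRate(uint256), the sample calldata and the address in it are constructed placeholders, since the page does not name Radiant's real function.

```python
RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
      0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
      0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]
M64 = (1 << 64) - 1

def rol(v, n):  # rotate a 64-bit lane left by n bits
    return ((v << n) | (v >> (64 - n))) & M64 if n else v

def keccak256(data: bytes) -> bytes:
    """Ethereum's Keccak-256 (pad10*1 with 0x01, unlike NIST SHA3's 0x06); rate 136 bytes."""
    msg = bytearray(data) + b"\x01" + b"\x00" * (135 - len(data) % 136)
    msg[-1] |= 0x80
    A = [[0] * 5 for _ in range(5)]  # 5x5 state of 64-bit lanes, A[x][y]
    for off in range(0, len(msg), 136):  # absorb one block, then permute
        for i in range(17):
            A[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        for rc in RC:  # 24 rounds: theta, rho+pi, chi, iota
            C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
            D = [C[(x - 1) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
            B = [[0] * 5 for _ in range(5)]
            for x in range(5):
                for y in range(5):
                    B[y][(2 * x + 3 * y) % 5] = rol(A[x][y] ^ D[x], ROT[x][y])
            A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)] for x in range(5)]
            A[0][0] ^= rc
    return b"".join(A[i][0].to_bytes(8, "little") for i in range(4))

def selector(sig: str) -> str:
    """Solidity 4-byte function selector: first 4 bytes of keccak256(signature)."""
    return keccak256(sig.encode()).hex()[:8]

OWNER_XFER = "transferOwnership(address)"  # OpenZeppelin Ownable, selector 0xf2fde38b
def check_calldata(calldata_hex: str, intended_sigs: set) -> tuple:
    """Decode the data field the device is asked to sign; return (ok, description)."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sel = data[:4].hex()
    names = {selector(s): s for s in intended_sigs | {OWNER_XFER}}
    name = names.get(sel, "unknown selector")
    if name == OWNER_XFER:  # address arg is the low 20 bytes of the first 32-byte word
        name += " -> 0x" + data[16:36].hex()
    return sel in {selector(s) for s in intended_sigs}, name

# Constructed sample inputs (placeholders, not Radiant's real function or addresses):
INTENDED = {"setEmissionRate(uint256)"}                 # what the signers believed they approved
SPOOFED = "0xf2fde38b" + "00" * 12 + "ab" * 20          # what actually reached the device
```

Run the decode on the exact bytes the signing device receives (for example via a separate, clean machine or the device's raw-data view), never on what a browser tab or simulation renders; `check_calldata(SPOOFED, INTENDED)` returns `(False, 'transferOwnership(address) -> 0xabab...')`.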


Parameters

  • Protocol Targeted ∞ Radiant Capital
  • Date of Exploit ∞ October 16, 2024
  • Attack Vector ∞ Malware-driven device compromise and transaction spoofing
  • Financial Impact ∞ $50 Million USD
  • Affected Blockchains ∞ Arbitrum, BNB Chain
  • Threat Actor ∞ UNC4736 (North Korea-aligned)
  • Initial Compromise ∞ Social engineering via malicious zipped PDF


Outlook

Immediate mitigation for users involved revoking all approvals on Arbitrum, BSC, Ethereum, and Base. This incident underscores the critical need for enhanced security practices beyond smart contract audits, emphasizing device-level integrity and robust transaction verification mechanisms, especially when interacting with multi-signature wallets. Protocols must consider implementing stricter controls for developer environments, integrating advanced endpoint detection, and educating teams on sophisticated social engineering tactics. This event will likely accelerate the adoption of trustless transaction signing solutions and hardware-isolated signing environments to prevent similar device-level compromises from undermining on-chain security.

The Radiant Capital exploit serves as a stark reminder that even robust multi-signature schemes are vulnerable when the integrity of the signing environment is compromised by advanced malware, shifting the attack surface from smart contract logic to human and device security.

Signal Acquired from ∞ Medium.com

Micro Crypto News Feeds

malware injection

Definition ∞ Malware Injection involves the unauthorized insertion of malicious code into a legitimate software program or system.

multi-signature schemes

Definition ∞ Multi-signature schemes are cryptographic systems that require two or more private keys to authorize a transaction or access a digital asset.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

transaction spoofing

Definition ∞ Transaction Spoofing is a deceptive trading practice where an entity places a large order with the intent of canceling it before execution, aiming to manipulate market prices.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

on-chain security

Definition ∞ On-chain security refers to the measures and protocols implemented directly within a blockchain's architecture to protect the integrity, confidentiality, and availability of its data and transactions.