Briefing

On October 16, 2024, the Radiant Capital protocol suffered a sophisticated cyberattack resulting in the loss of approximately $50 million USD from its core lending markets on Arbitrum and BNB Chain. The incident stemmed from a malware injection on the devices of at least three core developers, which enabled the manipulation of transaction data during a routine multi-signature emissions adjustment. This allowed attackers to obtain fraudulent signatures for a transferOwnership action, bypassing both front-end verification and simulation tools, ultimately leading to the unauthorized draining of assets.

Context

Prior to this incident, the DeFi landscape had seen a persistent rise in sophisticated social engineering and supply chain attacks targeting key personnel, often bypassing otherwise robust smart contract audits. While multi-signature schemes are designed to enhance security by requiring multiple approvals, the prevailing risk factor lies in the human element and the integrity of the signing environment. This exploit leveraged advanced device-level compromise, highlighting a critical vulnerability class where off-chain attack vectors directly undermine on-chain security controls.

Analysis

The attack began with a social engineering tactic on September 11, 2024, where a Radiant developer received a malicious zipped PDF via Telegram, masquerading as a former contractor’s job opportunity. This delivered INLETDRIFT malware, establishing a persistent macOS backdoor on compromised devices. During a subsequent routine multi-signature emissions adjustment, the malware manipulated the display within the Safe{Wallet} (Gnosis Safe) front-end and Tenderly simulations, presenting legitimate transaction data while simultaneously sending malicious transferOwnership transactions to hardware wallets for signing. This allowed the attackers, identified as the North Korean threat actor UNC4736, to secure the necessary three-of-eleven multi-signature approvals, seize control of the Pool Provider contract, and deploy malicious versions to drain funds from the protocol’s core markets on Arbitrum and BNB Chain.

Parameters

  • Protocol Targeted → Radiant Capital
  • Date of Exploit → October 16, 2024
  • Attack Vector → Malware-driven device compromise and transaction spoofing
  • Financial Impact → $50 Million USD
  • Affected Blockchains → Arbitrum, BNB Chain
  • Threat Actor → UNC4736 (North Korea-aligned)
  • Initial Compromise → Social engineering via malicious zipped PDF

Outlook

Immediate mitigation for users involved revoking all approvals on Arbitrum, BSC, Ethereum, and Base. This incident underscores the critical need for enhanced security practices beyond smart contract audits, emphasizing device-level integrity and robust transaction verification mechanisms, especially when interacting with multi-signature wallets. Protocols must consider implementing stricter controls for developer environments, integrating advanced endpoint detection, and educating teams on sophisticated social engineering tactics. This event will likely accelerate the adoption of trustless transaction signing solutions and hardware-isolated signing environments to prevent similar device-level compromises from undermining on-chain security.

The Radiant Capital exploit serves as a stark reminder that even robust multi-signature schemes are vulnerable when the integrity of the signing environment is compromised by advanced malware, shifting the attack surface from smart contract logic to human and device security.

Signal Acquired from → Medium.com

Micro Crypto News Feeds

malware injection

Definition ∞ Malware Injection involves the unauthorized insertion of malicious code into a legitimate software program or system.

multi-signature schemes

Definition ∞ Multi-signature schemes are cryptographic systems that require two or more private keys to authorize a transaction or access a digital asset.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

protocol

Definition ∞ A protocol is a set of rules governing data exchange or communication between systems.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

transaction spoofing

Definition ∞ Transaction Spoofing is a deceptive trading practice where an entity places a large order with the intent of canceling it before execution, aiming to manipulate market prices.

bnb chain

Definition ∞ BNB Chain is a decentralized blockchain network that supports smart contracts and decentralized applications.

threat actor

Definition ∞ A threat actor is an individual or group that poses a risk to information systems and data security.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

on-chain security

Definition ∞ On-chain security refers to the measures and protocols implemented directly within a blockchain's architecture to protect the integrity, confidentiality, and availability of its data and transactions.