- Phishing and malware delivered by DPRK hackers opened the way to the attack on Radiant Capital's DeFi protocol.
- Despite best practices such as hardware wallets, the attackers used malicious smart contracts and intercepted multisig transactions to steal the funds.
- Phishing threats, blind-signing flaws, and governance gaps point to an urgent need for stronger protections.
On October 16, 2024, Radiant Capital suffered a loss of $50 million in a cyberattack attributed to North Korean hackers, raising critical security concerns for DeFi.
Report linking North Korean actors to the Radiant Capital incident
A report from OneKey, a maker of crypto hardware wallets backed by Coinbase, attributed the attack to North Korean hackers. The report expands on a recent Medium post from Radiant Capital that gave an update on the October 16 attack.
Mandiant, a leading cybersecurity firm, reportedly linked the breach to UNC4736, a DPRK-linked group also known as AppleJeus or Citrine Sleet. The group operates under the Reconnaissance General Bureau (RGB), North Korea's main intelligence agency.
Mandiant's investigation found that the attackers had carefully planned their operation. They deployed malicious smart contracts in advance across several blockchain networks, including Arbitrum, Binance Smart Chain, Base, and Ethereum. These preparations show the advanced capabilities of DPRK-backed threat actors targeting the DeFi sector.
The breach began with a calculated phishing attack on September 11, 2024. A Radiant Capital developer received a Telegram message from an individual impersonating a trusted contractor. The message included a zip file purportedly containing a smart contract audit report. This file, "Penpie_Hacking_Analysis_Report.zip," carried malware called INLETDRIFT, a macOS backdoor that gave the attackers unauthorized access to Radiant systems.
When the developer opened the file, it appeared to be a valid PDF. In the background, however, the malware installed itself and established a command-and-control connection to a malicious domain, atokyonews[.]com. From that foothold the attackers spread the malware to other Radiant team members, gaining deeper access to sensitive systems.
The attackers' strategy culminated in a man-in-the-middle (MITM) attack on the signing flow. Using the compromised developer machines, they intercepted and rewrote transaction requests for Radiant's Gnosis Safe multisig wallets. The transactions looked legitimate in the front end the developers were reviewing, but the malware covertly substituted a transferOwnership call, handing the attackers control of Radiant's lending pool contracts.
Execution of the Heist, Business Impact, and Lessons Learned
Despite Radiant's adherence to best practices, including hardware wallets, transaction simulation, and manual review and authentication tooling, the attackers' methods bypassed every defense. Within minutes of gaining ownership, the hackers drained funds from Radiant's lending pools, leaving the platform and its users reeling.
The Radiant Capital hack is a serious warning to the DeFi industry: even projects that adhere to strict security standards can fall prey to sophisticated threat actors. The incident exposed critical weaknesses, including:
- Phishing threats: The attack started with a social-engineering scheme against a single developer, underscoring the need for more vigilance against unsolicited file sharing.
- Blind signing: Although widely used, hardware wallets often reveal only basic transaction details (target, value, a hash of the data), which makes it hard for signers to detect a swapped payload. Better hardware-level solutions are needed to decode and verify transaction payloads before they are signed.
- Front-end security: Relying on the front-end interface to confirm what a transaction does was not adequate. A compromised interface let the hackers manipulate the transaction data without the signers noticing.
- Governance weaknesses: The lack of any mechanism to delay or revoke ownership transfers left Radiant's contracts exposed. A timelock on ownership changes, or a required delay before funds can move, would give the team critical response time in future incidents.
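The blind-signing, front-end and governance items above describe one gap from three angles: the signer approved bytes they never decoded, and nothing on-chain gave them time to undo the result. The following is an added example, not code from Radiant Capital, OneKey or Mandiant, showing the two controls a practitioner would want: a pre-signing check that decodes the raw calldata and compares it with what the UI claims, and a two-step ownership transfer with a delay, modelled in Python. The addresses, the "UI summary" structure and the policy lists are hypothetical; the function selectors are the standard first four bytes of keccak256 of the named signatures.

```python
from dataclasses import dataclass
from typing import Optional

# Function selectors (first 4 bytes of keccak256(signature)). Keccak-256 is
# not in Python's standard library, so the standard values are hard-coded.
SELECTORS = {
    "f2fde38b": "transferOwnership(address)",  # OpenZeppelin Ownable
    "715018a6": "renounceOwnership()",
    "3659cfe6": "upgradeTo(address)",           # proxy upgrade
    "a9059cbb": "transfer(address,uint256)",    # ERC-20
    "095ea7b3": "approve(address,uint256)",     # ERC-20
}
# Calls that hand over control of a contract. A routine operations flow should
# never sign these, whatever the front end displays.
PRIVILEGED = {"transferOwnership(address)", "renounceOwnership()", "upgradeTo(address)"}


def decode_calldata(calldata: str):
    """Split raw calldata into (known signature or None, list of 32-byte words as hex)."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 or (len(data) - 8) % 64:
        raise ValueError("malformed calldata")
    selector, body = data[:8], data[8:]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    return SELECTORS.get(selector), words


def word_to_address(word: str) -> str:
    """An ABI-encoded address is right-aligned in a 32-byte word; the 12 leading bytes must be zero."""
    if word[:24] != "0" * 24:
        raise ValueError("not a clean address word")
    return "0x" + word[24:]


def check_before_signing(displayed: dict, raw_tx: dict, allowed_targets: set) -> list:
    """Compare what the front end shows with the bytes actually being signed.
    Returns the reasons to refuse; an empty list means UI and payload agree."""
    reasons = []
    if raw_tx["to"].lower() not in {a.lower() for a in allowed_targets}:
        reasons.append(f"target {raw_tx['to']} not in allowlist")
    if displayed["to"].lower() != raw_tx["to"].lower():
        reasons.append("UI target differs from signed target")
    sig, words = decode_calldata(raw_tx["data"])
    if sig is None:
        reasons.append("unknown function selector; cannot verify intent")
    elif sig != displayed["function"]:
        reasons.append(f"UI shows {displayed['function']} but calldata is {sig}")
    if sig in PRIVILEGED:
        target = word_to_address(words[0]) if words else "n/a"
        reasons.append(f"privileged call {sig} -> {target}")
    return reasons


@dataclass
class TimelockedOwnable:
    """Two-step ownership transfer with a delay (hypothetical off-chain model).
    The pending owner can only accept after `delay` seconds, so the current
    multisig has a window to cancel a proposal it did not intend."""
    owner: str
    delay: int = 48 * 3600
    pending: Optional[str] = None
    ready_at: Optional[int] = None

    def propose_owner(self, new_owner: str, now: int) -> None:
        self.pending, self.ready_at = new_owner, now + self.delay

    def cancel(self) -> None:
        self.pending, self.ready_at = None, None

    def accept_owner(self, caller: str, now: int) -> bool:
        if self.pending is None or caller != self.pending or now < self.ready_at:
            return False
        self.owner, self.pending, self.ready_at = self.pending, None, None
        return True


# Constructed sample data: hypothetical pool, spender and attacker addresses.
POOL = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
ATTACKER = "0x" + "ee" * 20
UI_SUMMARY = {"to": POOL, "function": "approve(address,uint256)"}
HONEST_TX = {"to": POOL, "data": "0x095ea7b3" + "00" * 12 + SPENDER[2:] + "0" * 61 + "3e8"}
# What a MITM on the signing flow substitutes: same target, different selector.
SWAPPED_TX = {"to": POOL, "data": "0xf2fde38b" + "00" * 12 + ATTACKER[2:]}


def demo():
    """Run the check on the honest and the swapped payload; returns both verdicts."""
    return (check_before_signing(UI_SUMMARY, HONEST_TX, {POOL}),
            check_before_signing(UI_SUMMARY, SWAPPED_TX, {POOL}))


if __name__ == "__main__":
    honest, swapped = demo()
    print("honest payload:", honest or "OK to sign")
    print("swapped payload:", swapped)
```

The check refuses the swapped payload twice over: the decoded selector does not match the function the UI claims, and transferOwnership is on the privileged list regardless. The timelock model is the second half of the answer: even if a malicious proposal is signed, ownership only moves after the delay, and cancel() during that window leaves the original owner in place.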
In response to the breach, Radiant Capital has engaged leading cybersecurity companies, including Mandiant, zeroShadow, and Hypernative. These companies assist in the investigation and recovery of assets. The Radiant DAO is also cooperating with US law enforcement to trace and freeze stolen funds.
In the Medium post, Radiant also reaffirmed its commitment to sharing lessons learned and improving security across the DeFi industry. The DAO emphasized the importance of adopting stronger governance frameworks, hardening device-level security, and moving away from risky practices such as blind signing.
“Looks like things could have stopped at step 1,” said one user on X.
The Radiant Capital incident coincides with a recent report showing how North Korean hackers continue to shift tactics. As these attackers become more sophisticated, the industry must respond by prioritizing transparency, robust security measures, and collaborative efforts to counter them.
Conclusion
The Radiant Capital incident underscores the dire need for improved security protocols in the DeFi space. Stronger governance frameworks, comprehensive education about phishing threats, and enhanced transaction verification processes must be prioritized to protect against future threats. The evolving landscape of cybercrime demands vigilance and cooperation to protect digital assets.
Source: https://en.coinotag.com/north-korean-hackers-linked-to-50-million-radiant-capital-cyberattack-a-call-for-enhanced-defi-security-measures/