The complexity and precision of this attack were beyond what most people could imagine. North Korean hackers have clearly entered the next level of cybercrime. Kim Jong-un woke up and chose violence.

————

On October 16, Radiant Capital—a decentralized cross-chain lending protocol built on LayerZero—was hacked. Funds authorized to project contracts were entirely drained, resulting in losses of approximately $50 million. The incident sent shockwaves across the community.

Notable developer @bantg commented on the attack, saying:

“this level of attack is really scary. to my knowledge, the compromised signers have followed the best practices. they also used different combinations of os, software and hardware wallets, as well as simulated every transaction.”

Radiant Capital recently published a detailed post-mortem in collaboration with Mandiant and other security firms (https://medium[.]com/@RadiantCapital/radiant-capital-incident-update-e56d8c23829e). The report strongly links the attack to North Korean actors.

>> Step-by-Step Breakdown of the Attack <<

> Step 1: Impersonation

On September 11, 2024, a Radiant Capital developer received a Telegram message from someone impersonating a contractor—an external freelancer who had previously worked with the company.

The message seemed natural:

“I’ve started working on smart contract auditing and would love your feedback on my project report.”

The "former contractor" even provided a zip file containing the so-called report, claiming it had detailed insights and requesting comments.

This type of request is quite common in the crypto space, where remote collaboration and sharing PDF files are routine.
To make matters worse, the hackers used a domain name that closely resembled the real contractor’s personal website, adding credibility to their ruse. All of this led the developer to believe the message was legitimate, failing to recognize it as a sophisticated phishing attack.

> Step 2: Malware Deployment

When the developer downloaded and extracted the zip file, the contents appeared to be a normal PDF document. Opening the file displayed a well-crafted, legitimate-looking PDF with “professional and detailed” content.

But this was merely a decoy. The file was actually an executable .app file disguised as a PDF, containing malware named INLETDRIFT. Once executed, INLETDRIFT installed a backdoor on the developer’s macOS device and began communicating with the hackers’ server at atokyonews[.]com.

Had the developer identified the issue and acted immediately—by running antivirus scans or revoking key permissions—the damage might have been mitigated. Unfortunately, the developer unknowingly shared the file with other team members for feedback, spreading the malware further and giving the hackers broader access for subsequent infiltration.

> Step 3: Precision Attack

After the malware was successfully deployed, the hackers executed a man-in-the-middle (MITM) attack, leveraging their control over infected devices to intercept and manipulate transaction requests.

When Radiant Capital’s team used Gnosis Safe (@safe) multisig wallets, the hackers intercepted transaction data displayed on the front-end interface. On the developers’ screens, the transaction appeared to be a legitimate multisig operation. But when the requests reached the Ledger hardware wallets for signing, the malware replaced them with malicious instructions.

Since Ledger wallets do not parse Gnosis Safe transactions, the developers blindly signed the requests without noticing they were actually executing a transferOwnership() call.
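The mismatch at this step, a routine call on screen but a transferOwnership() in the payload, is visible to anyone who decodes the Safe transaction's inner calldata on a machine other than the one running the browser. The following is an added example written for this post; it is not Radiant's, Safe's or Ledger's code. It assumes the signer can export the proposed transaction fields (to, value, data, operation) to a separate trusted device, and it uses a short list of well-known 4-byte selectors (the first four bytes of keccak256 of the ABI signature) for privileged functions such as transferOwnership(address). All addresses below are constructed sample values.

```python
"""Offline pre-signing review of a Safe (Gnosis Safe) transaction.

Added example, not Radiant's, Safe's or Ledger's code. Run it on a separate,
trusted machine from the exported transaction fields rather than on data read
from the browser UI; a compromised host can lie to its own checks.
"""
from dataclasses import dataclass

# Well-known 4-byte selectors: first 4 bytes of keccak256 of the ABI signature.
# Which functions count as privileged is an assumption of this example.
PRIVILEGED = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "4f1ef286": "upgradeToAndCall(address,bytes)",
    "8f283970": "changeAdmin(address)",
}
ROUTINE = {
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}
CALL, DELEGATECALL = 0, 1  # values of the Safe "operation" field


@dataclass
class SafeTx:
    to: str          # target contract address
    value: int       # wei sent with the call
    data: bytes      # inner calldata the Safe will execute
    operation: int   # CALL or DELEGATECALL


def decode_call(data: bytes) -> tuple[str, str, list[str]]:
    """Return (selector, human-readable name, list of 32-byte ABI words as hex)."""
    if len(data) < 4:
        return "", "(no selector: plain value transfer or empty data)", []
    selector = data[:4].hex()
    name = PRIVILEGED.get(selector) or ROUTINE.get(selector) or "unknown"
    body = data[4:]
    words = [body[i:i + 32].hex() for i in range(0, len(body), 32)]
    return selector, name, words


def word_to_address(word_hex: str) -> str:
    """ABI-encoded addresses are right-aligned in a 32-byte word: keep the low 20 bytes."""
    return "0x" + word_hex[-40:]


def review_safe_tx(tx: SafeTx, allowed_targets: set[str], trusted_owners: set[str]) -> list[str]:
    """Return findings for a human reviewer; an empty list means nothing privileged was decoded."""
    findings = []
    if tx.operation == DELEGATECALL:
        findings.append("operation is DELEGATECALL: target code runs in the Safe's own context")
    if tx.to.lower() not in {a.lower() for a in allowed_targets}:
        findings.append(f"target {tx.to} is not on the allow-list for this Safe")
    selector, name, words = decode_call(tx.data)
    if selector in PRIVILEGED:
        detail = f"privileged call {name}"
        if words:
            detail += f" with address argument {word_to_address(words[0])}"
        findings.append(detail)
        if words and word_to_address(words[0]).lower() not in {a.lower() for a in trusted_owners}:
            findings.append("new owner/implementation is not a trusted address")
    if len(tx.data) >= 4 and (len(tx.data) - 4) % 32 != 0:
        findings.append("calldata length is not selector + whole 32-byte words; possibly malformed")
    return findings


def encode_address_call(selector_hex: str, address: str) -> bytes:
    """ABI-encode f(address): 4-byte selector followed by the address left-padded to 32 bytes."""
    return bytes.fromhex(selector_hex) + bytes(12) + bytes.fromhex(address[2:])


# Constructed sample values (not from the incident): a lending-pool address,
# a team-controlled owner address and an attacker-controlled address.
POOL = "0x1111111111111111111111111111111111111111"
TEAM_OWNER = "0x2222222222222222222222222222222222222222"
ATTACKER = "0x3333333333333333333333333333333333333333"

# What the front-end showed: a routine approve() on the pool.
SHOWN_TX = SafeTx(POOL, 0, encode_address_call("095ea7b3", TEAM_OWNER) + (10**18).to_bytes(32, "big"), CALL)
# What actually reached the hardware wallet for signature.
ACTUAL_TX = SafeTx(POOL, 0, encode_address_call("f2fde38b", ATTACKER), CALL)

if __name__ == "__main__":
    for label, tx in (("shown", SHOWN_TX), ("actual", ACTUAL_TX)):
        print(label, review_safe_tx(tx, {POOL}, {TEAM_OWNER}) or ["no findings"])
```

The check is only as trustworthy as the device it runs on, so it complements rather than replaces a hardware wallet that can itself decode the Safe transaction and show the decoded call on its own screen, which is the gap lesson (3) below is about. A selector match on an allow-listed target is a signal, not proof of safety; the reviewer still reads every decoded argument.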
This handed control of Radiant’s lending pool contracts to the attackers. With ownership secured, the hackers exploited the contracts to drain funds authorized by users to the lending pools.

This middleman replacement attack was executed with pinpoint accuracy. Despite Radiant Capital’s reliance on hardware wallets, transaction simulation tools like Tenderly, and adherence to industry-standard operational procedures, the team failed to detect anything suspicious. Once malware compromises a device, the system is effectively under the hacker’s full control, rendering even the best practices ineffective.

> Step 4: Clean Exit

Within just 3 minutes of completing the theft, the hackers wiped all traces of their activity. They removed backdoors, browser extensions, and other artifacts from compromised systems to minimize exposure and reduce the likelihood of being tracked.

>> Lessons Learned <<

This attack sends a stark warning to the entire DeFi industry. Even a project following best practices with hardware wallets, front-end transaction verification, and simulation tools wasn’t spared. The incident highlights several key issues:

(1) Avoid Downloading Files: Use Online Documents Instead

Stop downloading files, especially from unverified sources. This includes zip files, PDFs, and executables. Instead, teams should adopt online document collaboration tools like Google Docs or Notion to view and edit content directly in the browser. This significantly reduces the risk of malware infiltration.

For example, OneKey’s hiring form (https://gr4yl99ujhl.typeform[.]com/to/XhZ4wVcn?utm_source=official) explicitly requires submissions as Google Docs links (starting with docs[.]google[.]com). We never open other file types, including resumes or portfolio files.

Radiant Capital’s team clearly underestimated the risk of phishing via malware.
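Where an archive does have to be received, the decoy described in Step 2 (a macOS .app bundle presented as a PDF) can be caught before anything is opened by looking at the archive listing and the first bytes of each entry. The following is an added example for this post, not tooling from Radiant, OneKey or Mandiant. It assumes the archive is a zip, that the three signals worth flagging are app-bundle paths, document-then-executable double extensions and native executable magic bytes, and it builds its own constructed sample archive; nothing in it is taken from the real INLETDRIFT sample.

```python
"""Flag archive entries that claim to be documents but are executables.

Added example, not the project's tooling. The sample archive is constructed
in memory so the check runs offline without touching any real file.
"""
import io
import zipfile

DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "md"}
EXEC_EXT = {"app", "exe", "scr", "command", "sh", "bat", "js", "jar", "dmg", "pkg"}
# Leading bytes of native executables on common platforms.
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (or Java class)",
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
}
PDF_MAGIC = b"%PDF"


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return reasons this entry looks like an executable posing as a document (empty if none)."""
    reasons = []
    parts = name.split("/")
    # A macOS application is a directory tree; its launch binary lives under Contents/MacOS.
    if any(p.lower().endswith(".app") for p in parts):
        reasons.append("entry belongs to a macOS .app bundle")
    if "Contents/MacOS/" in name:
        reasons.append("entry is an app-bundle launch binary (Contents/MacOS)")
    # Double extensions such as report.pdf.app or invoice.pdf.exe.
    for p in parts:
        exts = p.lower().split(".")[1:]
        if len(exts) >= 2 and exts[-1] in EXEC_EXT and any(e in DOC_EXT for e in exts[:-1]):
            reasons.append(f"double extension in '{p}' hides an executable type")
    # Bidirectional override characters reverse how the tail of a name is displayed.
    if "\u202e" in name or "\u202d" in name:
        reasons.append("bidirectional override character in file name")
    # Content check: executable magic bytes, or a .pdf without the %PDF header.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"content is a {kind} binary")
            break
    if parts[-1].lower().endswith(".pdf") and head and not head.startswith(PDF_MAGIC):
        reasons.append("name says .pdf but content lacks the %PDF header")
    return reasons


def scan_zip(blob: bytes, head_len: int = 16) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(head_len)  # only the header is needed; never execute anything
            reasons = classify_entry(info.filename, head)
            if reasons:
                report[info.filename] = reasons
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: one genuine PDF plus a fake 'PDF' that is really an app bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.7\n% constructed placeholder PDF body\n")
        bundle = "Audit Report.pdf.app"
        zf.writestr(f"{bundle}/Contents/Info.plist", b"<?xml version='1.0'?><plist/>")
        # Launch binary: Mach-O 64-bit little-endian magic followed by filler, not real code.
        zf.writestr(f"{bundle}/Contents/MacOS/Audit Report", b"\xcf\xfa\xed\xfe" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_zip(build_sample_zip()).items():
        print(entry)
        for r in reasons:
            print("  -", r)
```

The listing alone is often enough: a "PDF" that unpacks into a directory tree with a Contents/MacOS path is not a document, whatever the Finder icon looks like. The magic-byte check covers the simpler case of a single file renamed to .pdf. Both are cheap to run in the intake step of a file-sharing policy, before a document ever reaches a machine that holds signing keys.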
Members with sensitive permissions must enhance device security, install antivirus software, and enforce stricter file-sharing policies to mitigate these risks.

(2) Front-End Security Is Critical

Most transaction verifications rely heavily on front-end interfaces, but hackers can easily spoof these to present fake transaction data. Supply chain attacks targeting dependencies, such as the infamous Solana web3.js library incident (https://t.co/QGnjawQOKw), are another growing threat.

(3) The Risks of Blind Signing

Many hardware wallets only display basic transaction summaries, making it impossible for users to verify transaction integrity. OneKey has made significant progress in addressing blind signing for Permit transactions, and support for Gnosis Safe multisig transactions is also under development.

(4) Strengthen DeFi Asset Governance

DeFi projects should implement Timelocks and robust governance frameworks for critical operations. By introducing T+1 or similar delays, large fund transfers would require a waiting period, providing enough time for security teams and white-hat hackers to detect anomalies, trigger alerts, and take action. Users could also revoke approvals during this window to protect their assets.

Compared to waking up to discover funds have vanished, Timelocks provide much-needed reaction time, significantly improving security.

It’s worth noting that Radiant’s contracts lacked a revoke mechanism for ownership transfers. The attackers exploited this to upgrade the contracts and execute the theft. This highlights the need for better contract design to prevent such vulnerabilities.

————

Like and share this post to raise awareness and contribute to blockchain security :)
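Lesson (4) comes down to two properties an ownership transfer should have: it does not take effect until a delay has passed, and the current owner can revoke it during that delay. The following is an added example for this post, a Python model of that contract logic rather than Solidity and not Radiant's contract code. It assumes a one-day (T+1) delay as the post suggests, a two-step transfer in which the pending owner must accept, and it replays the scenario above with constructed addresses and timestamps that stand in for block.timestamp.

```python
"""Model of a timelocked, revocable, two-step ownership transfer.

Added example, not Radiant's contracts. Timestamps are integers (seconds)
passed in by the caller in place of block.timestamp; addresses are plain
strings. The one-day delay is an assumption taken from the post's T+1 idea.
"""
from dataclasses import dataclass, field
from typing import Optional

DAY = 24 * 60 * 60  # T+1 delay before a proposed transfer can be accepted


@dataclass
class TimelockedOwnable:
    owner: str
    delay: int = DAY
    pending_owner: Optional[str] = None
    eta: Optional[int] = None            # earliest timestamp at which acceptance is valid
    log: list = field(default_factory=list)  # emitted events, the hook for off-chain monitoring

    def propose_transfer(self, caller: str, new_owner: str, now: int) -> int:
        """Only the current owner may start a transfer; it is not effective until eta."""
        if caller != self.owner:
            raise PermissionError("only the current owner may propose a transfer")
        self.pending_owner = new_owner
        self.eta = now + self.delay
        self.log.append(("OwnershipTransferProposed", new_owner, self.eta))
        return self.eta

    def cancel_transfer(self, caller: str, now: int) -> None:
        """The revoke mechanism: the current owner can withdraw a pending transfer at any time."""
        if caller != self.owner:
            raise PermissionError("only the current owner may cancel")
        if self.pending_owner is None:
            raise ValueError("no transfer pending")
        self.log.append(("OwnershipTransferCancelled", self.pending_owner, now))
        self.pending_owner = None
        self.eta = None

    def accept_transfer(self, caller: str, now: int) -> None:
        """The pending owner takes over, but only after the delay has elapsed."""
        if self.pending_owner is None:
            raise ValueError("no transfer pending")
        if caller != self.pending_owner:
            raise PermissionError("only the pending owner may accept")
        if now < self.eta:
            raise ValueError(f"timelock active until {self.eta}")
        previous, self.owner = self.owner, self.pending_owner
        self.pending_owner = None
        self.eta = None
        self.log.append(("OwnershipTransferred", previous, self.owner))


def simulate_hijack_attempt() -> dict:
    """Replay the incident shape against the model: a tricked signer proposes a transfer to an
    unknown address, monitoring notices the event, and the owner cancels inside the window."""
    c = TimelockedOwnable(owner="0xTeamSafe")  # constructed addresses
    t0 = 1_700_000_000
    eta = c.propose_transfer("0xTeamSafe", "0xAttacker", t0)   # the blind-signed proposal
    try:                                                        # immediate takeover is refused
        c.accept_transfer("0xAttacker", t0 + 60)
        accepted_early = True
    except ValueError:
        accepted_early = False
    c.cancel_transfer("0xTeamSafe", t0 + 2 * 3600)              # alert raised, owner revokes
    try:                                                        # nothing left to accept after eta
        c.accept_transfer("0xAttacker", eta + 1)
        accepted_late = True
    except ValueError:
        accepted_late = False
    return {
        "accepted_early": accepted_early,
        "accepted_late": accepted_late,
        "owner": c.owner,
        "events": [e[0] for e in c.log],
    }


if __name__ == "__main__":
    print(simulate_hijack_attempt())
```

The delay only buys time; what turns time into a defense is an off-chain monitor that alerts on the OwnershipTransferProposed event for any address outside the team's known set, and an owner who can still act during the window. The same propose, delay, cancel, execute shape applies to proxy upgrades and other privileged calls, and it would have interposed a day between the mis-signed transaction described above and the drain.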