
North Korean hackers behind $50 million crypto heist of Radiant Capital

A PDF laced with malware and sent to engineers at crypto platform Radiant Capital gave North Korean hackers the ability to steal more than $50 million, according to cybersecurity firm Mandiant.

In a recent follow-up report on the incident, Radiant Capital said it hired Mandiant and several other security firms to examine what happened. 

They attributed the attack to a North Korean group known as AppleJeus or Citrine Sleet, which is housed within North Korea’s Reconnaissance General Bureau (RGB). 

The heist began with a PDF sent through Telegram on September 11. The threat actor pretended to be a former contractor for the company, asking officials to read through a report on another recent cybersecurity incident affecting a different cryptocurrency company. 

The Radiant Capital developers were sent a link to a ZIP file with a PDF inside that contained a sophisticated piece of malware called INLETDRIFT, a backdoor used to infect macOS devices. 

“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs [operating procedures] at every step, the attackers were able to compromise multiple developer devices,” the company said. 

“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages.”

After the attack, the hackers removed traces of their activity, illustrating their technical sophistication. Radiant Capital said it is working with U.S. law enforcement to freeze the stolen assets.  

“As the DeFi industry grows, it must evolve beyond superficial checks and towards robust, device-level transparency to protect against increasingly sophisticated attacks,” the company added. 

U.S. officials, Microsoft and Google have long warned of attacks launched by Citrine Sleet, and over the years have referred to both the group and the malware they use under the name AppleJeus.

The Justice Department and FBI said in 2021 that North Korea had used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware since at least 2018.

Google’s Threat Analysis Group published a report in 2022 on Operation AppleJeus, which involved the same exploit kit being used to target more than 85 users in the cryptocurrency and fintech industries.

In August, Microsoft said it saw Citrine Sleet actors targeting the cryptocurrency industry with a zero-day affecting the Chromium browser.

North Korea’s government has made hacking cryptocurrency platforms a key pillar of its revenue strategy, netting $3 billion from attacks between 2017 and 2023, according to United Nations investigators.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.