Decentralized finance platform Radiant Capital has attributed the October heist against its systems, which resulted in the theft of $50 million worth of cryptocurrency, to the North Korean advanced persistent threat operation Citrine Sleet, also known as AppleJeus and UNC4736, following a probe conducted alongside Mandiant, BleepingComputer reports.
Citrine Sleet's intrusion against Radiant Capital began in September with the impersonation of a former contractor on Telegram to lure a Radiant developer into downloading a ZIP file containing a decoy PDF and the InletDrift macOS malware, which facilitated the installation of a backdoor, according to the investigation. The attackers then leveraged the multi-signature transaction process to steal assets from Radiant's Arbitrum and Binance Smart Chain markets while evading multiple security and verification measures. "This deception was carried out so seamlessly that even with Radiant's standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard SOPs at every step, the attackers were able to compromise multiple developer devices," said Radiant.