Radiant Capital — cross-chain lending exploit

DPRK's UNC4736 operators delivered macOS malware via a fake-contractor Telegram message, compromised three of eleven multi-signature key-holders, and drained $50M from Radiant Capital's cross-chain lending pools.

Target: Radiant Capital — cross-chain lending exploit
Date public: 16 October 2024
Sector: Crypto
Attack type: Wallet Compromise
Threat actor: UNC4736 / TraderTraitor / Lazarus Group (DPRK, Mandiant attribution)
Severity: Medium
Region: Global

Radiant Capital ran a cryptocurrency lending protocol — a decentralised service where users could lend and borrow crypto assets across several blockchains. Like most such protocols, it was protected by a multi-signature arrangement requiring several of its team members to approve any change to the system's core settings. In October 2024, North Korean hackers broke that protection by compromising the engineers directly. One Radiant team member received a Telegram message purportedly from a former contractor, asking for feedback on a PDF document. The PDF was malware. It installed software that captured everything on the engineer's machine — keystrokes, screenshots, and crucially the approvals they were signing on their hardware wallet. Two more engineers were compromised the same way. With three compromised key-holders, the attackers had the threshold needed to upgrade the protocol's contracts, which they did — swapping the legitimate contract for one they controlled and draining $50 million in the process. Mandiant, Google's threat intelligence firm, attributed the attack to UNC4736, a North Korean group that is part of the Lazarus constellation and that specialises in targeting crypto protocol engineers through fake job offers and impersonated contacts.

What happened

On 16 October 2024 approximately $50 million was drained from Radiant Capital, a cross-chain lending protocol operating on Arbitrum and BNB Smart Chain. The attacker executed a smart-contract upgrade that replaced the legitimate pool ownership contracts with attacker-controlled contracts, then withdrew all available liquidity. Radiant Capital paused its lending markets immediately and engaged Mandiant (Google Cloud) and the blockchain security firm Zerokn0wledge to conduct a forensic investigation.

Mandiant’s investigation attributed the operation to UNC4736, a threat actor cluster linked by Google’s threat intelligence team to DPRK’s Lazarus Group and overlapping with the TraderTraitor designation used by the FBI and CISA. Mandiant described UNC4736 as specialising in social engineering attacks against cryptocurrency protocol engineers, with a focus on fake-job offers and impersonation of professional contacts as initial access vectors.

The $50 million loss was not the first time Radiant Capital had suffered a significant security incident: an earlier flash-loan exploit in January 2024 had drained approximately $4.5 million. The October incident was categorically different in its approach — a months-long targeted compromise of human operators rather than an on-chain technical exploit.

How it worked

The attack began in September 2024 — approximately six weeks before the on-chain drain — when an attacker sent a Telegram message to a Radiant Capital engineer. The message appeared to come from a former contractor known to the engineer. It contained a ZIP file described as a PDF report in the sender’s area of expertise and asked for the engineer’s professional feedback. The engineer opened the ZIP, executed the contents, and installed macOS-targeting malware attributed by Mandiant to UNC4736’s toolkit.

The malware captured keystrokes, screenshots, and — critically — the context of hardware-wallet signing prompts on the infected machine. The engineer used a hardware wallet as part of their role as a multi-signature co-signer for Radiant’s smart-contract governance operations. By observing the hardware wallet prompts and the surrounding signing workflow on the compromised machine, the attacker was able to understand which transactions the engineer was approving and when.

Two additional Radiant engineers were compromised via the same Telegram-message-plus-malware vector over the following weeks. Once three of the eleven multi-signature co-signers’ devices were infected, the attacker had the contextual information needed to construct a transaction that would achieve three legitimate signatures. The transaction was constructed to upgrade Radiant’s pool ownership contracts — replacing the legitimate implementation with an attacker-controlled version — while being disguised at the hardware-wallet display level as a routine governance operation.

The co-signers signed what their interfaces showed them. Their hardware wallets displayed prompts consistent with a normal governance operation. The actual transaction data, which the hardware wallet displayed only as raw calldata, contained the instructions to transfer contract ownership. With three of eleven signatures obtained through this deception, and the attacker controlling the submitted transaction, the contract upgrade executed and the drain followed within the same block.

Mandiant connected UNC4736 to a broader pattern of DPRK crypto-engineer targeting that includes the DMM Bitcoin operation (same fake-job vector targeting a Ginco contractor), the Bybit theft (2025, $1.5 billion), and multiple smaller DeFi protocol compromises. The group’s operational discipline — spending weeks building rapport with targets before delivering malware, using legitimate contact impersonation rather than unsolicited approaches, targeting macOS specifically to reach engineers whose security tooling is often weaker on Apple hardware — distinguishes it from lower-sophistication crypto thieves.

Timeline

  • September 2024 — First Radiant engineer receives Telegram message purportedly from a former contractor. Malware installed via ZIP file. Two further engineers compromised over subsequent weeks by the same method.
  • 16 October 2024 — Attacker uses three compromised co-signers’ approval context to obtain three legitimate signatures on a malicious contract upgrade transaction. Pool ownership contracts replaced. $50M drained from Arbitrum and BNB Smart Chain lending pools.
  • 16 October 2024 — Radiant Capital pauses all lending markets. Mandiant and Zerokn0wledge engaged.
  • October–November 2024 — Mandiant forensic investigation concludes; UNC4736 / DPRK attribution established.
  • Late 2024 — Radiant Capital publishes post-mortem. Mandiant publishes attribution report linking UNC4736 to multiple DPRK crypto operations.

What defenders should learn

The Radiant Capital attack is the most detailed documented example of a “threshold social engineering” operation against a multi-signature scheme. The architecture required eleven co-signers with a three-of-eleven threshold, deliberately distributed to prevent a single-point compromise. The attacker did not break the cryptography. They compromised the humans who operated the cryptography — separately, over weeks — and deceived them into signing a malicious transaction. Multi-signature arrangements provide strong protection against key theft; they do not provide protection against deceiving legitimate key-holders.

The hardware-wallet display problem is central here and deserves sustained industry attention. Hardware wallets are correctly recommended as the gold standard for signing sensitive transactions because they keep private key material offline. But when the transaction being signed is a complex smart-contract call — as all DeFi governance transactions are — the hardware wallet’s display typically shows raw calldata that is not human-readable. A co-signer reviewing such a display has no reliable mechanism to verify that the operation they are approving is what their interface told them it was. The gap between “the interface says this is a routine governance operation” and “the calldata actually instructs a contract ownership transfer” is where this attack lived. Closing it requires either hardware wallets capable of decoding and displaying DeFi transaction semantics in plain language, or a governance process that requires independent off-device verification of calldata content before any co-signer signs.
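As an added illustration of the off-device verification step (example code, not Radiant's tooling or anything from the post-mortem), the Python check below takes the raw calldata a hardware wallet displays together with the operation the signing UI claims it is, decodes the 4-byte selector, and refuses to sign if the selector is unknown, if it does not match the claimed operation, or if a privileged call (ownership transfer or implementation upgrade) points at an address outside the team's trusted list. The selectors for transferOwnership and upgradeTo are the standard Solidity 4-byte values; the sample calldata and the address in it are constructed, and any Safe/multisig wrapper is assumed to have been unwrapped already.

```python
from dataclasses import dataclass

# Standard Solidity selectors: first 4 bytes of keccak256 of the canonical signature.
# Teams extend this with their own routine governance functions; anything absent is refused.
KNOWN_SELECTORS = {
    "f2fde38b": ("transferOwnership(address)", ["address"], "PRIVILEGED"),
    "3659cfe6": ("upgradeTo(address)", ["address"], "PRIVILEGED"),
}

# Constructed sample: calldata for transferOwnership(<placeholder address>), as a co-signer
# would copy it from the wallet display. The address is a placeholder, not a real account.
PLACEHOLDER_ADDR = "0x" + "bad0" * 10
SAMPLE_CALLDATA = "0xf2fde38b" + "00" * 12 + "bad0" * 10

@dataclass
class Verdict:
    decision: str      # "SIGN" or "REFUSE"
    function: str      # decoded function signature, or "unknown"
    args: list
    reason: str

def decode_static_args(payload: bytes, types: list) -> list:
    """ABI-decode static arguments; each occupies one left-padded 32-byte word."""
    if len(payload) != 32 * len(types):
        raise ValueError("calldata length does not match the ABI")
    out = []
    for i, ty in enumerate(types):
        word = payload[32 * i:32 * (i + 1)]
        if ty == "address":
            if any(word[:12]):           # the 12 padding bytes must be zero
                raise ValueError("malformed address word")
            out.append("0x" + word[12:].hex())
        elif ty.startswith("uint"):
            out.append(int.from_bytes(word, "big"))
        else:
            raise ValueError(f"unsupported type {ty}")
    return out

def check_calldata(calldata_hex: str, claimed_function: str, trusted_targets: set) -> Verdict:
    """Compare what the UI claims against what the calldata actually does."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    selector = data[:4].hex()
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None:
        return Verdict("REFUSE", "unknown", [], f"selector 0x{selector} is not in the known table")
    name, types, level = entry
    args = decode_static_args(data[4:], types)
    if name != claimed_function:
        return Verdict("REFUSE", name, args, f"UI claims {claimed_function!r} but calldata calls {name!r}")
    if level == "PRIVILEGED" and args[0] not in trusted_targets:
        return Verdict("REFUSE", name, args, f"privileged call targets untrusted address {args[0]}")
    return Verdict("SIGN", name, args, "calldata matches the claimed operation")

if __name__ == "__main__":
    # The UI says "routine parameter change"; the calldata says "transfer ownership".
    print(check_calldata(SAMPLE_CALLDATA, "setReserveFactor(address,uint256)", set()))
```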

The Telegram-based initial access vector — impersonating a trusted contact, asking for professional feedback on a document — is specifically designed to defeat generic phishing awareness training. It does not look like a phishing email; it looks like a message from someone the target knows, on a platform the target uses professionally, about a topic relevant to the target’s expertise. Defending against it requires specific training on this pattern and a policy that any unsolicited file from any contact, however trusted, is treated as potentially hostile and handled in an isolated environment. The Radiant and DMM Bitcoin cases, taken together, establish that this is a standard DPRK TTP for crypto-engineer targeting and should be treated accordingly.

The cumulative Lazarus / UNC4736 / TraderTraitor record — Ronin ($625M), Harmony ($100M), Atomic Wallet ($100M), Stake.com ($41M), DMM Bitcoin ($305M), Radiant Capital ($50M), Bybit ($1.5B) — establishes that DPRK operators have both the capability and the institutional commitment to invest weeks or months of preparation against a single target when the prize is multi-signature wallet control. Any DeFi protocol or crypto platform whose governance or custody relies on a threshold of individually-contactable human signers should treat this as a top-tier threat and build its operational security posture accordingly.
