A malware-laden PDF sent to engineers at crypto exchange Radiant Capital allowed North Korean hackers to steal more than $50 million, according to cybersecurity firm Mandiant.
In a recent report about the incident, Radiant Capital said it hired Mandiant and several other security companies to look into what happened.
They attributed the attack to a North Korean group known as AppleJeus or Citrine Sleet, housed within North Korea’s Reconnaissance General Bureau (RGB).
The heist began with a PDF sent via Telegram on September 11. The threat actor posed as a former contractor at the company, asking managers to read a report about a recent cybersecurity incident at another cryptocurrency company.
Radiant Capital developers received a link to a ZIP file containing a PDF that carried sophisticated malware called INLETDRIFT, a backdoor used to infect macOS devices.
“This deception was carried out so seamlessly that even with Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payloads, and following industry standard SOPs (operating procedures) at each stage, the attackers were able to compromise multiple developer devices,” the company said.
“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious anomalies, making the threat virtually invisible during normal review stages.”
After the attack, the hackers erased traces of their activity, illustrating their technical sophistication. Radiant Capital said it was working with U.S. law enforcement to freeze the stolen assets.
“As the DeFi industry grows, it must evolve beyond superficial controls and toward robust device-level transparency to protect against increasingly sophisticated attacks,” the company added.
U.S. officials, Microsoft and Google have long warned of attacks launched by Citrine Sleet and, over the years, have referred to both the group and the malware they use as AppleJeus.
In 2021, the Department of Justice and the FBI said that North Korea had been using websites that appeared to host legitimate cryptocurrency exchanges to infect victims with AppleJeus malware since at least 2018.
Google’s Threat Analysis Group released a report in 2022 on Operation AppleJeus, which involved using the same exploit kit to target more than 85 users in the cryptocurrency and fintech industries.
In August, Microsoft said it saw Citrine Sleet actors targeting the cryptocurrency industry with a zero-day affecting the Chromium browser.
The North Korean government has made hacking cryptocurrency platforms a key pillar of its revenue strategy, earning $3 billion from attacks between 2017 and 2023, according to United Nations investigators.