Radiant Capital Hack — October 16, 2024
What Happened
On October 16, 2024, Radiant Capital, a cross-chain lending protocol deployed on Arbitrum and BNB Chain, suffered an exploit of roughly $53M that drained user deposits. This was Radiant's *second* major incident in 2024, following a much smaller (~$4.5M) flash-loan exploit in January; unlike that one, the October attack involved no smart-contract bug at all.
Root Cause: Multisig + Ledger UI Spoofing via macOS Malware
This is the canonical "front-end-spoofs-multisig" attack pattern:
1. September 11, 2024: A Radiant developer received a Telegram message from someone impersonating a known external contractor. The message carried a zip archive that purported to contain a PDF summarizing the contractor's new smart-contract audit work.
2. The archive actually held a macOS application disguised as a PDF. Opening it displayed a legitimate-looking PDF while installing INLETDRIFT, a macOS backdoor that gave the attacker persistent access to the developer's machine. The compromised machine was then used, weeks later, to drive the multisig front-end.
3. When Radiant's signers used the Safe{Wallet} (formerly Gnosis Safe) front-end from the compromised machine to approve routine transactions:
• The Safe front-end displayed the legitimate, expected transaction to the signer
• In the background, the malware substituted a different transaction in the signing request sent to the Ledger hardware wallet
• Safe transactions are signed as EIP-712 typed data; the Ledger app did not decode the SafeTx structure, so the device showed only hashes and opaque hex rather than the target contract, function and arguments
• Signers, expecting routine ops, blind-signed. The front-end then reported a failure, and each retry handed the attacker another valid signature on the malicious payload until the multisig threshold was reached
4. The signed payload was a transferOwnership() call on Radiant's LendingPoolAddressesProvider, handing the attacker control of the lending pool contracts
5. With ownership, the attacker pointed the pools at attacker-controlled logic and drained the Arbitrum and BNB Chain markets, also pulling funds from wallets that still held open token approvals to the lending pool (which is why Radiant urged users to revoke approvals afterwards)
DPRK Attribution
• Mandiant (Google) attributed the attack to UNC4736 (also tracked as AppleJeus / Citrine Sleet), a North Korean threat actor aligned with the Reconnaissance General Bureau (RGB)
• Same group implicated in Drift Trade $285M Apr 2026, Munchables $62M Mar 2024, and others
Aftermath
• The attacker roughly doubled the stolen ~$53M to ~$103M by holding and trading ETH through 2025
• Radiant launched a recovery bounty program (no significant returns)
• Lending markets paused; Radiant V2 effectively defunct
• One of the most studied incidents for hardware wallet UX failure ("blind signing")
Lessons Industry-Wide
• A hardware wallet protects the key, not the decision: if the device shows only a hash or opaque calldata, the signer is trusting the (compromisable) host that produced it
• Hardware signing devices need to decode and display Safe transactions in human-readable form (target, function, arguments, nonce), i.e. clear signing rather than blind signing
• Treasury operations need out-of-band verification, e.g. recomputing the Safe transaction hash from the intended parameters on a second, independent machine and comparing it with what the signing device shows, and treating any privileged call (transferOwnership, proxy upgrades) as exceptional regardless of what the UI claims
• Web3 hiring and contractor verification is a critical attack surface: initial access here was a social-engineering lure, not a protocol bug
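The following is an added example written for this write-up; it is not Radiant's code or Safe's SDK. It shows the check that the attack chain above defeated and that the lessons call for: a pure-Python Keccak-256, the Safe v1.3.0 EIP-712 SafeTx hash computation, a small calldata decoder with an allow-list, and a comparison between the hash recomputed from the transaction the signer believes they are approving and the hash the device actually displays. The chain id is Arbitrum One; the Safe, provider and attacker addresses, the nonce, and the routine `setFeeBps(uint256)` call are constructed placeholders.

```python
"""Independent check of what a hardware wallet is about to sign for a Safe multisig.

Added example for this write-up (not Radiant's or Safe's code). It recomputes the
Safe v1.3.0 EIP-712 SafeTx hash from the parameters the signer intends to approve and
decodes the calldata against an allow-list, so a spoofed front-end cannot hide a
transferOwnership() behind a routine-looking transaction. Run it on a machine other
than the one driving the Safe UI."""
from typing import Any

# Keccak-f[1600] round constants and rho rotation offsets (indexed [x][y]).
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_M64 = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & _M64


def keccak256(data: bytes) -> bytes:
    """Pure-Python Keccak-256 (Ethereum's hash; not hashlib's SHA3-256, which pads differently)."""
    rate = 136                                   # (1600 - 2*256) bits, in bytes
    msg = bytearray(data) + b"\x01"              # pad10*1
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    a = [0] * 25                                 # 5x5 lanes, flat index x + 5*y
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):               # absorb one block
            a[i] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        for rc in _RC:
            c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]  # theta
            d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
            a = [a[i] ^ d[i % 5] for i in range(25)]
            b = [0] * 25                                                                # rho + pi
            for x in range(5):
                for y in range(5):
                    b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(a[x + 5 * y], _ROT[x][y])
            a = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])  # chi
                 for i in range(25)]
            a[0] ^= rc                                                                  # iota
    return b"".join(a[i].to_bytes(8, "little") for i in range(4))


def _word(v: Any) -> bytes:
    """ABI-encode one static value: '0x...' string -> address, anything else -> uint256."""
    if isinstance(v, str):
        return bytes.fromhex(v[2:]).rjust(32, b"\x00")
    return int(v).to_bytes(32, "big")


def selector(signature: str) -> bytes:
    return keccak256(signature.encode())[:4]


def encode_call(signature: str, *args: Any) -> bytes:
    """ABI-encode a call whose arguments are all static (address / uint / bool)."""
    return selector(signature) + b"".join(_word(a) for a in args)


# Safe v1.3.0 type hashes (GnosisSafe.sol), recomputed rather than hard-coded.
_DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
_SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
_TAIL = ("operation", "safeTxGas", "baseGas", "gasPrice", "gasToken", "refundReceiver", "nonce")


def safe_tx_hashes(chain_id: int, safe: str, tx: dict) -> dict:
    """EIP-712 domain hash, message (struct) hash and final safeTxHash of one Safe transaction.
    These are the only values a blind-signing device can show, so they are what to compare."""
    domain = keccak256(_DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    message = keccak256(_SAFE_TX_TYPEHASH + _word(tx["to"]) + _word(tx["value"])
                        + keccak256(tx["data"]) + b"".join(_word(tx[k]) for k in _TAIL))
    return {"domain": domain, "message": message,
            "safeTxHash": keccak256(b"\x19\x01" + domain + message)}


# Allow-list of calls this treasury expects to sign; setFeeBps is a hypothetical routine call.
KNOWN_SIGS = ["setFeeBps(uint256)", "transfer(address,uint256)", "approve(address,uint256)",
              "transferOwnership(address)", "upgradeTo(address)"]
PRIVILEGED = {"transferOwnership(address)", "upgradeTo(address)"}
_SELECTORS = {selector(s): s for s in KNOWN_SIGS}


def decode_call(data: bytes) -> dict:
    """Decode calldata against the allow-list; unknown selectors fail closed as privileged."""
    sig = _SELECTORS.get(bytes(data[:4]))
    words = [data[i:i + 32] for i in range(4, len(data), 32)]
    if sig is None:
        return {"signature": "unknown 0x" + bytes(data[:4]).hex(),
                "args": [w.hex() for w in words], "privileged": True}
    types = sig[sig.index("(") + 1:-1].split(",")
    args = ["0x" + w[12:].hex() if t == "address" else int.from_bytes(w, "big")
            for t, w in zip(types, words)]
    return {"signature": sig, "args": args, "privileged": sig in PRIVILEGED}


def hash_matches_intent(chain_id: int, safe: str, intended: dict, device_message_hash: bytes) -> bool:
    """The out-of-band check: is the message hash shown on the signing device the one
    recomputed from the transaction the signer believes they are approving?"""
    return safe_tx_hashes(chain_id, safe, intended)["message"] == device_message_hash


def example_transactions():
    """Constructed sample with placeholder addresses (not Radiant's): the transaction the
    spoofed UI displayed versus the one the malware forwarded to the hardware wallet."""
    chain_id, safe = 42161, "0x" + "11" * 20                     # Arbitrum One; placeholder Safe
    provider, attacker = "0x" + "22" * 20, "0x" + "33" * 20      # owned contract; attacker EOA
    base = dict(to=provider, value=0, operation=0, safeTxGas=0, baseGas=0, gasPrice=0,
                gasToken="0x" + "00" * 20, refundReceiver="0x" + "00" * 20, nonce=41)
    shown = {**base, "data": encode_call("setFeeBps(uint256)", 25)}
    sent = {**base, "data": encode_call("transferOwnership(address)", attacker)}
    return chain_id, safe, shown, sent


if __name__ == "__main__":
    chain_id, safe, shown, sent = example_transactions()
    on_device = safe_tx_hashes(chain_id, safe, sent)["message"]   # the hash the Ledger displayed
    print("UI displayed:       ", decode_call(shown["data"]))
    print("device would sign:  ", decode_call(sent["data"]))
    print("hash matches intent:", hash_matches_intent(chain_id, safe, shown, on_device))
```

Against a real Safe, chain id, Safe address and nonce come from the Safe itself (or from the Safe transaction service), not from the UI being checked. When the Ledger Ethereum app blind-signs EIP-712 data it shows a domain hash and a message hash; the message hash is the value to compare with `safe_tx_hashes(...)["message"]`, and a signer should refuse on any mismatch and on any decoded call marked privileged, whatever the front-end says. Unknown selectors are deliberately treated as privileged so the check fails closed.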