Back

Radiant Capital Winding Down After $50M Hack Linked to North Korean Group

Severity: High (Score: 73.2)

Sources: Theblock.Co, Mexc, defillama.com, medium.com, Thedefiant

Published: 2026-06-01 · Updated: 2026-06-02

Keywords: radiant, capital, million, unable, recover, roughly, hack

Summary

Radiant Capital, a decentralized lending protocol, is winding down operations after failing to recover from a $50 million hack attributed to a North Korean state-sponsored group, the Lazarus Group. The exploit occurred in October 2024, leading to a drastic decline in total value locked (TVL) from approximately $386.8 million to just $2.21 million by June 2026. Despite efforts to recover funds and maintain operations, the DAO announced it could not secure fresh funding or user growth. The protocol will enter a maintenance phase, allowing users to withdraw assets while halting further development. The RDNT token has plummeted from a peak of $0.58 in September 2022 to around $0.0015. The attack utilized a backdoor contract to compromise the system, marking it as a significant incident in the DeFi space. Key Points: • Radiant Capital lost $50 million in an October 2024 hack linked to North Korean hackers. • The protocol's total value locked has dropped to $2.21 million from a peak of $386.8 million. • Radiant Capital will enter a maintenance phase, allowing withdrawals but halting development.

Detailed Analysis

**Impact** Radiant Capital lost approximately $50 million in an October 2024 exploit attributed to a North Korean state-backed group linked to the Lazarus Group. The protocol’s total value locked (TVL) dropped from $386.8 million in December 2023 to $2.21 million as of June 2026, affecting users across Arbitrum, Ethereum, Base, and BNB Chain. The DAO failed to secure new funding or fully reimburse depositors, leading to the winding down of operations and delisting of the RDNT token from major exchanges like Binance, OKX, and Crypto.com. The incident impacted the DeFi lending sector and cross-chain liquidity markets globally. **Technical Details** The attacker exploited Radiant’s Pool Provider contract by compromising hardware-wallet signers through INLETDRIFT, a macOS backdoor delivered via a Telegram message impersonating a former contractor. The payload bypassed Tenderly simulation, Gnosis Safe UI verification, and hardware-wallet checks by displaying legitimate transaction data while executing malicious signatures. The attacker needed to compromise only three of eleven multisig signers. The initial breach followed a January 2024 flash loan attack that drained $4.5 million. The attack targeted Arbitrum and BNB Chain deployments, with Ethereum and Base instances reportedly secure. **Recommended Response** Defenders should enforce stricter multisig signer security, including enhanced hardware wallet protections and out-of-band verification for multisig transactions. Monitoring for backdoor malware like INLETDRIFT and suspicious Telegram communications targeting developers is advised. Protocols should implement comprehensive transaction simulation and signature verification improvements. Continuous monitoring of cross-chain lending platforms for unusual contract interactions and rapid withdrawal patterns is recommended. No specific CVEs were identified in the reports.

Source articles (5)

  • Radiant Capital Winds Down to a $2M Husk, 20 Months After DPRK-Linked $50M Heist — Thedefiant · 2026-06-01
    Radiant Capital, the cross-chain lending protocol that lost $50 million in an October 2024 attack later attributed by Mandiant to a North Korean state hacking group, has bled out to an operational hus…
  • Unable to recover from roughly $50 million hack, Radiant Capital is winding down — Theblock.Co · 2026-06-01
    After spending 18 months trying to get back on track, Radiant Capital said Monday it is calling it quits, unable to recover from a roughly $50 million hack. Radiant Capital said it hasn't been able to…
  • $2.21 million in total value locked — defillama.com · 2026-06-01
    Incentives: Tokens allocated to users through liquidity mining or incentive schemes, typically as part of governance or reward mechanisms. Earnings: Revenue of the protocol minus the incentives distri…
  • Radiant Capital Halts Growth Plans Following $50M Security Breach — Mexc · 2026-06-02
    Radiant Capital has begun winding down operations after failing to recover from a major exploit that drained tens of millions of dollars. According to a statement published by Radiant’s decentralized…
  • February 2026 roadmap post — medium.com · 2026-06-01

Timeline

  • 2024-10-16 — Radiant Capital suffers $50M hack: A backdoor contract was deployed, leading to significant losses across Arbitrum and BNB Chain.
  • 2025-01-01 — TVL drops to $75 million: Following the hack, internal figures show a sharp decline in total value locked as users withdrew funds.
  • 2025-04-01 — Binance halts RDNT trading: Binance suspended trading and withdrawal support for the RDNT token, further impacting liquidity.
  • 2026-06-01 — Radiant Capital announces winding down: The DAO confirmed it could not recover funds or secure new capital, leading to operational closure.
  • 2026-06-01 — RDNT token trading at $0.0015: The token has seen a drastic decline, trading at a fraction of its previous value of $0.58.

Related entities

  • AppleJeus (Malware)
  • Inletdrift (Malware)
  • Citrine Sleet (Apt Group)
  • Lazarus Group (Apt Group)
  • Unc4736 (Apt Group)
  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Radiant Capital (Company)
  • Arbitrum (Company)
  • Base (Company)
  • Ethereum (Company)
  • North Korea (Country)
  • crypto.com (Domain)
  • BNB Chain (Platform)
  • BSC (Platform)
  • MacOS (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed