Radiant Capital Winds Down After $50M DPRK-Linked Hack
Severity: High (Score: 72.5)
Sources: Theblock.Co, defillama.com, Thedefiant, medium.com
Keywords: radiant, capital, million, unable, recover, roughly, hack
Summary
Radiant Capital, a cross-chain lending protocol, is winding down operations after failing to recover from a $50 million hack attributed to a North Korean state-sponsored group. The attack, which occurred in October 2024, compromised the protocol's Pool Provider contract via a backdoor delivered through a malicious macOS application. Despite efforts to support users and pursue recovery, Radiant Capital has not raised new capital and currently holds only $2.21 million in total value locked. The RDNT token has been delisted from major exchanges, and the DAO announced it no longer has a viable path forward. Users can still access the platform to withdraw and manage their positions, but the future of the protocol remains uncertain. Recovery efforts will continue, but no meaningful funds have been retrieved since the exploit.
Key Points:
• Radiant Capital lost $50 million in a hack linked to North Korean state-sponsored actors.
• The protocol is winding down due to inability to recover funds or raise new capital.
• Users can still manage their positions, but the future of the platform is uncertain.
Detailed Analysis
**Impact** Radiant Capital lost approximately $50 million in a DPRK-linked hack in October 2024, on top of a $4.5 million flash loan attack earlier that year. The protocol’s total value locked (TVL) has declined to $2.21 million across Arbitrum, Ethereum, Base, and BNB Chain as of June 2026. Major centralized exchanges including Binance, OKX, and Crypto.com have delisted the RDNT token, severely limiting liquidity and user access. The DAO has been unable to fully reimburse depositors, leading to a loss of user trust and operational viability. The users primarily affected are DeFi users engaged in cross-chain lending.

**Technical Details** The attacker compromised Radiant’s Pool Provider contract by compromising hardware-wallet signers with INLETDRIFT, a macOS backdoor delivered via a Telegram message impersonating a former contractor. The payload bypassed Tenderly simulation, Gnosis Safe UI verification, and hardware-wallet checks by displaying legitimate transaction data while executing malicious signatures in the background. The 3-of-11 multisig configuration meant the attacker needed control of only three devices. The threat actor UNC4736 (AppleJeus/Citrine Sleet) is attributed with high confidence to DPRK’s Reconnaissance General Bureau and is linked to the Lazarus Group.

**Recommended Response** Defenders should harden multisig configurations by increasing signer thresholds and monitoring for anomalous multisig activity. Deploy detection rules for INLETDRIFT backdoor indicators and monitor Telegram-based phishing attempts targeting developer or contractor communications. Exchanges and custodians should block transactions involving compromised RDNT tokens and maintain user withdrawal support with conversion to stablecoins. Continuous monitoring of cross-chain lending protocols for similar backdoor tactics is advised. No CVEs or specific patches were mentioned in the available information.
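The threshold recommendation above can be weighed with a small model. This is an added example, not code from Radiant or the source articles; the per-signer compromise and availability probabilities are constructed assumptions, and signers are treated as independent.

```python
from math import comb
from typing import Optional

def tail(n: int, k: int, p: float) -> float:
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def quorum_compromised(n: int, k: int, p_signer: float) -> float:
    """Chance an attacker holds enough signer devices to meet a k-of-n threshold."""
    return tail(n, k, p_signer)

def quorum_available(n: int, k: int, p_online: float) -> float:
    """Chance the legitimate signers can still assemble k signatures."""
    return tail(n, k, p_online)

def highest_live_threshold(n: int, p_online: float,
                           min_liveness: float) -> Optional[int]:
    """Largest k that keeps quorum_available at or above min_liveness."""
    for k in range(n, 0, -1):
        if quorum_available(n, k, p_online) >= min_liveness:
            return k
    return None  # no threshold meets the liveness target

def compare(n: int, p_signer: float, p_online: float):
    """One row per threshold: (k, compromise risk, liveness)."""
    return [(k, quorum_compromised(n, k, p_signer),
             quorum_available(n, k, p_online)) for k in range(1, n + 1)]

if __name__ == "__main__":
    # Constructed inputs: 11 signers as on the page; 5% chance that any one
    # signer device is compromised, 90% chance that any one signer is reachable.
    # Independence is a simplification: one campaign hitting several signers,
    # as in this incident, correlates the compromises.
    N, P_SIGNER, P_ONLINE = 11, 0.05, 0.90
    print(" k  P(compromised)  P(quorum reachable)")
    for k, risk, live in compare(N, P_SIGNER, P_ONLINE):
        note = "  <- 3-of-11 from the page" if k == 3 else ""
        print(f"{k:2d}  {risk:14.2e}  {live:19.4f}{note}")
    best = highest_live_threshold(N, P_ONLINE, 0.99)
    print(f"highest threshold with >= 99% liveness: {best}-of-{N}")
```
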
Source articles (4)
- Radiant Capital Winds Down to a $2M Husk, 20 Months After DPRK-Linked $50M Heist — Thedefiant · 2026-06-01
  Radiant Capital, the cross-chain lending protocol that lost $50 million in an October 2024 attack later attributed by Mandiant to a North Korean state hacking group, has bled out to an operational hus…
- Unable to recover from roughly $50 million hack, Radiant Capital is winding down — Theblock.Co · 2026-06-01
  After spending 18 months trying to get back on track, Radiant Capital said Monday it is calling it quits, unable to recover from a roughly $50 million hack. Radiant Capital said it hasn't been able to…
- $2.21 million in total value locked — defillama.com · 2026-06-01
  Incentives: Tokens allocated to users through liquidity mining or incentive schemes, typically as part of governance or reward mechanisms. Earnings: Revenue of the protocol minus the incentives distri…
- February 2026 roadmap post — medium.com · 2026-06-01
Timeline
- 2024-01-05 — Flash loan attack drains $4.5 million: A flash loan attack drained approximately 1900 ETH from the Radiant protocol earlier in 2024.
- 2024-10-16 — Radiant Capital suffers $50 million hack: The attack compromised the Pool Provider contract via a backdoor delivered through a malicious macOS application.
- 2026-06-01 — Radiant Capital announces wind down: Radiant Capital states it cannot recover from the hack and will cease operations, transitioning to a maintenance state.
Related entities
- AppleJeus (Malware)
- INLETDRIFT (Malware)
- Citrine Sleet (APT Group)
- Lazarus Group (APT Group)
- UNC4736 (APT Group)
- Data Breach (Attack Type)
- Malware (Attack Type)
- Radiant Capital (Company)
- Arbitrum (Company)
- Base (Company)
- Ethereum (Company)
- North Korea (Country)
- crypto.com (Domain)
- BNB Chain (Platform)
- BSC (Platform)
- macOS (Platform)