Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 211 · Frontend Hijack

Radiant Capital Multi-Sig Hijack

About $53M drained from Radiant's 3-of-11 Safe multi-sig after macOS malware compromised three signers' machines; the Safe UI showed the benign transactions the signers expected while their hardware wallets signed a malicious ownership transfer and upgrade.

Date: October 16, 2024
Status:
Funds Stolen: approx. $53M
Attribution: UNC4736 / Citrine Sleet / Lazarus Group (DPRK)

On October 16, 2024, the cross-chain lending protocol Radiant Capital lost approximately $53 million to its second major attack of the year (the first, a flash-loan exploit in January, had cost roughly $4.5M). The bug was not in Radiant's contracts: it was in what its signers saw on their screens while they signed.

What happened

The story starts on September 11, 2024, when a Radiant developer received a Telegram message from someone impersonating a trusted former contractor. The message asked for feedback on a smart-contract audit and included a ZIP file containing a decoy PDF alongside a macOS malware payload, InletDrift, which installed a persistent backdoor.

Over the following weeks the implant spread to at least three signers' machines.

Radiant required 3 of 11 signatures to authorise privileged actions on its Safe (formerly Gnosis Safe) multi-sig. When the attackers were ready, the signers went ahead with what looked like a routine transaction in the Safe interface. To their eyes the UI displayed the benign transaction they expected; the payload that actually reached their hardware wallets, intercepted and rewritten by the malware, was a malicious ownership transfer and upgrade handing control of the lending markets to the attacker. Spurious failure errors in the UI, which looked like ordinary Safe front-end glitches, prompted signers to retry, and each retry handed the attackers another usable signature.

Three signatures collected. The upgrade executed. $53M drained across Arbitrum and BNB Chain.

Aftermath

  • Mandiant and others attributed the operation to UNC4736 / Citrine Sleet, also tracked as AppleJeus, a DPRK cluster linked to Lazarus and to the long-running AppleJeus campaign; InletDrift is the macOS backdoor used in this intrusion.
  • The Radiant attacker has held a substantial portion of the stolen ETH and reportedly grew the position to over $100M in paper value through subsequent ETH trading.
  • Radiant relaunched markets after months of audits and contract redeployments. Recoveries to affected users came primarily through governance-controlled token reissuance.

Why it matters

Radiant belongs to a run of multi-sig signing compromises that also includes WazirX (July 2024, three months earlier) and Bybit (February 2025, at far larger scale). In each case the trust boundary of a hardware wallet ended at the screen the signer read the transaction from: the device signs exactly the bytes it receives, so a compromised host or front end that feeds it different bytes defeats the hardware without touching the keys. Independent transaction-simulation displays and out-of-band calldata verification have since become standard practice for any multi-sig managing meaningful TVL. The check that actually closes the gap is to recompute the Safe transaction hash from the intended calldata on a separate, trusted machine and compare it with the hash the hardware wallet displays before approving; the device screen is honest, but only about the bytes it was given.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-radiant-capital-hack-october-2024
  2. onekey.so: https://onekey.so/blog/ecosystem/one-pdf-50m-gone-the-radiant-capital-hack-explained/
  3. medium.com: https://medium.com/@marcellusv2/anatomy-of-a-53-million-hack-how-radiant-capitals-multisig-failed-121fca23a996
