The North Korean hacking group known as AppleJeus or Citrine Sleet has been identified as the culprit behind a $50 million crypto heist targeting Radiant Capital. On September 11, a malware-laced PDF was sent to Radiant Capital engineers via Telegram. The attacker posed as a former contractor and asked the engineers to review a report about an issue affecting a different cryptocurrency company.
The developers received a link to a ZIP file containing a sophisticated piece of malware called INLETDRIFT, a backdoor designed to infect macOS devices. Radiant Capital employed Mandiant and other security firms to investigate the incident. They attributed the attack to the North Korean group that operates within North Korea’s Reconnaissance General Bureau (RGB).
The attackers compromised multiple developer devices despite Radiant’s standard best practices, such as simulating transactions in Tenderly, verifying payload data, and following industry-standard operating procedures at every step. The malicious transactions were signed in the background, so the threat was virtually invisible during the normal review stages.
North Korean hackers target Radiant Capital
After the attack, the hackers removed traces of their activity, demonstrating their technical proficiency. Radiant Capital is now collaborating with U.S. law enforcement to freeze the stolen assets. The company emphasized the need for the DeFi industry to upgrade from superficial checks to robust, device-level transparency to defend against increasingly sophisticated attacks.
U.S. officials and cybersecurity experts from Microsoft and Google have consistently warned about attacks orchestrated by Citrine Sleet. The DPRK group has been using the AppleJeus malware to infiltrate cryptocurrency platforms since at least 2018. In 2022, Google’s Threat Analysis Group reported that a similar exploit kit targeted over 85 users in the cryptocurrency and fintech sectors.
Microsoft also reported that in August, Citrine Sleet actors were exploiting a zero-day vulnerability in the Chromium browser to target the cryptocurrency industry. North Korea has reportedly made hacking cryptocurrency platforms a crucial component of its revenue strategy, amassing $3 billion from such attacks between 2017 and 2023.