Radiant Capital Devastated by $50M North Korean Supply Chain Attack Across Four Chains

The decentralized lending protocol Radiant Capital suffered one of the most sophisticated supply chain attacks in DeFi history this October, losing approximately $50 million across Arbitrum, Base, Binance Smart Chain, and Ethereum. The breach, attributed to North Korean threat actors, exposed critical vulnerabilities in how multi-chain protocols handle developer security and transaction verification.

The Exploit Mechanics

The attack began with a carefully orchestrated social engineering campaign targeting Radiant Capital’s core developers. Threat actors impersonated a former trusted contractor and delivered weaponized PDF documents that installed malware on the developers’ machines. This malware allowed the attackers to hijack legitimate developer sessions and inject malicious smart contract calls without triggering standard security alerts.

Once inside the development environment, the hackers staged malicious smart contracts across all four chains supported by Radiant Capital. These contracts were designed to appear as routine protocol upgrades. The malicious code was pre-deployed on Arbitrum, Base, BSC, and Ethereum, sitting dormant until October 16, when the attackers executed their payload simultaneously across all networks.

The attackers exploited a critical flaw in the multi-signature approval process. By compromising the devices of signers rather than attacking the smart contracts themselves, the threat actors were able to generate legitimate-looking transaction data that appeared benign during the signing process. The actual payload executed fund transfers to attacker-controlled wallets, draining liquidity pools across all four chains in a matter of minutes.

Affected Systems

Radiant Capital operates as a cross-chain lending and borrowing protocol built on LayerZero’s interoperability infrastructure. The attack affected users who had deposited assets into Radiant’s lending pools on Arbitrum, Base, BSC, and Ethereum. The stolen funds included a mix of ETH, USDC, USDT, and various wrapped tokens, totaling approximately $52 million at the time of the October 24 fund movement.

The attack vector was particularly insidious because it bypassed Radiant’s audited smart contracts entirely. The protocol’s code had undergone security reviews, but no audit could protect against compromised end-user devices. This distinction is crucial: the smart contracts worked exactly as designed, but the instructions fed into them came from unauthorized actors who had gained control of legitimate credentials.

The Mitigation Strategy

Following the attack, Radiant Capital’s response team implemented emergency measures to prevent further drainage. The protocol paused all markets across affected chains, froze remaining liquidity, and began working with blockchain analytics firms including Chainalysis and TRM Labs to trace the stolen funds. By late October, on-chain investigators had identified clear patterns linking the attack to known North Korean hacking groups, specifically the Lazarus Group infrastructure.

Radiant also engaged with major exchanges and bridge operators to flag the stolen addresses, attempting to cut off the attackers’ ability to convert the drained assets into fiat currency. The protocol announced a comprehensive security overhaul that includes hardware-based transaction signing, mandatory device verification for all multi-sig participants, and a shift toward air-gapped signing procedures for any protocol-critical operations.

Lessons Learned

The Radiant Capital hack demonstrates that the weakest link in DeFi security is often not the smart contract code but the human operators who interact with it. Several critical lessons emerge for the broader ecosystem.

First, multi-signature wallets provide no protection when the devices used to generate signatures are compromised. Protocols must adopt hardware security modules or air-gapped signing devices for all critical operations. Second, social engineering remains the most effective attack vector for sophisticated threat actors. The North Korean group’s ability to impersonate trusted contacts and deliver convincing malicious documents highlights the need for out-of-band verification of all sensitive communications.

Third, cross-chain protocols face amplified risk because a single compromised signer can trigger attacks across multiple networks simultaneously. The blast radius of a supply chain attack scales with the number of chains a protocol supports, making security investment even more critical for interoperable protocols.
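The mismatch described under "The Exploit Mechanics", where signers approved data that looked benign while the payload did something else, is what an independent pre-signing check is meant to catch. The sketch below is an added example, not code from the article or from Radiant: it decodes the proposed calldata on a machine other than the one that proposed it and compares it with the intent agreed out-of-band. The addresses, payloads and the names `decode_call` and `mismatches` are constructed for illustration.

```python
# Added example, not from the article. All addresses and payloads are constructed.
SELECTORS = {  # well-known 4-byte selectors -> (signature, static argument types)
    "a9059cbb": ("transfer(address,uint256)", ["address", "uint256"]),
    "095ea7b3": ("approve(address,uint256)", ["address", "uint256"]),
    "f2fde38b": ("transferOwnership(address)", ["address"]),
}

def decode_call(data_hex):
    """Decode the selector and static arguments of ABI-encoded calldata."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("argument length does not match " + name)
    args = []
    for i, kind in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if kind == "address":
            if any(word[:12]):  # upper 12 bytes of an address word must be zero
                raise ValueError("non-zero padding in address argument")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": args}

def mismatches(tx, intent):
    """List every way the proposed transaction departs from the approved intent."""
    found = []
    if tx["to"].lower() != intent["to"].lower():
        found.append("target contract differs")
    if tx.get("value", 0) != intent.get("value", 0):
        found.append("native value differs")
    call = decode_call(tx["data"])
    if call["function"] is None:
        found.append("unrecognized selector 0x" + call["selector"])
    elif call["function"] != intent["function"]:
        found.append("function is " + call["function"])
    elif call["args"] != intent["args"]:
        found.append("arguments differ: " + repr(call["args"]))
    return found

# Constructed samples: the intent agreed out-of-band, then two proposals.
TOKEN, TREASURY, OTHER = "0x" + "aa" * 20, "0x" + "11" * 20, "0x" + "22" * 20
INTENT = {"to": TOKEN, "function": "transfer(address,uint256)", "args": [TREASURY, 1000]}
GOOD = {"to": TOKEN, "data": "0xa9059cbb" + "00" * 12 + TREASURY[2:] + format(1000, "064x")}
BAD = {"to": TOKEN, "data": "0xf2fde38b" + "00" * 12 + OTHER[2:]}
```

A signer proceeds only when `mismatches` returns an empty list. The check is only as trustworthy as the machine it runs on, which is why the lesson above pairs it with hardware or air-gapped signing.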

User Action Required

Users who had funds deposited in Radiant Capital’s markets on Arbitrum, Base, BSC, or Ethereum should monitor the protocol’s official communications channels for recovery plans and potential reimbursement procedures. All DeFi users, regardless of whether they used Radiant, should review their own security practices: enable hardware wallet signing for all protocol interactions, verify transaction data before signing, and never open attachments from unverified sources, even if they appear to come from known contacts.

With Bitcoin trading at approximately $72,300 and the broader crypto market capitalization above $1.4 trillion at the time of this incident, the $50 million Radiant hack represents a fraction of a percent of total market value. However, the sophistication of the attack and its cross-chain nature serve as a stark reminder that as the ecosystem grows, so too does the complexity and ambition of its adversaries.

Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.

12 thoughts on “Radiant Capital Devastated by $50M North Korean Supply Chain Attack Across Four Chains”

    1. the pdf vector is wild. you can have a 3-of-11 multisig and it means nothing if the signing machines are already compromised

      1. 3-of-11 multisig defeated by a pdf attachment. the security model was theater if the signing devices themselves are compromised

        1. 3-of-11 multisig and nobody thought to check if the signing machines were clean. the hardware was the vulnerability, not the smart contracts

      2. hardware signing devices that display transaction details before signing are the only real defense here. software wallets on a compromised machine is game over

  1. the fake contractor impersonation is textbook DPRK. same playbook as the Ronin bridge attack, just a more sophisticated delivery method

    1. same playbook because it keeps working. fake linkedin profile, fake github repos, weaponized docs. protocols need dedicated opsec teams not just smart contract auditors

    2. DPRK using fake linkedin profiles and weaponized PDFs since 2022 and protocols still don't background check their contributors. $50M across 4 chains because someone opened an attachment

  2. hardware signing devices displaying full transaction calldata before signing is the bare minimum. the fact that Radiant didn't have this in 2024 is negligent

  3. DPRK threat groups have stolen over $3B from crypto projects now. supply chain attacks via fake contractors are their bread and butter and most protocols have zero countermeasures

  4. 50M stolen across 4 chains in minutes and the protocol still operates. defi resilience or reckless persistence, you decide
