Radiant Capital Suffers $50 Million Exploit in Sophisticated Multi-Sig Attack

Radiant Capital, a prominent decentralized cross-chain lending protocol, has fallen victim to a devastating exploit that drained approximately $50 million from its Arbitrum and BNB Chain deployments on October 16, 2024. The attack, which security researchers are calling one of the most sophisticated DeFi hacks in recent memory, sent shockwaves through the decentralized finance community as Bitcoin traded near $67,600 and the broader crypto market showed signs of renewed bullish momentum.

The Exploit Mechanics

According to on-chain analysis from Arkham Intelligence and Web3 security firm Ancilia, the attack began on Radiant’s Ethereum Layer 2 Arbitrum instance around 17:09 UTC before spreading to the protocol’s BNB Chain deployment. The attacker deployed a backdoor contract that exploited the protocol’s multi-signature wallet system, gaining unauthorized access to the transferFrom function within Radiant’s smart contracts.

The transferFrom exploit allowed the attacker to move tokens from user accounts to controlled wallet addresses. Ancilia identified the malicious contract at address 0xd50cf00b6e600dd036ba8ef475677d816d6c4281 and immediately warned users to revoke all approvals for Radiant contract addresses.

The suspected exploiter’s wallet accumulated over $32 million worth of Arbitrum-based assets and approximately $18 million in tokens on BNB Chain, bringing total losses to roughly $50 million. Ethereum and Base deployments appeared unaffected, though security teams urged caution across all Radiant contracts.

Affected Systems

Radiant Capital operates as an omnichain money market built on LayerZero, enabling users to deposit, borrow, and manage cryptocurrency across multiple blockchain networks. The protocol leverages Ethereum blockchain security through the Arbitrum Layer 2 scaling system and operates under a community-driven governance model where users participate through RDNT lockers.

The attack specifically targeted the protocol’s BNB Chain and Arbitrum instances, two of Radiant’s most active markets. Tony Ke, security research lead at Fuzzland, confirmed that the attack profile suggested that someone was phished or had a compromised computer, or that an inside attacker caused private key leakage through the multi-sig setup.

Radiant immediately paused all markets on Base and the mainnet as a precautionary measure while the investigation continued.

The Mitigation Strategy

In the aftermath of the exploit, Radiant Capital engaged cybersecurity firm Mandiant to conduct a thorough investigation. The analysis revealed that the attack originated on September 11, 2024, when a Radiant developer received a Telegram message spoofing a former contractor, tricking them into downloading a malicious ZIP file containing macOS malware dubbed “InletDrift.”

The malware established a persistent backdoor on the developer’s device, enabling attackers to compromise the routine multi-signature signing process. The attack bypassed hardware wallet security and multiple verification layers by displaying benign transaction data on front-end interfaces while malicious transactions were signed in the background. Traditional checks and simulations, including Tenderly simulations, showed no obvious discrepancies.

Mandiant attributed the attack with high confidence to UNC4736, a North Korean state-affiliated threat group also known as “Citrine Sleet” or “AppleJeus.” This is the same group previously exposed for exploiting a zero-day vulnerability in Google Chrome to deploy rootkits.

Lessons Learned

The Radiant Capital exploit exposes critical vulnerabilities in the multi-signature security model that many DeFi protocols rely on. Even industry-standard best practices — including transaction simulation, payload data verification, and hardware wallet usage — proved insufficient against a sophisticated state-sponsored attack. The incident underscores that DeFi protocols need device-level security solutions that go beyond traditional transaction verification.

The attack also highlights the growing threat posed by nation-state actors in the cryptocurrency space. The U.S. Cybersecurity and Infrastructure Security Agency has previously warned that North Korean threat actors actively target cryptocurrency firms, exchanges, and DeFi protocols to generate and launder funds supporting state operations.

User Action Required

If you have interacted with Radiant Capital on Arbitrum or BNB Chain, immediately revoke all token approvals for Radiant contract addresses. Monitor your wallets for any unauthorized transactions and consider moving funds to fresh wallet addresses as a precaution. Stay informed through Radiant’s official communication channels for updates on the recovery process and any potential reimbursement plans. The platform is collaborating with U.S. law enforcement and zeroShadow to recover stolen funds.
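To see which approvals need revoking, the following added example (not code from Radiant, Ancilia or this article) replays ERC-20 Approval event logs and reports the allowances an owner still grants to a watchlist of spender contracts. The addresses and log entries are constructed placeholders, and the log shape assumes eth_getLogs output with block number and log index already converted to integers.

```python
# Added example: list allowances an owner still grants to watched spenders,
# replayed from ERC-20 Approval logs (shape as returned by eth_getLogs).
# topic0 of Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, owner, watchlist):
    """Return {(token, spender): amount} for non-zero allowances `owner` still
    grants to a spender in `watchlist`, taking the latest Approval per pair."""
    owner = owner.lower()
    watch = {a.lower() for a in watchlist}
    latest = {}
    # Replay in chain order so a later approve(spender, 0) overrides a grant.
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval has 4 topics)
        if topic_to_address(topics[1]) != owner:
            continue
        spender = topic_to_address(topics[2])
        if spender in watch:
            latest[(log["address"].lower(), spender)] = int(log["data"], 16)
    return {pair: amount for pair, amount in latest.items() if amount > 0}

# --- Constructed sample data; every address is a placeholder, not a real contract ---
def _pad(addr):
    return "0x" + "00" * 12 + addr[2:]

OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
WATCHED_SPENDER = "0x" + "11" * 20    # stands in for a Radiant contract address
UNRELATED_SPENDER = "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "c1" * 20, "0x" + "c2" * 20

def _log(token, owner, spender, amount, block, index):
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": hex(amount)}

SAMPLE_LOGS = [
    _log(TOKEN_B, OWNER, WATCHED_SPENDER, 0, 150, 1),          # later revoke
    _log(TOKEN_A, OWNER, WATCHED_SPENDER, UNLIMITED, 100, 0),  # still live
    _log(TOKEN_B, OWNER, WATCHED_SPENDER, 500, 101, 3),        # superseded by the revoke
    _log(TOKEN_A, OWNER, UNRELATED_SPENDER, 1000, 120, 0),     # spender not watched
    _log(TOKEN_A, OTHER, WATCHED_SPENDER, 7, 130, 2),          # different owner
]
```

The figure derived from logs is an upper bound, because transferFrom can draw an allowance down without emitting a new Approval event; confirm each pair with the token's allowance(owner, spender) call before and after revoking.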

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.

10 thoughts on “Radiant Capital Suffers $50 Million Exploit in Sophisticated Multi-Sig Attack”

  1. $50M through a backdoor contract exploiting multisig. every defi protocol should be auditing their wallet infrastructure not just their smart contracts

    1. bridge_patrol_ auditing smart contracts but ignoring wallet infrastructure is how you get Radiant. the multisig signers were the actual attack surface, not the code itself

  2. the transferFrom exploit letting the attacker move tokens directly from user accounts is the nightmare scenario. no amount of personal wallet security helps when the protocol itself gets owned

    1. transferFrom is the worst possible exploit vector because users don't need to have done anything wrong. you just wake up empty

      1. wake up empty because the protocol you trusted had a backdoor in its multisig. no personal wallet security fixes protocol level exploits

        1. multisig_cop waking up to an empty wallet because the protocol itself got owned is the worst feeling. your personal security means nothing when transferFrom gets exploited at the contract level

  3. $50M gone and the malicious contract at 0xd50cf00b6e600dd036ba8ef475677d816d6c4281 was deployed and executed in minutes. imagine checking your wallet and your tokens are just gone

    1. Ancilia flagged it fast but by then it was already done. cross-chain attacks are brutal because the attacker moves funds through bridges before anyone can react. speed is everything

      1. ancilia flagged it fast but the damage was done in minutes. cross chain response time needs to be sub-second not sub-hour

  4. the attacker deployed the malicious contract and drained 50M across arbitrum and BNB chain in minutes. multi-sig is only as strong as the signers vetting process
