A North Korean threat actor was responsible for the $50 million heist that Radiant Capital fell victim to in October, the decentralized finance (DeFi) project says.

The incident occurred on October 16, after three developers got infected with malware and their devices were used to sign fraudulent transactions during a routine multi-signature emissions adjustment process.

Radiant published a post-mortem on October 18 explaining that the attackers deceived the Safe{Wallet} verification, which displayed legitimate transactions while the fraudulent ones were being performed in the background.

This led to the draining of roughly $50 million from core markets. Subsequently, the attackers exploited open approvals and withdrew funds from user accounts.

Now, Radiant reveals that the attack started in September, when a developer received a Telegram message purporting to come from a trusted former contractor and which delivered a link to a zipped PDF, requesting feedback on a new job opportunity related to smart contract auditing.

Given that requests to review PDFs are normal and that the document came from a former contractor, the developer shared the file with others for feedback, which led to multiple devices being infected with Inletdrift, a sophisticated backdoor that enabled the attackers to stage the heist.

“The front-end interfaces displayed benign transaction data while malicious transactions were signed in the background. Traditional checks and simulations showed no obvious discrepancies, making the threat virtually invisible during normal review stages,” Radiant explains.

The hackers staged malicious smart contracts across Arbitrum, Base, Binance Smart Chain, and Ethereum, which were executed on October 16. Immediately after execution, they removed traces of the backdoor and related browser extensions.

Mandiant, which investigated the attack, has attributed the attack to a North Korea-linked threat actor tracked as UNC4736, also known as AppleJeus or Citrine Sleet, which is aligned with Pyongyang’s primary foreign intelligence service Reconnaissance General Bureau (RGB).

“Although the investigation is ongoing, Mandiant assesses with high-confidence that this attack is attributable to a Democratic People’s Republic of Korea (DPRK)-nexus threat actor,” Radiant notes.

Related: North Korea Deploying Fake IT Workers in China, Russia, Other Countries

Related: In Other News: CVE Turns 25, Henry Schein Data Breach, Reward for Shahid Hemmat Hackers

Related: The Elusive Goal of Network Security

Related: Analysis of North Korea’s Internet Traffic Shows a Nation Run Like a Criminal Syndicate