
North Korean hackers steal $50M in cryptocurrency from Hong Kong-based platform

A North Korean hacking group known as “UNC4736,” also referred to as “Citrine Sleet” or “AppleJeus,” has been identified as the culprit behind a major cyberattack that stole $50 million worth of cryptocurrency from Radiant Capital, a decentralized finance (DeFi) company headquartered in Hong Kong.

Radiant Capital revealed on its website on December 6 that the hacking incident, which took place in October, was carried out by the North Korean-linked group. The announcement came after an investigation in collaboration with Mandiant, a cybersecurity firm under Google, confirmed UNC4736’s involvement.

DeFi platforms like Radiant Capital provide financial services that allow users to borrow, lend, and manage cryptocurrencies without the need for intermediaries like banks. Radiant Capital offers a platform where users can deposit, loan, and manage various types of cryptocurrencies.


The attack was traced back to a Telegram message received on September 11 by a Radiant Capital developer. The message, sent by a hacker posing as a “trusted former contractor,” included a malicious file disguised as a request to review a new project. Upon opening the file, the developer inadvertently gave the hacker access, leading to the breach.

UNC4736 is believed to be a sub-group of the infamous North Korean hacking organization “Lazarus Group,” which is linked to North Korea’s Reconnaissance General Bureau, the country’s top intelligence agency. The group has a long history of high-profile cyberattacks on global financial institutions, energy infrastructure, and cryptocurrency platforms.

In April, UNC4736 was implicated in attacks on financial and energy infrastructure in both the U.S. and Europe. At the time, the U.S. government warned that North Korea was targeting cryptocurrency firms, exchanges, and gaming companies as part of a broader strategy to secure state funds.

According to an October report from Microsoft, North Korean hackers stole more than $3 billion from cryptocurrency exchanges between 2017 and 2023. The funds are believed to support North Korea’s weapons development program, which faces heavy international sanctions.

Radiant Capital is now working with U.S. investigative authorities and blockchain analysis firm ZeroShadow to recover the stolen funds. Efforts are ongoing to track the movement of the stolen assets and prevent further misuse.

BY YOUNGNAM KIM [kim.youngnam@koreadaily.com]

The Korea Daily
The Korea Daily (미주중앙일보) is the largest Korean media outlet in the U.S.