
Developer Device Hack at Radiant Capital Grants Attackers the Power to Authorize $50 Million in Transactions

11-14-2024
Fraud is a severe threat in today's world, impacting both individuals and businesses as criminal schemes grow increasingly sophisticated with technological advancements. A critical safeguard is personal vigilance, caution, and awareness of possible fraud techniques, as demonstrated in this case.

An effective strategy in combating fraud involves thinking like an attacker: understanding their motives, methods, and steps. Such an approach allows one to anticipate potential schemes, analyze them, and develop ways to protect oneself and one’s assets.

Throughout this article, you'll encounter blockchain-related terms, which can be reviewed in a glossary at the end.

Summary of Events

On October 16, 2024, the Radiant Capital project was hit by an attack that led to the loss of around $50 million.
  • Radiant Capital is a decentralized finance (DeFi) protocol aimed at creating a unified omnichain money market that enables users to deposit and borrow various assets across different blockchains.
Hackers compromised the devices of three key developers, trusted DAO members, by deploying sophisticated malware. Even though the developers' devices were hardened and geographically dispersed, the attackers bypassed these protections and obtained signatures on unauthorized transactions.

The attack went undetected because the wallet interface displayed accurate data while the unauthorized transactions were processed covertly. The breach occurred during a routine multisignature token issuance update, with all standard procedures and checks followed. External reviews by SEAL911 and Hypernative confirmed that the malicious transactions were indistinguishable from legitimate ones during the verification process.
  • SEAL 911 is an initiative created for secure, accessible contact with a team of highly qualified security experts in emergencies.
  • Hypernative is a cybersecurity platform specifically designed to protect digital assets and Web3 infrastructure, offering tools for real-time threat monitoring, analysis, and prevention.
The attackers withdrew approximately $50 million from the platform's contracts on Arbitrum and BSC by exploiting the open token approvals that users had granted, which allowed withdrawals from users' balances. Radiant strongly advised all users to revoke approvals for its smart contracts across all blockchain networks.
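The advice to revoke approvals is actionable: an ERC-20 approval is just an `approve(spender, amount)` call, and revoking it is the same call with amount 0. The following added example (not Radiant Capital's or any wallet's code) decodes `approve()` calldata so a user can see exactly what a transaction grants, rates an allowance against the wallet's balance, and builds the revocation calldata for every live allowance granted to a spender that has been flagged as compromised. The selector and ABI layout are the standard ERC-20 ones; every token, spender and balance value is constructed.

```python
"""Inspect ERC-20 approve() calldata and build revocation calldata.

Added example (not Radiant Capital's or any wallet's code). The selector and the
ABI layout are the standard ERC-20 ones; all addresses and amounts are constructed.
"""

# First 4 bytes of keccak256("approve(address,uint256)"), the standard ERC-20 selector.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = 2**256 - 1


def _addr_word(address: str) -> bytes:
    """ABI-encode a 0x-prefixed 20-byte address as a left-padded 32-byte word."""
    raw = bytes.fromhex(address[2:])
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def encode_approve(spender: str, amount: int) -> bytes:
    """Build calldata for approve(spender, amount); amount 0 revokes the allowance."""
    return APPROVE_SELECTOR + _addr_word(spender) + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> tuple[str, int]:
    """Parse approve() calldata into (spender, amount); reject anything else."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not a well-formed ERC-20 approve() call")
    spender = "0x" + calldata[4 + 12:4 + 32].hex()   # address sits in the low 20 bytes of word 1
    amount = int.from_bytes(calldata[36:68], "big")  # word 2 is the allowance
    return spender, amount


def classify_allowance(amount: int, balance: int) -> str:
    """Rate an allowance: 'revoked', 'bounded', 'excessive' (above balance) or 'unlimited'."""
    if amount == 0:
        return "revoked"
    if amount >= 2**255:  # practically unlimited, including the common uint256 max
        return "unlimited"
    if amount > balance:
        return "excessive"
    return "bounded"


def revocations_needed(allowances, balances, compromised_spenders):
    """Return approve(spender, 0) calldata for every live allowance to a compromised spender.

    allowances: list of (token, spender, amount); balances: {token: balance}.
    """
    out = []
    for token, spender, amount in allowances:
        live = classify_allowance(amount, balances.get(token, 0)) != "revoked"
        if spender.lower() in compromised_spenders and live:
            out.append((token, spender, encode_approve(spender, 0)))
    return out


# Constructed sample: two tokens, one spender flagged as compromised.
SAMPLE_TOKEN_A = "0x" + "aa" * 20
SAMPLE_TOKEN_B = "0x" + "bb" * 20
SAMPLE_SPENDER_BAD = "0x" + "cc" * 20
SAMPLE_SPENDER_OK = "0x" + "dd" * 20
SAMPLE_ALLOWANCES = [
    (SAMPLE_TOKEN_A, SAMPLE_SPENDER_BAD, UINT256_MAX),  # unlimited, must be revoked
    (SAMPLE_TOKEN_B, SAMPLE_SPENDER_BAD, 0),            # already revoked
    (SAMPLE_TOKEN_A, SAMPLE_SPENDER_OK, 10**18),        # bounded, spender not flagged
]
SAMPLE_BALANCES = {SAMPLE_TOKEN_A: 5 * 10**18, SAMPLE_TOKEN_B: 10**18}


def demo():
    return revocations_needed(SAMPLE_ALLOWANCES, SAMPLE_BALANCES, {SAMPLE_SPENDER_BAD})


if __name__ == "__main__":
    for token, spender, calldata in demo():
        print(f"token {token}: send approve({spender}, 0) -> calldata 0x{calldata.hex()}")
```

Live allowance data would come from `allowance(owner, spender)` calls on each token; the functions above only reason about the values once fetched. Note that the amount check is by design: a bounded allowance to a compromised spender is still drainable up to that bound, so the revocation list is keyed on the spender, not on the size of the allowance.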

Radiant Capital’s DAO is collaborating with law enforcement agencies and cybersecurity company ZeroShadow to freeze the stolen assets and identify the perpetrators.

Investigation Background

We chose to analyze the fund movements from the victim's addresses, tracing the entire path of the stolen assets and identifying the perpetrators' methods at each stage. Our tool, BHolder, allows us to visualize this process effectively.

BHolder's connection graph, showing all cryptocurrency flows in this incident.

Attack Overview

The primary objective of the attackers was to obtain signatures approving transactions via multisignature wallets. They successfully hacked several devices—at least three, though the exact number is unknown. By displaying transactions that appeared legitimate in the interface, the hackers obtained the developers' signatures and then used them to gain access to the crypto assets.

Once the developers approved the transactions, the compromised devices altered them to malicious requests and re-sent them to hardware wallets for signatures. Safe Wallet reported an error, leading to further signing attempts, enabling the attackers to collect the necessary signatures and complete their attack.

Despite checks through Tenderly and other tools, unauthorized transactions appeared legitimate.
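The weak point described above is that the signer trusted the transaction shown by a compromised workstation, while the hardware wallet signed whatever that workstation forwarded. A mitigation that does not depend on the workstation is to recompute the Safe transaction hash on a separate, clean machine from the transaction fields the signer actually reviewed, and to sign only if it matches the hash the hardware wallet displays. The following added example (not Radiant Capital's, Safe's or any wallet vendor's code) does that recomputation. It carries its own Keccak-256 because Python's hashlib only ships NIST SHA3, and it uses the EIP-712 type strings of the Safe v1.3.0 contracts; the chain id is Arbitrum's, and every address, nonce and payload is constructed.

```python
"""Recompute a Safe (EIP-712) transaction hash on an independent machine.

Added example, not Radiant Capital's, Safe's or any wallet vendor's code. Pure-Python
Keccak-256 (hashlib has only NIST SHA3) plus the Safe v1.3.0 EIP-712 hashing scheme;
all addresses, nonces and payloads are constructed.
"""

_MASK = (1 << 64) - 1
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
# Rotation offsets r[x][y] laid out at index x + 5*y.
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & _MASK


def _keccak_f(s):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes, lane index = x + 5*y."""
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):  # rho + pi
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x + 5 * y])
        s = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & _MASK) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]  # chi
        s[0] ^= rc  # iota
    return s


def keccak256(msg: bytes) -> bytes:
    """Keccak-256 with the original 0x01 padding (Ethereum's variant), rate 136 bytes."""
    padded = bytearray(msg) + b"\x01" + b"\x00" * (135 - len(msg) % 136)
    padded[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(padded), 136):
        for i in range(17):
            s[i] ^= int.from_bytes(padded[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))


def _word(v) -> bytes:
    """ABI-encode an int or a 0x-prefixed address as one 32-byte word."""
    if isinstance(v, str):
        return bytes.fromhex(v[2:]).rjust(32, b"\x00")
    return v.to_bytes(32, "big")


def safe_tx_hash(chain_id, safe, to, value, data, operation=0, safe_tx_gas=0,
                 base_gas=0, gas_price=0, gas_token="0x" + "00" * 20,
                 refund_receiver="0x" + "00" * 20, nonce=0) -> bytes:
    """The EIP-712 digest a Safe owner signs (type strings from Safe v1.3.0)."""
    domain_sep = keccak256(keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
                           + _word(chain_id) + _word(safe))
    struct_hash = keccak256(
        keccak256(b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
                  b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
        + _word(to) + _word(value) + keccak256(data) + _word(operation) + _word(safe_tx_gas)
        + _word(base_gas) + _word(gas_price) + _word(gas_token) + _word(refund_receiver) + _word(nonce))
    return keccak256(b"\x19\x01" + domain_sep + struct_hash)


# Constructed scenario: the transaction reviewed in the UI versus the payload a
# tampered workstation would forward to the hardware wallet (different target).
SAFE = "0x" + "11" * 20
INTENDED = dict(chain_id=42161, safe=SAFE, to="0x" + "22" * 20, value=0,
                data=bytes.fromhex("a9059cbb") + _word("0x" + "33" * 20) + _word(10**18), nonce=7)
TAMPERED = dict(INTENDED, to="0x" + "44" * 20)


def hashes_match(reviewed: dict, presented_hash: bytes) -> bool:
    """The signer's check: recompute from the reviewed fields and compare with the device screen."""
    return safe_tx_hash(**reviewed) == presented_hash


if __name__ == "__main__":
    shown = safe_tx_hash(**TAMPERED)  # what a compromised host would put on the device
    print("hash on device :", shown.hex())
    print("hash recomputed:", safe_tx_hash(**INTENDED).hex())
    print("safe to sign?  :", hashes_match(INTENDED, shown))
```

The comparison only helps if the fields fed to `safe_tx_hash` come from a source the attacker does not control (the proposal as stored on-chain or in the Safe transaction service, read from a second machine), and if the signer refuses to retry after a "failed" signature without re-running the check: the article notes that the error shown by Safe Wallet is exactly what prompted the repeated signing attempts.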

Token Theft

BHolder connection graph demonstrating cryptocurrency received by address 0x0629b1048298ae9deff0f4100a31967fb3f98962.

Crypto assets worth the following amounts were stolen from smart contracts owned by Radiant Capital as a result of the attack:

  • 150.91 WBTC,
  • 3,840,364.73 ARB,
  • 2,353.74 WETH,
  • 481,392.51 USDC,
  • 161,514.30 USDT,
  • 44,415.67 DAI,
  • 8,469.86 WBNB,
  • 470.43 ETH,
  • 303,590.14 USDC,
  • 451,482.02 BSC-USD,
  • 160.35 BTCB,
  • 220.69 wBETH.

Once these tokens arrived at the main hacker wallet, 0x97a05becc2e7891d07f382457cd5d57fd242e4e8, mainly two tokens were used to launder the funds further.

As of now, tokens from the incident span three blockchain networks: Arbitrum, Ethereum, and Binance Smart Chain. The hacker mixes the cryptocurrency across blockchain networks, ultimately funneling funds to two addresses in three blockchains (Arbitrum, BSC, and Ethereum):

  • 0x8b75e47976c3c500d0148463931717001f620887 [25] (Arbitrum and Ethereum),
  • 0xcf47c058cc4818ce90f9315b478eb2f2d588cc78 [26] (BSC).

These addresses are used for the final handling and storage of the stolen funds, as well as for attempts to conceal their trails on the blockchain.

Further Cryptocurrency Movements

BHolder's connection graph, showing the division of the total cryptocurrency flow between two key addresses.

This section of the article examines the distribution of stolen cryptocurrency to two blockchain addresses across three blockchain networks: Arbitrum, BSC, and Ethereum:

  • 0x8b75e47976c3c500d0148463931717001f620887 [25] (Arbitrum and Ethereum),
  • 0xcf47c058cc4818ce90f9315b478eb2f2d588cc78 [26] (BSC).

Besides the proceeds of conversions (swaps), another significant counterparty of these two blockchain addresses is a third address belonging to the hacker. This is evident from the large transactions sent from that address to both addresses involved in the incident.

0x8b75e47976c3c500d0148463931717001f620887 (Arbitrum and Ethereum) not only accumulates stolen tokens but also sends part of them to a designated "storage" address, transferring 707.053640874178035263 ETH on the Ethereum network (equivalent to $2,035,455.32).

Thus, these blockchain addresses play a crucial role in asset distribution, aggregating funds, and preparing them for further transmission to other storage or anonymous wallets to obfuscate transaction chains and hide the trails.

Flow of Cryptocurrency from Two Blockchain Addresses to Multiple Counterparties on Arbitrum and Binance Smart Chain Networks

BHolder connection graph demonstrating cryptocurrency distribution across blockchain addresses on the Arbitrum network.

The graph provides a detailed trace of transactional activity from blockchain address 0xb7779da5386db9163be64a46a1a2341a08dfa445 [28], which made transfers totaling 12,293.92 ETH to 15 different addresses that display similar behavioral patterns.

Key characteristics of these patterns include:

  1. Transaction Date: All transfers were made on the same day, suggesting a pre-planned operation to distribute funds.
  2. Transaction Volumes: Transfer amounts show consistency, giving the impression of a coordinated action. Identical volumes and timeframes may indicate an attempt to disguise the origin of funds by dividing them into standardized transactions.

These observations suggest that the addresses receiving these transfers may be acting in synchronization, following a common tactic for obfuscating traces.

BHolder 2 connection graph, showing cryptocurrency distribution across blockchain addresses on the BNB network.

The graph shows a similar behavior pattern for blockchain address 0x62dc783c63be0ea579fdb0922d25f15355d89041 [29]. This address made transfers to 31 recipients on Binance Smart Chain, totaling 32,779.17 BNB. Like address 0xb7779da5386db9163be64a46a1a2341a08dfa445 [28] described above, this address displays similar signs:

  1. Consistent Transaction Date: All transfers occurred at the same time, indicating a pre-arranged distribution of funds.
  2. Uniform Transaction Volumes: Transfer amounts remain consistent, further suggesting a deliberate division of funds into standard transactions to mask their origin.

These parallels between blockchain addresses across different networks reveal a systematic approach by the perpetrators, aiming to create a transaction structure that complicates tracking and helps obscure the flow of cryptocurrency.
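The two signs listed above (all transfers on one day, near-identical amounts, many fresh recipients) are easy to turn into a heuristic that an analyst can run over a sender's outgoing transfers. The following added example (not AML Crypto's BHolder logic) groups transfers by sender and flags a sender whose outgoing transfers go to at least a minimum number of distinct recipients, fall within a single UTC day, and have a coefficient of variation of amounts below a threshold. The transfer records are constructed; on real data they would come from a chain indexer, and the thresholds would be tuned to the dataset.

```python
"""Flag same-day, uniform-amount fan-out from one address, the pattern described above.

Added example, not AML Crypto's BHolder logic. The transfer records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float   # native units (ETH / BNB)
    timestamp: int  # unix seconds


def fan_out_score(transfers, min_recipients=10, max_cv=0.15):
    """Per sender: distinct recipients, distinct UTC days, amount CV, and a flag.

    A sender is flagged when it reaches min_recipients distinct recipients, all
    transfers fall on one UTC day, and the amounts vary by no more than max_cv.
    """
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t.sender].append(t)
    report = {}
    for sender, txs in by_sender.items():
        amounts = [t.amount for t in txs]
        days = {datetime.fromtimestamp(t.timestamp, timezone.utc).date() for t in txs}
        recipients = {t.recipient for t in txs}
        avg = mean(amounts)
        cv = pstdev(amounts) / avg if avg else float("inf")
        flagged = len(recipients) >= min_recipients and len(days) == 1 and cv <= max_cv
        report[sender] = {"recipients": len(recipients), "days": len(days),
                          "cv": round(cv, 3), "flagged": flagged}
    return report


def _build_sample():
    base = 1729209600  # 2024-10-18 00:00:00 UTC, constructed
    sample = []
    # Constructed fan-out: one address sends about 800 ETH each to 15 fresh addresses within 15 minutes.
    for i in range(15):
        sample.append(Transfer("0xhub", f"0xrecv{i:02d}", 800 + (i % 3) * 5, base + 60 * i))
    # Constructed benign payer: varied amounts over six days to three recurring recipients.
    for i in range(6):
        sample.append(Transfer("0xpayer", f"0xvendor{i % 3}", 10 * (i + 1), base + 86400 * i))
    return sample


SAMPLE_TRANSFERS = _build_sample()


if __name__ == "__main__":
    for sender, row in fan_out_score(SAMPLE_TRANSFERS).items():
        print(sender, row)
```

The coefficient of variation is used rather than a fixed tolerance so that the same threshold works for ETH- and BNB-denominated flows of very different sizes; the recipient count keeps ordinary payroll-style senders with a handful of recurring counterparties from tripping the rule.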

Detailed Analysis of Address-Based Transactions Used for Laundering on Arbitrum Network

BHolder connection graph showing cryptocurrency flow from Arbitrum to Ethereum.

This section examines the interaction with bridges, which play a crucial role in moving crypto assets between blockchain networks. In cryptocurrency contexts, a bridge is a tool that allows digital assets to be transferred from one blockchain network to another, retaining their value and functionality.

Each address represented in the graph that received cryptocurrency from 0xb7779da5386db9163be64a46a1a2341a08dfa445 [28] used bridges to transfer assets from Arbitrum to Ethereum, complicating efforts to trace their criminal origin. For these operations, bridges such as Hop, Stargate, and Synapse were employed. A key characteristic of this address group is that, after using the bridge, recipients accumulated the funds on the new network (Ethereum), making it more difficult to analyze the initial source of funds.

Key features of these addresses include:

  1. Temporal Synchronization: All addresses demonstrated similar activity on October 18, 2024, suggesting coordinated actions.
  2. Fund Accumulation: After bridging, addresses held funds in their accounts, possibly preparing them for further movement, indicating a potential next phase of planned usage.

  • Hop Protocol is a multichain bridge that allows users to quickly and affordably transfer crypto assets between Ethereum mainnet and Arbitrum, Optimism, and Polygon. Launched in 2021, it enables users to send popular cryptocurrencies like ETH, MATIC, and USDT without long wait periods for fund withdrawals.
  • Stargate Finance is a liquidity protocol that simplifies cross-chain asset transfers using a unique bridge mechanism, enabling low-cost and high-speed asset transfers across different blockchains. Stargate allows users to swap tokens across networks.
  • Synapse is another cross-chain protocol that allows users to exchange assets across different blockchains, focusing on transaction security and speed to facilitate easy asset movement.
Currently, cryptocurrency assets on the Ethereum network are concentrated at the following addresses:

0x44e1fd07928777212578e5ca03004b99e0dda01e [90]
0x803536aad020da0a27b36aa2a847867070276045 [91]
0x4afbd65e78bf55cf95b6d4699f0edfe4cd180b6f [92]
0x491c24a82c0b042cf34bfa59e340aff5f98b44b1 [93]
0xdecf6c2ee70d2b96f55073331347bdf6f8d25668 [94]
0x5b9aa4832af1d559ee29053403e9b94e242b534c [95].

These addresses will likely be used for further fund transfers, complicating the tracing process and obfuscating transaction structures.

Actions aimed at "cleaning" the funds often involve interaction with multiple networks and the use of intermediary addresses to reduce traceability.

Detailed Analysis of Address-Based Transactions Used for Laundering on Binance Smart Chain

BHolder connection graph showing cryptocurrency flow from BSC to Ethereum.

On Binance Smart Chain (BSC), the perpetrator employed an action model slightly different from the scheme on Arbitrum, where cryptocurrency was sent through a bridge to another network on new blockchain addresses. In this case, using address 0x62dc783c63be0ea579fdb0922d25f15355d89041 [29], the hacker distributed crypto assets to multiple addresses and then sent them to various services, including DODO, Stargate, 0x, DLN, and Kyber. Following the network transition, the hacker received the assets back at the originating addresses and sent them to new ones. For ease of analysis and visualization, all these services are consolidated into a single node - [80].
  • DODO is a decentralized exchange launched in August 2020, offering users the ability to trade various assets across multiple blockchains, including Ethereum and Binance Smart Chain.
  • 0x is a protocol that provides infrastructure for decentralized exchanges on Ethereum. It enables developers to integrate exchange functions into their applications using smart contracts for order processing.
  • DLN is another protocol focusing on liquidity provision for decentralized applications, allowing users to provide liquidity and earn rewards.
  • Kyber Network is a decentralized exchange protocol that allows users to swap tokens directly from their wallets, aggregating liquidity from various sources to ensure users get the best prices.
In the laundering process, the hacker repeatedly transferred assets to various services and received them back at the originating addresses, then consolidated the overall fund flow, including cryptocurrency from other sources, at five addresses:

0x589e8b991c2afd2d8d4def8f7f0cbf67073a9b19 [85],
0x759f1ad55a044f22c96b32c5a359cfa52e34c98f [86],
0x9beeecc34fad6367c991fd6b701fdc477e54ce34 [87],
0xcd69d20b41fddbf1c37e51a590628367a742d50f [88],
0xecae977e56c2480dcae69f7149dc4b13d452b7cf [89].

As of now, these assets remain at these addresses for further use.

Conclusions

Summing up the current stage of our investigation into the perpetrator’s criminal scheme, we note that the theft and laundering processes in this incident are characterized by a high level of complexity and variety in the tools used, demonstrating the advanced technical skills of the hacker responsible for this crime.

The perpetrator repeatedly used bridges and swaps, dispersing the total flow of funds across multiple addresses and then re-consolidating them at designated nodes. This was done to further redistribute assets across numerous blockchain addresses and services, making their movement difficult to trace.

A potential endpoint for cashing out the funds could be a cryptocurrency exchange, which, upon detecting the original source of the assets, would likely block withdrawal attempts. In collaboration with law enforcement, the exchange may also assist in identifying the perpetrator(s) and bringing their actions to light.

We will continue to monitor the perpetrator’s activities and keep you updated on any subsequent actions and steps taken in the context of this case.

How to Protect Yourself from Fraudsters

Protection against fraud in the cryptocurrency field requires thorough knowledge and understanding of blockchain technology. Blockchain is a promising yet complex area, demanding a responsible approach and a deep understanding of the fundamentals. Before delving into the world of cryptocurrencies, it’s essential to grasp the core principles of how this technology works. Mistakes arising from a lack of knowledge can lead to serious financial losses, especially given the responsibility associated with managing digital assets.
Before starting with blockchain platforms and investing in cryptocurrency, it is recommended to study the basic concepts: transaction principles, wallet types, security methods, and ways to protect against fraudulent schemes. The cryptocurrency field is evolving rapidly, and staying informed about new tools and trends can help minimize risks.

In our blog, you will find materials and guides that cover key aspects of cryptocurrency and blockchain, helping even beginners navigate this sphere confidently.

For professional support, our team of experts is ready to consult on the fundamentals of cryptography, analyzing complex operations, and the nuances of investing, secure storage, and asset regulation. We will select optimal solutions tailored to your tasks and needs.

If you encounter cryptocurrency fraud, contact us via Telegram or email. We will analyze the situation and propose possible steps to recover assets or mitigate losses.

Terms and Definitions

  • Blockchain
    – A technology representing a chain of linked blocks. Each block stores specific information and contains a reference to the previous block.
  • Blockchain Network
    – A unique ecosystem that enables users not only to conduct transactions with cryptocurrency but also to create and use third-party applications, offer various services, and create tokens.
  • DeFi Protocol
    – A system composed of special programs—smart contracts—operating on a blockchain that enables operations like cryptocurrency exchanges, loans, and deposits without the involvement of banks or other intermediaries.
  • Hacker Attack
    – An activity by a perpetrator aimed at data theft or disruption of computer operation and programs through unauthorized access to a computer.
  • Token
    – A digital asset on the blockchain that can be used for operations such as purchasing goods, exchanging, and investing.
  • Smart Contract
    – A program that automatically executes specific actions when certain conditions are met.
  • Proxy Contract
    – A special smart contract that acts as an intermediary between a person and another smart contract.
  • Malicious Software (Malware)
    – A program designed to harm a computer by stealing data or disrupting its operation.
  • Token Swap
    – The process of exchanging one cryptocurrency for another using decentralized services powered by smart contracts.
  • Bridge
    – A technology that enables the transfer of tokens from one blockchain network to tokens in another blockchain network.
  • SOP (Standard Operating Procedure)
    – A step-by-step guide or instruction that defines the order of performing specific tasks and actions for company or organization employees. SOPs are intended to standardize processes, ensuring they are performed in accordance with established norms and requirements, which is especially crucial in companies with high-quality standards or strict security requirements.
  • Safe Wallet
    – A cryptocurrency wallet designed for the secure storage, management, and use of digital assets such as cryptocurrencies and tokens. Several well-known solutions are often referred to as "Safe Wallet," including:

    1. Safe – A multisig wallet built on smart contracts, used to manage digital assets on blockchains like Ethereum and other EVM-compatible networks. It is particularly popular in corporate settings and among DeFi professionals, as it offers a high degree of security and control over assets.
    2. SafePal – A hardware cryptocurrency wallet providing a high level of security by storing private keys offline. SafePal supports dozens of blockchains and thousands of tokens, and it comes with a mobile app that allows users to manage assets easily while keeping them secure.
  • Tenderly
    – A platform for developing, monitoring, and debugging smart contracts, designed for blockchain developers on Ethereum and other compatible networks. Tenderly simplifies the process of creating, testing, and monitoring smart contracts, providing developers with powerful tools for all stages of their lifecycle.
  • Hardware Wallet
    – A physical device designed for the secure storage of cryptocurrency. It stores private keys offline (without internet connection), significantly reducing the risk of hacking or unauthorized access. Hardware wallets are used for long-term storage of crypto assets and protection from cyberattacks, as they are isolated from potential threats inherent to network-connected devices.