Radiant Capital

avoid.net/radiant-capital→18/100·92% conf.

[AI-DRAFTED · AWAITING VERIFICATION]

18/100

[CRITICAL]92% conf.

Summary

Radiant Capital is a cross-chain lending protocol that suffered two exploits in 2024 totaling approximately $54.5 million. The critical October 2024 attack ($50M) compromised 3 of 11 multisig signers via InletDrift macOS malware delivered through Telegram social engineering, and was attributed by Mandiant with high confidence to UNC4736, a North Korean state-sponsored threat actor also tracked as AppleJeus and Citrine Sleet. The same group subsequently attacked Drift Protocol for $285 million in April 2026. No funds have been recovered; RDNT token has declined approximately 99.7% and was delisted from major exchanges.

Have evidence about Radiant Capital?

No evidence submitted yet — be the first.

On-chain audit

Editorial decisions, corrections, and updates are anchored on Solana.

audit log →version history →

Protocol Overview

Radiant Capital is a cross-chain lending and borrowing protocol initially launched on Arbitrum in 2023, later expanding to BNB Chain, Ethereum mainnet, and Base. The protocol uses LayerZero's Omnichain Fungible Token (OFT) standard to enable unified liquidity across chains. Radiant V2 launched in early 2024 with an 11-of-11 multisig governance structure for administrative operations. The native token RDNT is used for governance and liquidity incentives. Prior to the October 2024 exploit, the protocol held approximately $300 million in total value locked across all chains.

Sources

[1]MEDDeFi Llama — Radiant TVLon chain

January 2024 Flash Loan Exploit — $4.5M

On January 3, 2024, Radiant Capital suffered a flash loan exploit on Arbitrum resulting in approximately $4.5 million in losses. The attack exploited a rounding vulnerability in the protocol's lending pool implementation, specifically in the burn mechanism when the pool's total supply and underlying assets were manipulated via flash loan to create a rounding discrepancy. The vulnerability was a known issue in Compound/Aave fork implementations. Radiant paused operations on Arbitrum and later resumed after patching.

Sources

[1]HIGHRadiant Capital Post-Mortem (Medium)official

October 2024 Exploit — $50M Multisig Compromise

On October 16, 2024, Radiant Capital suffered a catastrophic exploit resulting in approximately $50 million in losses across Arbitrum and BNB Chain. The attackers compromised 3 of the 11 multisig signers' devices using InletDrift, a sophisticated macOS malware delivered through a Telegram social engineering campaign. The attackers posed as a former contractor sharing a PDF document purportedly related to a smart contract audit. The malware established persistent backdoor access to the compromised devices, allowing the attackers to inject malicious transactions during a routine emissions adjustment multisig operation. The compromised signers' devices displayed legitimate-looking transaction data while the actual on-chain transactions contained different payloads that transferred ownership of lending pool contracts to attacker-controlled addresses. Funds were drained from lending pools on both Arbitrum and BNB Chain within minutes of the ownership transfer.

Sources

[1]HIGHRadiant Capital Incident Update 2024-12-06 (Medium)official
[2]HIGHRadiant Capital Loses $50M to Blockchain Exploit (CoinDesk)news article
[3]HIGHRadiant Links $50M Crypto Heist to North Korean Hackers (BleepingComputer)news article

DPRK/UNC4736 Attribution

On December 6, 2024, Radiant Capital publicly attributed the October exploit to UNC4736 (also tracked as AppleJeus, Citrine Sleet, and Gleaming Pisces), a North Korean state-sponsored threat actor assessed to be a subunit of the Lazarus Group. The attribution was conducted by Mandiant, Google's cybersecurity subsidiary, with high confidence. Key indicators included: the social engineering methodology (impersonation via Telegram), the InletDrift malware family (previously linked to DPRK campaigns), the timing patterns of the attack staging, and on-chain fund flow overlaps with prior DPRK-attributed operations. The same UNC4736 group was subsequently attributed to the April 2026 Drift Protocol exploit ($285 million), where similar social engineering and malware delivery techniques were employed over a six-month infiltration campaign. The Drift attribution was corroborated by Chainalysis, Elliptic, and TRM Labs, all of which cited the Radiant Capital attack as a precursor operation by the same group.

Sources

[1]HIGHRadiant Capital Says North Korean Hackers Behind $50M Attack (CoinDesk)news article
[2]HIGHRadiant Links $50M Crypto Heist to North Korean Hackers (BleepingComputer)news article
[3]MEDtayvano lazarus-bluenoroff-research: radiant.md (GitHub)research

Connection to Drift Protocol Attack

The April 2026 Drift Protocol exploit ($285 million) was attributed to the same UNC4736 threat actor by Drift Protocol itself, Chainalysis, Elliptic, and TRM Labs. On-chain fund flows from the Drift staging phase traced back to wallets previously linked to the Radiant Capital exploit. Both attacks shared: (1) social engineering via Telegram using fake professional identities, (2) malware delivered through seemingly legitimate development tools, (3) multisig compromise targeting governance key holders, and (4) similar laundering patterns through Tornado Cash and cross-chain bridges. The Drift attack represented a significant escalation in sophistication — the social engineering campaign lasted six months versus weeks for Radiant, and the total take was nearly six times larger.

Sources

[1]HIGHDrift Protocol Exploited for $286M in Suspected DPRK-Linked Attack (Elliptic)research
[2]HIGHThe Drift Protocol Hack: How Privileged Access Led to a $285M Loss (Chainalysis)research
[3]MED$285M Drift Hack Traced to Six-Month DPRK Social Engineering Operation (The Hacker News)news article

Market Impact and Recovery Status

Following the October 2024 exploit, Radiant Capital's TVL collapsed from approximately $300 million to under $10 million. The RDNT governance token declined from approximately $0.07 at the time of the exploit to under $0.001 by early 2026 — a decline of approximately 99.7%. Major exchanges including Binance, OKX, and Crypto.com delisted RDNT in early 2025. No stolen funds have been recovered. The stolen ETH, worth approximately $50 million at the time of the exploit, appreciated to approximately $103 million as ETH prices rose, effectively doubling the attackers' gains. The protocol has not resumed full operations and governance activity has been minimal since the exploit.

Sources

[1]MEDDeFi Llama — Radiant TVLon chain

Timeline

2023-07-01

Radiant Capital V2 launches on Arbitrum with cross-chain lending via LayerZero.

DeFi Llama

2024-01-03

Flash loan exploit on Arbitrum results in $4.5M loss from rounding vulnerability.

Radiant Capital Medium

2024-10-16

Critical exploit: $50M stolen via compromised multisig (3 of 11 signers) on Arbitrum and BNB Chain.

CoinDesk

2024-12-06

Radiant publicly attributes October exploit to UNC4736 (DPRK/Lazarus) based on Mandiant investigation.

CoinDesk

2025-01-15

Major exchanges (Binance, OKX, Crypto.com) delist RDNT token.

BleepingComputer

2026-04-01

Drift Protocol exploited for $285M by same UNC4736 group; on-chain flows link to Radiant staging wallets.

Chainalysis

2026-04-05

Drift Protocol publicly confirms UNC4736 attribution and links attack to Radiant Capital hackers.

Crypto News

model: claude-code-investigator

generated: 5/10/2026, 6:08:15 AM

last updated: 5/10/2026, 6:08:15 AM

avoid.net — verified advice for a post-truth world