
Ethereum stolen by the Radiant Capital hacker has gained 93.5% in value.

North Korea-affiliated hackers suspected of masterminding Radiant Capital's October security breach, according to web3 security teams.


In October 2024, a hacker managed to steal $53 million worth of Ethereum (ETH) from Radiant Capital, a decentralized finance (DeFi) platform. However, recent developments have shown that the hacker has nearly doubled their ill-gotten gains, highlighting the need for improved security measures in the DeFi sector.

The hacker strategically managed their ETH stash, converting a significant portion into stablecoins and holding the rest to capitalize on price appreciation. According to reports, they converted 3,091 ETH into $13.26 million worth of DAI stablecoins by August 2025. The remaining 12,326 ETH, currently worth approximately $58.6 million, has been held for nearly ten months, with selective cash-outs at opportune times. This patient strategy has nearly doubled the value of the stolen funds, growing the original $53 million to approximately $102 million by mid-2025.

The attackers exploited a vulnerability in Radiant Capital's multisignature wallet setup. They impersonated a former contractor via Telegram and sent a booby-trapped file disguised as a smart contract auditing report. This file delivered INLETDRIFT, a macOS backdoor malware capable of manipulating front-end transaction data. The malware enabled blind signing of malicious smart contract transactions that manipulated Radiant's systems to authorize the theft.

Despite the collaboration with security firms, Chainalysis, and law enforcement including the FBI, the stolen funds were effectively untraceable and unrecoverable. The hack exposed systemic vulnerabilities in DeFi security, especially concerning multisignature wallets and social engineering risks.

ZeroShadow, along with other Web3 security firms, was involved in the investigation of the breach. They corroborated Radiant's assessment and attributed the incident to North Korea-linked actors with "high confidence". It was also noted that the movements to Hyperliquid stemmed from Radiant users failing to revoke permissions, not from the funds stolen in the initial incident.

The Ethereum price surge, which has taken the cryptocurrency past $4,700 to a multi-year high, has played a major role in boosting the value of the stolen funds. The hacker's Ethereum holdings are currently valued at approximately $102.54 million, including the unsold ETH.

This case underscores the critical need for stronger, more sophisticated security controls in DeFi platforms. Developers must be vigilant against social engineering and malware compromising wallet authorization, and users must be cautious about granting permissions and regularly reviewing their account activities. A more proactive approach to security is essential to protect the growing DeFi ecosystem from similar attacks in the future.
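Reviewing granted permissions, as recommended above, comes down to replaying a wallet's ERC-20 Approval events and listing every allowance that was never reset to zero. The following Python example is added here and is not code from Radiant or the investigating firms; the addresses and log entries are constructed, and the log shape assumed is the one returned by the standard `eth_getLogs` JSON-RPC call.

```python
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1

def pad(addr):
    """Encode an address as a 32-byte indexed topic (left-padded with zeros)."""
    return "0x" + "0" * 24 + addr[2:]

def topic_to_address(topic):
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner):
    """Return {(token, spender): amount} for allowances `owner` never revoked."""
    owner, latest = owner.lower(), {}
    order = lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    # Replay in chain order so a later revoke (value 0) overrides an earlier grant.
    for log in sorted(logs, key=order):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval has 4 topics)
        if topic_to_address(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16) if log["data"] != "0x" else 0
    return {k: v for k, v in latest.items() if v > 0}

def report(allowances):
    """Human-readable lines, unlimited approvals called out explicitly."""
    return [f"token={t} spender={s} allowance="
            + ("UNLIMITED" if a == UNLIMITED else str(a))
            for (t, s), a in sorted(allowances.items())]

# Constructed sample data: placeholder addresses, deliberately out of chain order.
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20
TOKEN, TOKEN2 = "0x" + "11" * 20, "0x" + "22" * 20

def mk(token, owner, spender, value, block, index):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    mk(TOKEN, OWNER, SPENDER_B, 0, 0x20, 0),          # revoke of the grant below
    mk(TOKEN, OWNER, SPENDER_A, UNLIMITED, 0x10, 0),  # never revoked
    mk(TOKEN, OWNER, SPENDER_B, 1000, 0x12, 1),
    mk(TOKEN2, OTHER, SPENDER_A, 5, 0x15, 0),         # different owner
]

if __name__ == "__main__":
    print("\n".join(report(outstanding_allowances(SAMPLE_LOGS, OWNER))))
```

Any non-zero entry in the output is a contract that can still move that token from the wallet; setting the allowance to zero with the token's `approve` function revokes it.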


  1. The hacker's strategic approach to managing their stolen Ethereum (ETH) has nearly doubled the value of the initial $53 million, growing it to approximately $102 million by mid-2025, due in part to the Ethereum price surge that saw the cryptocurrency surpass $4,700.
  2. The attack on Radiant Capital, a decentralized finance (DeFi) platform, highlighted the need for improved security measures in the DeFi sector, particularly concerning social engineering risks and the vulnerability of multisignature wallets.
  3. Despite collaboration with security firms, law enforcement, and forensic analysis by sources such as Chainalysis, the stolen funds from Radiant Capital were found to be effectively untraceable and unrecoverable.
  4. The case serves as a reminder of the critical need for stronger, more sophisticated security controls in DeFi platforms, as a more proactive approach to security is essential to protect the growing DeFi ecosystem from similar attacks in the future.
