Radiant Capital hacker stole $53 million and increased it to $94 million through Ethereum transactions | Analysis of the methods used by the North Korean hacker group AppleJeus
The hacker who stole $53 million from Radiant Capital last October has increased the assets to $94 million through precise Ethereum swing trading. On-chain data shows that they realized arbitrage by selling 9,631 ETH at a high price and repurchasing at a low price, and they currently hold 14,436 ETH and 35.29 million DAI. Security experts have attributed the attack to the North Korean AppleJeus organization, and the possibility of recovering the funds is extremely low. This article combines on-chain analysis to trace the hacker's trading path and draw out the warnings for DeFi security.
Hacker Ethereum Trading Strategy: Cashing Out at the High and Accumulating at the Low
According to a tracking report released by on-chain analyst EmberCN on August 19, the hackers sold 9,631 ETH for 43.9 million DAI when the price of ETH reached $4,562; then, when the price corrected to $4,096, they repurchased 2,109.5 ETH with 8.64 million DAI. This operation not only locked in profits but also reduced the cost basis of the position. Currently, the wallet holds 14,436 ETH and 35.29 million DAI, with a total value of $94.63 million, representing a 78% increase from the initial stolen amount.
Review of the Radiant Capital Attack Incident: macOS Malware Breaches Multi-Signature Wallet
In October 2024, the cross-chain DeFi protocol Radiant Capital experienced one of the most severe attacks of the year. Hackers compromised the core team's multi-signature wallet using a macOS-specific malware called INLETDRIFT, stealing assets from lending pools on networks such as Arbitrum. After the incident, the attackers quickly converted the stolen assets into 21,957 ETH (worth $53 million at the time) and held them long-term until the current bull market.
The Tactics of North Korean Hacker Group AppleJeus and the Challenges of Fund Recovery
Multiple blockchain security firms attributed this attack to the North Korean AppleJeus group, which is known for targeting exchanges and DeFi protocols. Although Radiant Capital is working with the FBI and security organizations such as Chainalysis and SEAL911 to investigate, the funds continue to move through on-chain transactions on the Ethereum network, making recovery hopes slim. This is the second attack Radiant has faced in 2024, having previously suffered a $4.5 million flash loan attack.
On-chain data reveals the hacker's position structure and market impact
Blockchain analysis company Lookonchain pointed out that most of the hackers' asset appreciation came from holding their position during the ETH rally. Currently, ETH accounts for over 80% of their asset portfolio, leaving them significantly exposed to cryptocurrency volatility. Notably, the hackers chose to keep a portion of their profits in stablecoins (holding 35.29 million DAI), possibly leaving room for subsequent operations or cashing out.
DeFi Security Insights: Systemic Threats Still Present in 2025
This incident once again highlights the security vulnerabilities in the DeFi sector. The multi-signature wallet was breached by macOS malware, reflecting weaknesses in the protection of signers' devices. With the hackers' funds having grown to $94 million, their subsequent actions (such as concentrated dumping or mixing operations) could have a chain-reaction effect on the market. Security experts urge project teams to strengthen multi-signature permission management and conduct security audits on devices.
Conclusion
The Radiant hacker incident demonstrates a trend of professionalization in modern crypto crime: technical infiltration, asset transfer, and on-chain value appreciation now form a complete closed loop. Although on-chain analysis can trace the flow of funds, cross-border law enforcement and the recovery of illicit funds still face substantial obstacles. DeFi projects need to build a comprehensive security system that extends from smart contracts to the device layer, rather than relying solely on multi-signature mechanisms.