Radiant Capital Shuts Down After $50M North Korea-Linked Hack

Radiant Capital winds down after $50 million North Korea-linked hack

Radiant Capital is shutting down active operations after a $50 million exploit tied to North Korea-aligned attackers left the DeFi lending protocol unable to recover financially or secure fresh funding.

• $50 million crypto exploit
• North Korea-linked attackers
• Maintenance mode only
• TVL collapsed from $386.8 million to around $5 million

The protocol won’t disappear entirely. It will stay online in a maintenance state so users can withdraw assets, repay loans, and manage existing positions, but development, upgrades, and expansion are done. Radiant DAO said the protocol could no longer identify a viable route forward, and without recovered funds, new investment, or renewed growth, the numbers simply stopped working. Brutal, yes — but that’s what happens when a DeFi project gets kneecapped hard enough and the damage runs deeper than the code.

From fast growth to shutdown

Radiant Capital launched in 2022 as a cross-chain lending protocol, meaning it let users borrow and lend assets across different blockchains instead of staying trapped on one network. For a while, the pitch worked. In December 2023, total value locked, or TVL — the amount of crypto deposited in a protocol’s smart contracts — hit $386.8 million. That was real momentum, not just vaporware and token-pumping theater.

Then came the hack in 2024. After the exploit, TVL reportedly fell to around $75 million, then dropped to about $5 million within weeks. That’s not a correction. That’s a collapse. Once trust evaporates in DeFi, liquidity tends to follow it straight out the door.

The shutdown is also a reminder that a protocol can have a solid idea and still get wrecked by weak operational security. Smart contracts matter, sure. But so do people, permissions, signers, vendors, and the boring stuff most teams would rather ignore until the day everything catches fire.

How the Radiant Capital hack happened

The attack was a nasty mix of social engineering and access abuse. In December 2024, Radiant said the attacker posed as a former contractor and distributed a malicious ZIP file through Telegram. That kind of move works because crypto teams, like any team, rely on trust and fast-moving communication. Hackers know that the easiest way into a system is often through a human being who is busy, rushed, or just one careless click away from disaster.

Mandiant later linked the breach to the AppleJeus group, which it says is part of North Korea’s cyber ecosystem. According to Mandiant, the attackers compromised 3 of Radiant’s 11 multisig signer permissions. A multisig signer is one of the people or keys needed to approve important protocol actions. Multisig is meant to add security by requiring multiple approvals, but it is not a magic shield. If enough signers are compromised, the protection turns into expensive window dressing.

The attackers reportedly replaced the lending pool’s implementation contract and stole about $53 million from the Arbitrum and BNB Chain deployments. The implementation contract is the logic layer behind the protocol — the part that tells the system how to behave. Swap that out, and you are no longer nudging the system. You are steering it.

That attack path matters because it shows how DeFi can fail in places that don’t show up on a glossy dashboard. People often focus on smart contract audits and ignore the broader operational attack surface. Bad move. The real world is messy, and state-backed hackers do not care how elegant your tokenomics are.

Why recovery failed

Radiant DAO said the wind-down followed failed recovery attempts and a cold financial reality: the protocol could not remain sustainable without recovered funds, new investment, or renewed growth. The frontend will remain online, and the smart contracts will still be accessible, but active development is over. Any assets recovered in the future are expected to be returned to affected users.

That “maintenance state” is a lifeline, not a relaunch. It means the protocol is being left open so users can unwind positions and move assets, but there’s no meaningful future roadmap. No big comeback arc. No fresh expansion story. Just controlled shutdown and cleanup.

Radiant’s RDNT token dropped 4.2% after the closure announcement, which is hardly surprising. When a project admits it can’t grow and is basically entering end-of-life mode, token holders tend to notice pretty quickly. Markets, for all their chaos, do have one useful habit: they usually smell a dead protocol before the marketing team does.

The laundering trail and the Tornado Cash problem

Tracing the stolen funds has been its own grim side plot. CertiK reported in October 2025 that attacker wallets moved 2,834 ETH into Tornado Cash, the crypto mixer used to obscure where funds came from and where they go. CertiK estimated that approximately $10.8 million worth of Ethereum had already been laundered through the mixer.

This is where the privacy-versus-abuse debate gets ugly. Privacy tools have legitimate uses, and there is a real argument for financial privacy in a surveillance-heavy world. But when North Korea-linked hackers are using mixers to wash stolen crypto, the optics are bad for everyone and the victims get stuck holding the bag. Tornado Cash is not the only tool in that category, but it has become the poster child for the uncomfortable fact that freedom tech can be abused as easily as it can protect.

Drift Protocol later said it had medium-high confidence that the same actors were behind a separate exploit against its platform. That points to something broader than a one-off smash-and-grab. North Korea-linked crypto theft has become a repeatable business model: social engineering, fake identities, malicious attachments, compromised permissions, and laundering through multiple wallets and mixers. It’s industrialized theft, plain and simple.

What Radiant Capital’s collapse says about DeFi security

Radiant Capital’s downfall is a reminder that DeFi security is not just a smart contract problem. It is a people problem, a process problem, and a governance problem. Protocols can have strong code and still die if signer controls are weak, contributors are tricked, or operational discipline goes missing. That’s the uncomfortable truth nobody wants to put on a banner.

Cross-chain lending adds even more complexity. By operating across networks like Arbitrum and BNB Chain, protocols expand their reach, but they also expand their attack surface. More chains, more bridges, more permissions, more places for attackers to probe. Innovation is great, but complexity has a habit of collecting interest.

For users, the important point is simple: assets are still withdrawable, loans can still be repaid, and existing positions can still be managed. For the broader market, the lesson is harsher. DeFi can be powerful, but the moment trust in a protocol’s controls breaks down, the whole thing can unravel fast. Code is law until somebody gets hold of the keys.

Radiant had real traction in 2023. It also had enough fragility underneath to be crushed by a coordinated, state-linked attack. That is not a reason to abandon decentralized finance. It is a reason to stop pretending security theater is enough.

• Why is Radiant Capital shutting down?
  It could not recover from the $50 million exploit or secure enough funding and growth to continue sustainably.
• Can users still access funds?
  Yes. The protocol will remain online in maintenance mode so users can withdraw assets, repay loans, and manage positions.
• Who was blamed for the hack?
  Investigators linked the attack to North Korea-aligned actors, specifically the AppleJeus group.
• How did the attackers get in?
  Through social engineering, including a fake former contractor, a malicious ZIP file on Telegram, and compromised multisig permissions.
• What does this mean for DeFi security?
  It shows that operational security, signer controls, and human processes can be just as important as the smart contracts themselves.
• Why does Tornado Cash matter here?
  Because part of the stolen ETH was laundered through the mixer, highlighting the ugly overlap between privacy tools and criminal finance.
• Is this the end of DeFi lending?
  No, but it is a sharp warning that weak governance and sloppy security can kill even well-known protocols.