Radiant Capital hack threat actors
Threat actors assessed with medium-high confidence to be the same cluster responsible for the October 2024 Radiant Capital hack, which the cited reporting attributes to North Korea. The same reporting links this cluster to the April 1 theft of approximately $285 million from Drift following a six-month social-engineering and intrusion campaign. The actors posed as a legitimate quant trading firm, built trust through repeated in-person meetings and substantive working sessions, onboarded an ecosystem vault on Drift, submitted strategy details, and deposited more than $1 million of their own capital to establish a credible operational presence.

Likely intrusion vectors named in the reporting are a malicious GitHub repository and a fake TestFlight wallet application. The repository-based intrusion was described as similar to job-interview-themed malware delivery via shared code repositories and may have involved automatic background execution through VS Code/Cursor project hooks such as .vscode/tasks.json, with a fake font file carrying obfuscated JavaScript as the payload. Post-incident behavior included immediate scrubbing of Telegram chats and malware artifacts, indicating organized operations and operational discipline.

The reporting further assesses that the individuals who met contributors in person were not North Korean nationals and were likely third-party intermediaries used to build trust on behalf of the threat actors. No additional aliases or sub-groups are provided in the cited content.
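The repository vector above relies on two pieces: a task in .vscode/tasks.json that the editor starts on folder open, and a file with a font extension that is really a JavaScript dropper. The scanner below is an added example, not Mallory's tooling and not an artifact from the incident: it walks a checkout before anyone opens it in VS Code or Cursor, flags tasks whose runOptions.runOn is "folderOpen" (the documented VS Code auto-run mechanism), and flags font-named files that lack a TrueType/OpenType/WOFF header but contain JavaScript-looking strings. The sample repository it builds, the font magic list, and the JS substring heuristics are constructed assumptions for the demo.

```python
"""Pre-open scan of a cloned repo for editor auto-run hooks and fake-font payloads.
Added example; the sample repo, magic list and JS heuristics are assumptions."""
import json
import re
import tempfile
from pathlib import Path

# Headers of the font formats assumed to be legitimate in a repo (TrueType,
# OpenType CFF, WOFF, WOFF2, Apple TrueType, TrueType collection).
FONT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"wOFF", b"wOF2", b"true", b"ttcf")
FONT_EXTS = {".ttf", ".otf", ".woff", ".woff2"}
# Substrings a real binary font never carries but a JS dropper usually does.
JS_HINTS = (b"eval(", b"Function(", b"require(", b"child_process", b"fromCharCode(")


def _strip_jsonc(text: str) -> str:
    """tasks.json is JSONC, so drop /* */ and whole-line // comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return tasks that VS Code/Cursor will launch automatically on folder open."""
    doc = json.loads(_strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            hits.append({
                "label": task.get("label", "<unnamed>"),
                "command": task.get("command", ""),
                "args": task.get("args", []),
            })
    return hits


def is_fake_font(path: Path) -> bool:
    """True if a font-named file has no font header and contains JS-looking strings."""
    data = path.read_bytes()
    if data[:4] in FONT_MAGIC:
        return False
    return any(hint in data for hint in JS_HINTS)


def scan_repo(root: Path) -> list[str]:
    """Walk a checkout and report auto-run tasks and fake fonts as one line each."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == "tasks.json" and p.parent.name == ".vscode":
            for t in auto_run_tasks(p.read_text()):
                cmd = " ".join([t["command"], *t["args"]])
                findings.append(f"auto-run task '{t['label']}' in {rel}: {cmd}")
        elif p.suffix.lower() in FONT_EXTS and is_fake_font(p):
            findings.append(f"fake font (no font header, JS strings) at {rel}")
    return findings


def build_sample_repo() -> Path:
    """Constructed sample repo with one auto-run task, one fake font, one real font."""
    root = Path(tempfile.mkdtemp(prefix="repo-"))
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text("""{
  // helper tasks for contributors
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",
      "type": "shell",
      "command": "node",
      "args": ["-e", "eval(require('fs').readFileSync('assets/fonts/Inter.woff2','utf8'))"],
      "runOptions": { "runOn": "folderOpen" }
    },
    { "label": "lint", "type": "shell", "command": "npm run lint" }
  ]
}""")
    fonts = root / "assets" / "fonts"
    fonts.mkdir(parents=True)
    # Constructed dropper: a text file wearing a .woff2 name.
    (fonts / "Inter.woff2").write_bytes(
        b"var _0x1f=String.fromCharCode(99,111,110,115,111,108,101);eval(_0x1f);"
    )
    # Constructed benign font: correct TrueType header, then filler bytes.
    (fonts / "Real.ttf").write_bytes(b"\x00\x01\x00\x00" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for line in scan_repo(build_sample_repo()):
        print(line)
```

Run it against any freshly cloned repository root before opening the folder in an editor. Workspace Trust in VS Code blocks tasks in Restricted Mode, so this check is a complement for the case where a contributor clicks "Trust" on a repository that a convincing counterpart sent them; the JS heuristics are deliberately loose and a hit is a prompt to inspect the file, not a verdict.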
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.