Radiant Capital is shutting down. On June 1, 2026, the protocol’s DAO announced an orderly wind-down of operations after 18 months of failed recovery efforts following its devastating October 2024 exploit. The reason is simple and brutal: no funds were recovered, no new capital arrived, and without either, the protocol could not remain sustainable. The cross-chain lending platform that once held $386.8 million in total value locked now sits at $2.21 million. Its RDNT token, which peaked at $0.58 in September 2022, trades at $0.0015. Its market cap is $1.96 million, ranked #2356 globally.
The October 2024 attack was not a smart contract bug or a flash loan exploit. It was a nation-state operation. Cybersecurity firm Mandiant attributed the hack to AppleJeus, a campaign run by North Korea’s Lazarus Group, the same state-sponsored hacking unit responsible for hundreds of millions of dollars in crypto theft globally. The attackers spent weeks building trust, delivered malware through a Telegram message disguised as a legitimate contractor request, compromised developer hardware wallets, and used that access during a multisig signing process to seize control of the protocol’s Pool Provider contract. By the time anyone noticed, $50 million was gone.
Official Radiant Capital Resources
If you have funds on Radiant: withdraw immediately. Smart contracts and front-end remain live through end of 2026.
How North Korea Took Down a $386M Protocol
The attack began not with code but with a conversation. Five weeks before the October 16, 2024 exploit, an individual posing as a former Radiant contractor reached out to contributors on Telegram with what appeared to be a legitimate request for feedback. The message included a malicious ZIP file. When a developer opened it, INLETDRIFT, a macOS-targeting backdoor, silently installed itself on their hardware. Then it waited.
On October 16, during a routine multisig transaction signing process where multiple developers authorize protocol changes together, the malware activated. It manipulated what each developer saw on their hardware wallet screen, showing legitimate transaction data while the actual transaction being signed was something entirely different. The attackers had seized control of Radiant’s Pool Provider contract. The $50 million drain followed immediately, hitting the protocol’s Arbitrum and BNB Chain deployments. By the time the team understood what had happened, the funds were already moving through mixers.
Mandiant’s subsequent investigation attributed the attack to AppleJeus, a campaign run under North Korea’s Lazarus Group. The same tactics, building trust through fake professional contacts at conferences, deploying malware through seemingly legitimate documents, then using that access during signing ceremonies, later surfaced in an April 2026 attack on Drift Protocol. The Lazarus Group’s crypto theft operations are not opportunistic. They are systematic, patient, and replicated across multiple targets.
Radiant Capital: From Launch to Shutdown
2022 to June 2026 | @cryptonewsbytes
2022
Launch: cross-chain lending hub on Arbitrum and BNB Chain
RDNT peaks at $0.58. Protocol gains traction as one of the few genuine cross-chain lending solutions with unified liquidity.
December 2023
Peak TVL: $386.8 million. Daily fees exceed $100,000.
Radiant at its height. Strong user activity, multiple chain deployments, growing developer ecosystem.
January 2024
First blow: flash loan attack drains ~1,900 ETH
DAO uses treasury funds to cover communal bad debt. Operating reserves significantly reduced. TVL begins declining toward $200M.
October 16, 2024: Lazarus Group exploit
$50M drained via hardware wallet compromise and Pool Provider takeover
Malware planted via Telegram 5 weeks earlier. Attackers manipulate multisig signing process. $50M exits to Arbitrum and BNB Chain. Stolen funds route through Tornado Cash. TVL drops to $75M immediately, then $5M within a month.
Oct 2024 – May 2026
18 months: zero funds recovered, zero new capital raised
DAO works with zeroShadow and Mandiant. Attempted depositor recapitalization frameworks. February 2026 roadmap proposes dual-architecture rebuild on Aave and Morpho contracts. No traction. OKX delists Jan 2025, Crypto.com removes Jul 2025, Binance halts trading Apr 2026.
June 1, 2026: Wind-down announced
DAO begins orderly shutdown. TVL $2.21M. RDNT $0.0015.
Borrowing disabled across all markets. RDNT emissions ended. Treasury restricted to user support and recovery. Website stays live through end of 2026. Smart contracts remain accessible. RDNT falls 4.2% on announcement.
Sources: The Defiant, BeInCrypto, CryptoTimes, Crypto.news, Mandiant, DeFiLlama | @cryptonewsbytes
The TVL Collapse: $386M to $2.21M in 18 Months
Radiant’s TVL did not fall gradually after the exploit. It collapsed in stages that each tell a specific story about user trust, exchange support, and institutional confidence. The protocol held $386.8 million in December 2023, making it one of the larger cross-chain lending platforms in DeFi. The January 2024 flash loan attack, which drained around 1,900 ETH, was the first crack. The DAO absorbed it using treasury reserves, but those reserves were the buffer that would later prove insufficient.
The October 2024 exploit, 13 times larger than the first, was unsurvivable. TVL dropped from around $75 million immediately after the attack to approximately $5 million within a month as users rushed for the exits. Every exchange delisting that followed, OKX in January 2025, Crypto.com in July 2025, Binance halting spot trading in April 2026, was another stage of the collapse. When Binance ended withdrawal support for RDNT on June 1, the same day as the wind-down announcement, it eliminated the last major centralized exchange venue. Residual RDNT balances on Binance are being converted to stablecoins automatically.
Radiant Capital TVL: Peak to Near-Zero
Dec 2023 – Jun 2026 | Source: DeFiLlama | @cryptonewsbytes
99.4% TVL destruction from peak to wind-down. Source: DeFiLlama, AMBCrypto, The Defiant | @cryptonewsbytes
What Happens to Users Now
Radiant is emphatic that this is an orderly wind-down, not a collapse. Smart contracts remain accessible on-chain. Users retain full control of their assets and positions. Withdrawals, loan repayments, collateral management, vesting rewards, and DLP unlock and withdrawal are all still available. The protocol’s website and front-end will remain live through the end of 2026. The DAO has reduced borrow caps to zero across all Core and RIZv1 markets, meaning no new loans can be opened, but existing positions can be managed and closed.
Compensation through on-chain claim contracts remains active for users affected by the exploit. Recovery efforts have not stopped. The DAO is still working with zeroShadow on forensic tracking and asset tracing, though 18 months of work has produced no recovered funds. A small group of contributors will remain to manage user support, maintain claims infrastructure, and coordinate with recovery partners. RDNT token emissions have ended, and treasury spending is now restricted to these essential functions.
Users who lost funds in the exploit have made their frustration visible. In response to the wind-down announcement on X, user Ivan Mocharnyk asked directly: “What about my $6,000 I lost in the hack?” Others questioned whether compensation claims would remain valid as the protocol entered maintenance mode. The DAO’s answer is that claim contracts remain active on-chain indefinitely. Whether the funds those contracts represent ever materialize depends entirely on whether any of the $50 million stolen by the Lazarus Group is ever traced and recovered, which currently looks unlikely.
The DeFi Pattern Nobody Wants to Talk About
Radiant is not unique. The trajectory from exploit to wind-down follows a pattern that has now repeated across multiple DeFi protocols. Uranium Finance never regained liquidity after losing $57 million in a 2021 flash loan attack and faded into inactivity. Step Finance shut down in 2026 after a $27 to $40 million treasury drain. In each case, the technical recovery from an exploit, patching the code, understanding what happened, improving governance, happened relatively quickly. The economic recovery, restoring user confidence, rebuilding TVL, attracting new capital, never did.
The Radiant case adds a dimension that makes it more instructive than most. This was not a code vulnerability. There was no bug in the smart contracts. The attackers defeated the human layer: the developers themselves. Social engineering, hardware wallet manipulation, fake professional relationships cultivated over months, these are not threats that a security audit addresses. They are threats that require operational security protocols for every team member handling protocol governance, including hardware wallet verification procedures that make multisig manipulation detectable even when the signer’s screen has been compromised.
The fact that the same attack pattern resurfaced at Drift Protocol in April 2026, with investigators concluding the same actors built trust through conferences and professional contacts before deploying tools, means this is not a solved problem. The Lazarus Group is iterating faster than the defensive playbooks being written in response.
DeFi Protocols That Never Recovered: Comparison
Recovery outcome after major exploits | @cryptonewsbytes
| Protocol | Lost | Attack type | Outcome |
|---|---|---|---|
| Radiant Capital | $50M | Lazarus Group / social engineering | Wind-down Jun 2026 |
| Uranium Finance | $57M | Flash loan | Faded inactive 2021 |
| Step Finance | $27-40M | Treasury drain | Shutdown 2026 |
| Drift Protocol | TBC | Same Lazarus actors (Apr 2026) | Still operating |
Sources: AMBCrypto, BeInCrypto, Crypto.news, CoinInsider | @cryptonewsbytes
The Lazarus Group: $6 Billion in Crypto Theft and Counting
Radiant Capital is one entry on a long and growing list. North Korea’s Lazarus Group, also known as APT38 and BlueNorOff, is a state-sponsored hacking collective under the Reconnaissance General Bureau. Chainalysis estimates cumulative DPRK-linked crypto theft exceeds $6 to $6.75 billion. The stolen funds are widely believed to fund North Korea’s weapons and nuclear programs, making crypto theft a national revenue source, not a criminal side operation. In 2025 alone, North Korean actors stole more than $2 billion. The February 2025 Bybit hack, a $1.5 billion supply-chain attack on Safe’s multisig interface, is the largest single crypto theft in history.
The tactical evolution is what makes the Lazarus Group uniquely dangerous. Early attacks relied on basic phishing. By 2022 the group had graduated to validator social engineering, compromising the Ronin bridge through fake job offers. By 2024 and 2025, the operations became long-form infiltrations: months of building real professional relationships with target employees, attending crypto conferences in person, depositing large sums to establish credibility, then deploying malware through what appeared to be legitimate documents. The Radiant attack compressed this to a Telegram message. The Drift Protocol attack in April 2026 involved in-person conference meetings sustained over months before the exploit executed.
Lazarus Group: Major Crypto Exploits Timeline
Selected incidents attributed to DPRK-linked actors | Sources: Chainalysis, Mandiant, Arkham | @cryptonewsbytes
Bar length proportional to loss amount relative to Bybit $1.5B (100%). Cumulative DPRK-linked crypto theft: $6-6.75B. Sources: Chainalysis, Mandiant, Arkham, Hacken | @cryptonewsbytes
The recovery rate across all of these incidents is close to zero. The Ronin hack produced some law enforcement action but minimal asset recovery. Harmony’s $100 million is largely unrecovered. The Lazarus Group routes stolen funds through mixers, cross-chain bridges including THORChain, and privacy tools before cashing out through intermediaries. The speed and sophistication of the laundering, often beginning within hours of the exploit, makes tracing increasingly difficult. zeroShadow’s 18 months of forensic work on the Radiant case, alongside Mandiant, U.S. law enforcement, and Hypernative, produced no meaningful recovery. That outcome is not exceptional. It is the norm for Lazarus Group attacks.
Frequently Asked Questions
Can I still withdraw my funds from Radiant Capital?
Yes. Radiant’s smart contracts remain accessible on-chain and users retain full control of their assets. Withdrawals, loan repayments, collateral management, reward vesting, and DLP operations are all still available. The website and front-end will remain live through the end of 2026. No new borrowing positions can be opened as borrow caps have been reduced to zero, but existing positions can be managed and closed. The DAO has specifically urged users to actively manage their risk and prioritize capital withdrawal.
Who was behind the Radiant Capital hack?
Cybersecurity firm Mandiant attributed the October 2024 hack to AppleJeus, a campaign associated with North Korea’s Lazarus Group. The attackers used social engineering, posing as a former Radiant contractor on Telegram to deliver a malicious ZIP file containing INLETDRIFT, a macOS backdoor. The malware waited five weeks before activating during a multisig signing session, manipulating what hardware wallet screens displayed to signers while the actual transaction being authorized was different. Stolen funds were routed through Tornado Cash, making tracing and recovery significantly harder. The same attack pattern was identified in an April 2026 exploit against Drift Protocol.
What is the broader lesson for DeFi security?
The Radiant Capital case demonstrates that smart contract audits do not protect against human-layer attacks. The exploit required no code vulnerability. Attackers compromised the developers themselves through social engineering, then used that access to manipulate a hardware wallet signing process. DeFi protocols handling significant TVL need operational security standards that go beyond code review: multisig procedures that independently verify what is actually being signed, contributor device hygiene and monitoring, and formal protocols for any unsolicited file or link received via any channel. The Lazarus Group’s iterative use of the same tactics across Radiant and Drift suggests these playbooks will be used again.
Further Reading
Protocol failures are not always malicious. Sui’s triple outage was a code bug. Radiant’s was a nation-state operation. Both cost users money and trust. The defense layers are completely different.
The same week Radiant winds down, Bitcoin is at $64K and DeFi TVL is under pressure across the board. The macro context for every DeFi protocol right now.
The regulatory framework being debated in Washington would require DeFi protocols to meet compliance standards. Radiant’s shutdown is Exhibit A for why those standards matter and how unregulated protocols can disappear overnight.
Nation-states using crypto offensively: Iran routing around sanctions via Bitcoin insurance. North Korea stealing $50M via hardware wallet compromise. Two sides of the same geopolitical crypto story.
Protocol reliability failures can be technical, like Sui’s v1.72 gas bug, or human, like Radiant’s multisig compromise. Both categories cost users money and trust.
The regulatory infrastructure being built for legitimate DeFi. Context for what a compliant, chartered crypto-native institution looks like compared to what Radiant was.
This article is for informational purposes only. Sources: Radiant DAO Medium post, @RDNTCapital on X, AMBCrypto, The Block, The Defiant, BeInCrypto, Crypto.news, CryptoTimes, Mandiant, DeFiLlama. Published June 4, 2026.
