DeFi security researcher implicated in $50M Radiant Capital hack

A prolific blockchain security researcher and smart contract hack investigator going by the name Nick L. Franklin is suspected of involvement in October’s $50 million hack on Radiant Capital, carried out by the notorious North Korean hacking collective Lazarus Group.

Fellow security researchers were alerted to suspicious behaviour by decentralized exchange 1inch’s Anton Bukov, and began digging into the messaging history of Franklin’s (now deleted) Telegram account.

Read more: Radiant Capital’s $50M crypto hack underlines DeFi’s multisig dependence

For well over a year, Franklin’s handle has been consistently active in crypto security-focused Telegram groups. In the wake of even small dollar-value hacks, he’s often quick off the mark in linking to root cause analyses of smart contract exploits, which are published on his X profile.

He claims to have “analyzed every major blockchain hack.”

After Bukov’s alert, in which he claims to have caught Franklin attempting to send a bug report in APP format, other crypto security professionals looked into Franklin’s past posts.

Metamask’s Taylor Monahan, who maintains a Github repository with details of addresses linked to countless Lazarus Group hacks, pointed to previous warnings about security researchers and their communities being targeted in particular.

She also highlighted repeated, increasingly frantic Telegram messages about Radiant Capital before the hack.

However, the big reveal came when working alongside ZeroShadow investigator tanuki42. An address Franklin used to request testnet tokens was matched to one of the addresses identified in Monahan’s repository as used in testing for the $50 million Radiant hack.

read more: North Korean hackers posing as devs exposed with ‘I Hate Kim Jong Un’ test

Franklin replied to Bukov’s initial post, explaining that his “Telegram and personal site was compromised,” before asking him to “delete this post asap.”

Franklin has so far failed to respond to various requests to publicly insult North Korea’s Supreme Leader Kim Jong-un, a tongue-in-cheek (though seemingly effective) screening method popular among the rightly suspicious crypto crowd.

Since the Radiant Capital attack, North Korean hackers have managed to use a similar attack vector to fleece $1.5 billion worth of ether from centralized exchange ByBit last month.

Towards the end of last year, suspicions were also aroused by activity on decentralized leverage trading platform Hyperliquid, as accounts using funds from the Radiant hack appeared to be testing for vulnerabilities.

Today’s revelations, however, came against the backdrop of Hyperliquid’s latest stress test, as another “whale” attempted to leave the platform’s hyperliquidity provider vault holding their bag.

Given that a similar tactic paid off to the tune of $1.8 million just two weeks ago, Hyperliquid validators decided to step in this time, manually overriding the price of the token in question.