defirisk.co
rubric v1.7.0

Known-threat-actor cluster has touched protocol

A threat intelligence & recon factor in the v1.7.0 rubric. Measured per protocol on a real-time cadence.

Methodology how we score #

**What this measures** This real-time signal fires when an address from a curator-maintained threat-actor cluster (past exploiters, labeled attacker families, and sanctioned addresses) has interacted with the monitored protocol's contracts within the trailing 30 days. The threat-actor cluster is drawn from Chainalysis/TRM labels, OFAC SDN list entries, curator-maintained attacker address lists derived from post-mortem analysis, and known DPRK/Lazarus wallet sets. Category 11 context: attacker-side reconnaissance precedes the majority of DeFi exploits, so a known threat actor interacting with a protocol is the highest-confidence forward-looking threat intelligence signal available.

**Why it matters** The T-01 synthesis documents approximately eight in-sample hack precedents in which known-threat-actor addresses were interacting with the target protocol before the exploit. Radiant Capital II ($53M, 2024) included a failed exploit attempt six days before the successful attack; had the attacker address been labeled from the failed attempt, the second interaction would have triggered this signal. Post-mortem analysis consistently identifies attacker addresses that were also active in earlier hacks, so attacker address reuse across protocols is documented. The signal is P0 because a labeled threat actor probing a protocol is the most actionable pre-exploit intelligence available, even when no on-chain vulnerability evidence exists.

**Green / Yellow / Red** Green is the baseline when no known-threat-actor cluster addresses have interacted with the protocol in the trailing 30 days per the current cluster feed. Yellow fires when a medium-confidence threat-actor address (curator-labeled but not OFAC-sanctioned) interacts with the protocol — elevated but potentially a coincidental interaction. Red fires when a high-confidence labeled threat-actor address (OFAC SDN, Chainalysis-confirmed exploiter, or prior DPRK-attributed address) interacts with the protocol within the trailing 30 days.

**Common gray cases** Gray applies when the cluster feed has not been updated within 30 days (stale data) or when the protocol operates on a chain where cluster coverage is materially incomplete, making the absence of hits unreliable as a green signal.

**Notable historical examples** No historical incidents are currently linked to this factor in the database.

Measurement what to look for #

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.

Data & output #

Data source
Chainalysis/TRM threat-actor cluster feed + on-chain tx indexer for protocol contract interactions
Output format
Green / Yellow / Red
Evidence artifact
Flagged address + cluster label + interaction tx hash + timestamp
Confidence signal
green = signal not firing; yellow = medium-confidence (curator-labeled, not OFAC-sanctioned) threat-actor interaction detected in last 30 days; red = high-confidence known-threat-actor interaction detected in last 30 days; gray = CTI feed not configured, feed not updated within 30 days, or cluster coverage materially incomplete on the protocol's chain
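The scoring rule described in the Methodology and Measurement sections (trailing 30-day window, label confidence deciding Yellow vs Red, Gray for missing, stale or low-coverage feeds, and an evidence artifact of flagged address, label, tx hash and timestamp) can be written as a small scorer. The block below is an added example and is not the defirisk.co implementation; the feed schema, the source tags used to separate high- from medium-confidence labels, the contract and wallet addresses, and the transaction list are all constructed for illustration.

```python
"""Added example: a minimal RD-F-158 scorer. Not the defirisk.co code; feed
schema, source tags, addresses and transactions below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOW = timedelta(days=30)  # trailing window the factor uses

# Source tags that decide Red vs Yellow. Tag names are assumptions; the page
# only says which categories count as high- vs medium-confidence.
HIGH_CONFIDENCE_SOURCES = {"ofac_sdn", "chainalysis_confirmed_exploiter", "dprk_attributed"}
MEDIUM_CONFIDENCE_SOURCES = {"curator_postmortem_label"}


@dataclass(frozen=True)
class ClusterEntry:
    address: str   # lower-case hex address
    label: str     # attacker family / list name
    source: str    # one of the source tags above


@dataclass(frozen=True)
class Tx:
    tx_hash: str
    sender: str
    to: str
    timestamp: datetime


@dataclass
class Feed:
    entries: dict              # address -> ClusterEntry
    last_updated: datetime
    covered_chains: frozenset  # chains where cluster coverage is materially complete


@dataclass
class Result:
    status: str                # green / yellow / red / gray
    reason: str
    evidence: list = field(default_factory=list)  # address + label + tx hash + timestamp


def norm(addr: str) -> str:
    return addr.strip().lower()


def score_factor(feed: Optional[Feed], chain: str, protocol_contracts, txs, now: datetime) -> Result:
    """Apply the Green/Yellow/Red/Gray rule to an indexed list of transactions."""
    # Gray cases: feed absent, feed stale, or chain not materially covered.
    if feed is None:
        return Result("gray", "CTI feed not configured")
    if now - feed.last_updated > WINDOW:
        return Result("gray", "cluster feed not updated within 30 days")
    if chain not in feed.covered_chains:
        return Result("gray", f"cluster coverage materially incomplete on {chain}")

    contracts = {norm(a) for a in protocol_contracts}
    cutoff = now - WINDOW
    status, evidence = "green", []
    for tx in txs:
        # Only inbound calls to the protocol's own contracts inside the window count.
        if not (cutoff <= tx.timestamp <= now) or norm(tx.to) not in contracts:
            continue
        entry = feed.entries.get(norm(tx.sender))
        if entry is None:
            continue
        level = "red" if entry.source in HIGH_CONFIDENCE_SOURCES else "yellow"
        evidence.append({"address": entry.address, "label": entry.label, "source": entry.source,
                         "tx_hash": tx.tx_hash, "timestamp": tx.timestamp.isoformat(), "level": level})
        if level == "red":
            status = "red"          # highest-confidence hit wins
        elif status == "green":
            status = "yellow"
    reason = {"green": "no cluster interaction in trailing 30 days",
              "yellow": "medium-confidence cluster address interacted",
              "red": "high-confidence cluster address interacted"}[status]
    return Result(status, reason, evidence)


# --- constructed sample data ------------------------------------------------
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)       # constructed evaluation time
PROTOCOL_CONTRACTS = ["0x" + "c3" * 20]                 # constructed protocol contract


def sample_feed(last_updated: datetime = NOW - timedelta(days=2)) -> Feed:
    entries = [
        ClusterEntry("0x" + "a1" * 20, "DPRK / Lazarus wallet set", "dprk_attributed"),
        ClusterEntry("0x" + "b2" * 20, "lending exploiter (post-mortem)", "curator_postmortem_label"),
    ]
    return Feed({e.address: e for e in entries}, last_updated, frozenset({"ethereum", "arbitrum"}))


def stale_feed() -> Feed:
    return sample_feed(NOW - timedelta(days=31))


def sample_txs():
    c = PROTOCOL_CONTRACTS[0]
    return [
        Tx("0xhash1", "0x" + "A1" * 20, c, NOW - timedelta(days=10)),  # high-confidence, checksum-cased sender
        Tx("0xhash2", "0x" + "b2" * 20, c, NOW - timedelta(days=5)),   # medium-confidence, in window
        Tx("0xhash3", "0x" + "a1" * 20, c, NOW - timedelta(days=45)),  # outside the 30-day window
        Tx("0xhash4", "0x" + "d4" * 20, c, NOW - timedelta(days=1)),   # unlabeled sender
        Tx("0xhash5", "0x" + "a1" * 20, "0x" + "e5" * 20, NOW - timedelta(days=1)),  # not a protocol contract
    ]


if __name__ == "__main__":
    r = score_factor(sample_feed(), "ethereum", PROTOCOL_CONTRACTS, sample_txs(), NOW)
    print(r.status, "-", r.reason)
    for e in r.evidence:
        print(" ", e)
```

Two design points worth noting. Address comparison is case-insensitive because EVM addresses appear both lower-cased and checksum-cased in feeds and indexers; a case-sensitive lookup would silently miss hits. The scorer also treats any inbound transaction to a protocol contract as an interaction, which matches the page's wording but means a single token transfer from a sanctioned address into a pool would fire Red; the page only attaches the "potentially coincidental" caveat to Yellow, so an operator wanting to suppress dust-style interactions would need an additional filter beyond what this factor specifies.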

Scored protocols 80 carry this factor #

| Protocol | Chain | RD-F-158 |
|---|---|---|
| Aave v3 | ethereum | red |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | gray |
| deBridge | ethereum | red |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | yellow |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | not_assessed |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | gray |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | yellow |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | not_assessed |
| QuickSwap | polygon | green |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | gray |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | yellow |
| Yearn Finance | ethereum | yellow |

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.
rubric_version: v1.7.0
factor: RD-F-158
category: 11
carried: 80
critical: no