Avg attacker reconnaissance time for peer-class protocols

Axelar Network's assessment for RD-F-163 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Analytical field: for bridge protocols in the $100M–$500M TVL class, documented attacker reconnaissance periods range from days (Ronin — social engineering fast, exploit same day) to 6 months (Drift/UNC4736 — conference attendance, real capital deposits, durable-nonce pre-signing). USPD model: 78-day average. Axelar at $144M sits in the primary target band. No active reconnaissance wallets identified via public sources. Yellow: protocol is in the target class for Lazarus-style bridge attacks; structural recon risk is non-trivial given TVL level and bridge architecture (validator key management is the primary attack surface).

Sources #

URL
FBI — Lazarus Group Harmony Horizon BridgeFBI confirms Lazarus Group — Harmony Horizon Bridge theft; bridge targeting patternretrieved 2026-05-17
URL
TraderTraitor Deep Dive — Wiz BlogDrift Protocol $285M DPRK exploit (Apr 2026) — 6-month reconnaissance and social engineering before strikeretrieved 2026-05-17

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol axelar factor RD-F-163 score yellow collected_at 2026-05-16 21:57:49