defirisk.co
rubric v1.7.0

Known-threat-actor cluster has touched protocol

Balancer (v2 + v3)'s assessment for RD-F-158 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Known-threat-actor wallet cluster has touched protocol [T-09 v1] | Applicable: Yes | November 2025 exploiter cluster: primary wallet 0x86fedad11c4765700934639f1efe1fc01355c982, intermediary 0x766a892f8ba102556c8537d02fca0ff4cacfc492, exploit deployer on Arbitrum 0x506d1f9efe24f0d47853adca907eb8d89ae03207, proceeds consolidator 0x872757006b6f2fd65244c0a2a5fdd1f70a7780f4. These are the highest-salience Balancer-specific threat-actor wallets. As of the 30-day assessment window (approx. April 5 – May 5, 2026), no confirmed interaction of these wallets with remaining Balancer contracts. Last confirmed exploiter activity: Nov 15, 2025 (2,000 ETH moved to Tornado Cash). No DPRK/Lazarus attribution confirmed in available public CTI (Halborn, Trail of Bits, Certora, Check Point post-mortems). General ecosystem context: Lazarus executed Drift ($285M, Apr 1 2026) and Kelp DAO ($292M, Apr 18 2026) exploits within 90-day window prior to assessment — elevated nation-state DeFi threat environment. |

Sources #

  • URL
    https://www.halborn.com/blog/post/explained-the-balancer-hack-november-2025retrieved 2026-05-05
  • URL
    https://research.blockscope.co/balancer-exploitretrieved 2026-05-05

Methodology #

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol balancer factor RD-F-158 score green collected_at 2026-05-05 12:41:36