Known-threat-actor cluster has touched protocol
Curve Finance's assessment for RD-F-158 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Tier-C advisory signal. No confirmed DPRK/Lazarus wallet interaction with Curve core contracts was identified in public data at the assessment date. Context: Curve pools are major DeFi liquidity venues used by all participants. The Feb 2025 Bybit hack ($1.5B, attributed to Lazarus) generated wallet clusters that interacted across major DeFi protocols; specific Curve core-contract interaction by those clusters is plausible but not confirmed in available public sources. Curve is a laundering venue by architectural design (permissionless, high-liquidity): this is adversarial venue use, NOT team-DPRK linkage (analogous to the PancakeSwap Bybit laundering distinction documented in process-learnings). Confirmation requires a licensed Chainalysis/TRM feed. No fire condition identified.
Sources
- Inside the KelpDAO Bridge Exploit — Chainalysis. Chainalysis KelpDAO bridge exploit April 2026 — Lazarus Group context; Curve not specifically implicated in core-contract interaction. Retrieved 2026-04-28.
- T-09 Real-Time Signals §4.10 RD-F-158. T-09 §4.10 RD-F-158 — tier-C advisory; attribution-sensitive; requires ≥2 independent sources. Retrieved 2026-04-28.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.