Known-threat-actor cluster has touched protocol
Jupiter Perpetual Exchange's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Known-threat-actor wallet cluster has touched protocol (T-09 v1 phase 2; advisory-only signal). DPRK-attributed wallets (UNC4736 cluster, attributed by Elliptic and TRM Labs at medium-high confidence) liquidated approximately 41.7 million JLP tokens (~$155.6M) from Drift's vaults on 2026-04-01. The JLP token redemption/liquidation path flows through Jupiter Perps pool mechanics (JLP pool account 5BUwFW4nRbftYTDMbgxykoFWqWHPzahFSNAaaaJtVKsq). This constitutes DPRK-attributed wallets interacting with Jupiter Perps protocol mechanics. Per U4: this is passive-venue interaction — JLP was the victim collateral held in Drift's vaults, not a Jupiter Perps exploit. The DPRK attack targeted Drift's Security Council, not Jupiter's team. Jupiter Perps was the liquidity venue, not the target. Interaction was 45 days before assessment (outside strict 30-day signal window) but within 90-day elevated-awareness horizon. Scored yellow, not red, because: (1) interaction was passive-venue; (2) no Jupiter
Sources #
- URLCCN — Drift Protocol $285M Exploit DetailsCCN — ~41.7M JLP tokens (~$155.6M) drained from Drift JLP Delta Neutral vault. Liquidation path uses Jupiter Perps pool mechanics.retrieved 2026-05-16
- TRM Labs — Drift DPRK AnalysisTRM Labs — North Korean hackers attack Drift Protocol in USD 285M heist. Confirms UNC4736 as the threat actor cluster.retrieved 2026-05-16
- Elliptic — Drift DPRK AttributionElliptic — Drift Protocol exploited for $286M in suspected DPRK-linked attack. UNC4736 attribution, JLP drained from Drift vaults.retrieved 2026-05-16
Methodology #
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
See the full factor methodology and distribution across all protocols →