Known-threat-actor cluster has touched protocol
Meteora's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Cat 11 threat intelligence signal (T-09 v1 phase-2 advisory). Kelsier-linked wallets (civil litigation defendants in Hurlock v. Kelsier SDNY Case No. 1:25-cv-03891-JLR) actively used Meteora DBC and Alpha Vault infrastructure for the alleged M3M3 (Oct 2024) and LIBRA (Feb 2025) token manipulation schemes. These wallets are confirmed as having interacted with Meteora core programs as part of an alleged coordinated fraud scheme. Classification note: these are civil-litigation-attributed wallets, not OFAC-sanctioned addresses or Chainalysis-verified DPRK/Lazarus cluster addresses. The amended complaint (July 2025) expands allegations to potentially 15 cryptocurrencies. No confirmed OFAC-sanctioned or DPRK-cluster wallet interaction with Meteora core contracts within 30 days as of 2026-05-16 (M3M3/LIBRA events are outside the 30-day window). Protocol infrastructure (DBC/Alpha Vault) remains permissionless, creating ongoing exposure to future bad-actor use.
Sources #
- URLClass-action targets Meteora and Kelsier execs over $69m M3M3 token crashCrypto.news LIBRA/M3M3 class action: Kelsier-controlled wallets used Meteora infrastructure for alleged token manipulation; $57M+ extracted from LIBRA poolsretrieved 2026-05-16
- M3M3 and LIBRA Token Lawsuit: Hurlock v. KelsierBurwick Law: Hurlock v. Kelsier, SDNY Case No. 1:25-cv-03891-JLR, filed 2025-04-19, amended 2025-07-29. Defendants include Kelsier Labs LLC, Hayden Mark Davis, Benjamin Chow, and Meteora. RICO, common law fraud, NY GBL claims.retrieved 2026-05-16
Methodology #
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
See the full factor methodology and distribution across all protocols →