Known-threat-actor cluster has touched protocol
PancakeSwap's assessment for RD-F-158 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
CONFIRMED RED. DPRK/Lazarus Group wallets (TraderTraitor / UNC4736) directly transacted with PancakeSwap's BSC swap contracts as part of laundering $263 million of the $1.46B Bybit theft (February-March 2025). PancakeSwap was the single largest DEX laundering venue in the Bybit incident — larger than SushiSwap ($74M), Curve ($47M), and Uniswap ($39M). Confirmed by: TRM Labs, Allium.so forensic analysis, FBI IC3 PSA (2025-02-26), US Senate Banking Committee letter (2025-12-15). The laundering mechanism was DeFi aggregator routing through PancakeSwap swap contracts. This constitutes confirmed interaction by at least one confirmed-exploit-attributed cluster with protocol core contracts. Attribution confidence: HIGH (4 independent sources including US government).
Sources
- Warren Calls for Treasury/DOJ to Investigate Illicit Actors Exploiting DeFi — PancakeSwap cited as primary venue (US Senate Banking Committee letter Dec 2025; retrieved 2026-04-28)
- FBI IC3 PSA — North Korea Responsible for $1.5 Billion Bybit Hack (FBI IC3 PSA North Korea Bybit; retrieved 2026-04-28)
- Bybit Hack: How the Lazarus Group Exploited DeFi Protocols to Launder $400M (Allium.so DeFi laundering analysis; retrieved 2026-04-28)
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.