Known-threat-actor cluster has touched protocol

Polymarket's assessment for RD-F-158 — scored not_assessed on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Applicable. Threshold: address from curator threat-actor cluster interacted with CTF Exchange contracts within last 30 days with ≥1 confirmed exploit attribution. Current posture: no confirmed DPRK/Lazarus or known DeFi exploiter cluster interaction with Polymarket CTF contracts found in public sources. xorcat (Apr 2026) is a cybercrime forum actor performing API enumeration — not a known smart-contract exploit cluster. Requires Chainalysis or TRM Labs licensed feed for definitive assessment. v1-deferred.

Sources #

URL
Polymarket Breach: 300,000+ Records and Exploit Kit LeakedThe CyberSec Guru — xorcat 300K records claimretrieved 2026-04-29
URL
Polymarket DPRK search — no attribution foundWebSearch — DPRK Lazarus Polymarket targeting search (no results)retrieved 2026-04-29

Methodology #

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol polymarket factor RD-F-158 score not_assessed collected_at 2026-04-29 16:25:39