★ Deployer linked within 3 hops to DPRK/Lazarus
Raydium's assessment for RD-F-125 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL — YELLOW, medium confidence] No confirmed link was found between the Raydium protocol deployer, the Squads multisig upgrade authority, or any named team member and the DPRK / Lazarus cluster within 3 hops. Search queries for 'Raydium DPRK Lazarus North Korea' return results about the Drift Protocol April 2026 DPRK hack (a Raydium pool was used as an execution venue by the attacker, which is adversarial use, not team proximity) and general Solana ecosystem DPRK IT worker reports that do not name Raydium. GitHub commit timezone analysis is consistent with an Asia-based team; no DPRK holiday-gap pattern was detected. Yellow (not green) because: (1) full 3-hop on-chain analysis of the Squads multisig signer addresses is not possible without a Chainalysis/TRM subscription; (2) signer identities are not publicly disclosed. RD-F-125 is NOT red — no DPRK escalation.
Sources
- North Korean Hackers Attack Drift Protocol In USD 285 Million Heist | TRM. TRM Labs — Drift DPRK hack; Raydium used as execution venue, not team proximity. Retrieved 2026-04-29.
- North Korean IT Workers Infiltrated European Solana-Based Projects: Google | Decrypt. Decrypt — North Korean IT workers infiltrated European Solana projects; Raydium not named. Retrieved 2026-04-29.
- Lessons from the Drift Hack | Chainalysis. Chainalysis — Drift lessons; no Raydium team DPRK link. Retrieved 2026-04-29.
- raydium-amm commit timezone analysis. raydium-amm GitHub commit API — timezone analysis, no DPRK pattern. Retrieved 2026-04-29.
Methodology
Determine whether the deployer address has an on-chain path of ≤3 hops to a Chainalysis/OFAC DPRK-labeled cluster address.