Known-threat-actor cluster has touched protocol
Raydium's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Cat 11 threat intel signal [T-09 v1 phase 2]. DPRK/UNC4736-attributed wallets interacted with Raydium pools in March 2026 as part of the Drift Protocol attack infrastructure. Confirmed: attackers seeded the CVT fake token on Raydium with minimal liquidity (~$500 initial seed) and conducted 3 weeks of wash trading across Raydium pools using a 423-wallet network. Interaction type: state change (pool creation, swap execution).

The Drift hack executed April 1, 2026, 28 days before this assessment (2026-04-29), within the 30-day look-back threshold.

Attribution sources: Chainalysis blog (2026-04), TRM Labs (2026-04), Halborn (2026-04): 3 independent sources with medium-high confidence.

Tier-C advisory signal: does not flip the letter grade, but confirms threat-actor interaction within 30 days. Yellow (not red) because: (a) Raydium was used as a venue, not targeted; (b) tier-C designation; (c) no threat-actor interaction with Raydium core admin functions.

Requires proprietary threat-actor cluster l
Sources #
- Partner feed: North Korean Hackers Attack Drift Protocol (TRM Labs). TRM Labs: North Korean hackers used Raydium as wash-trading venue; $285M Drift heist; medium-high attribution confidence. Retrieved 2026-04-29.
- Explained: The Drift Hack (April 2026) (Halborn). Halborn: Drift hack April 2026 explanation; CVT seeded on Raydium; 423-wallet wash trading network. Retrieved 2026-04-29.
- The Drift Protocol Hack (Chainalysis Blog). Chainalysis: DPRK/UNC4736 wallets used Raydium pools for CVT wash trading in Drift hack preparation (March 2026). Retrieved 2026-04-29.
Methodology #
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
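The check described above, and the yellow/red reasoning in the evidence summary, as an added example that is not the curator's own tooling or the v1.7.0 rubric: it filters a constructed interaction log against a constructed cluster set, applies the 30-day look-back to the assessment date, and maps hits to a colour using one illustrative reading of the rubric (venue-only, tier C, no admin touch gives yellow). Address labels and admin-function names are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK_DAYS = 30  # look-back window the factor uses
ADMIN_KINDS = {"admin_call", "upgrade", "fee_change"}  # assumed names for core admin functions


@dataclass(frozen=True)
class Interaction:
    address: str  # sending address (placeholder labels here, not real wallets)
    when: date    # block date of the state change
    kind: str     # e.g. "pool_creation", "swap", "admin_call"


def cluster_hits(cluster, interactions, assessed_on, lookback_days=LOOKBACK_DAYS):
    """Interactions by cluster members inside [assessed_on - lookback, assessed_on], oldest first."""
    cutoff = assessed_on - timedelta(days=lookback_days)
    return sorted(
        (i for i in interactions if i.address in cluster and cutoff <= i.when <= assessed_on),
        key=lambda i: i.when,
    )


def score_factor(cluster, interactions, assessed_on, tier, protocol_targeted):
    """Illustrative rubric reading: no hit -> green; hit -> yellow, or red when the actor
    targeted the protocol itself, touched admin functions, or the signal is above tier C."""
    hits = cluster_hits(cluster, interactions, assessed_on)
    if not hits:
        return {"score": "green", "hits": 0, "days_since_latest": None, "admin_touched": False}
    admin_touched = any(h.kind in ADMIN_KINDS for h in hits)
    score = "red" if (protocol_targeted or admin_touched or tier != "C") else "yellow"
    return {"score": score, "hits": len(hits),
            "days_since_latest": (assessed_on - hits[-1].when).days,
            "admin_touched": admin_touched}


# Constructed sample data mirroring the timeline in the evidence summary.
CLUSTER = {"cluster-wallet-A", "cluster-wallet-B"}
INTERACTIONS = [
    Interaction("cluster-wallet-A", date(2026, 3, 9), "pool_creation"),  # token seed, outside window
    Interaction("cluster-wallet-B", date(2026, 3, 20), "swap"),          # wash trade, outside window
    Interaction("cluster-wallet-B", date(2026, 4, 1), "swap"),           # hack day, inside window
    Interaction("unrelated-wallet", date(2026, 4, 15), "admin_call"),    # not a cluster member
]
ASSESSED_ON = date(2026, 4, 29)


def raydium_example():
    return score_factor(CLUSTER, INTERACTIONS, ASSESSED_ON, tier="C", protocol_targeted=False)


if __name__ == "__main__":
    print(raydium_example())
```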