defirisk.co
rubric v1.7.0

Contributor paid to DPRK-cluster wallet

A dev identity & insider risk factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether protocol payments to any contributor's wallet — salary, bounty, or grant transactions from the protocol treasury or multisig — have an on-chain path within three hops to a known DPRK-attributed cluster address. This is distinct from RD-F-125 (which examines the deployer wallet) and focuses specifically on payroll-flow routing. Measurement is programmatic: on-chain graph traversal from treasury outflows to contributor wallets, then forward-tracing from those wallets to known DPRK cluster addresses. Category 7 context: payroll routing is the operational money-flow layer of DPRK IT worker infiltration; profits are laundered through a chain of intermediate wallets to DPRK-controlled cluster addresses.

**Why it matters** FBI, CISA, and blockchain analytics firms have documented that DPRK IT workers route earnings through a predictable layering chain: personal wallet → mixer or exchange → DPRK-controlled consolidation address. The on-chain path often becomes visible within three to six hops from the contributor wallet. Orbit Bridge, Munchables, Radiant Capital II, and LNDFi all show patterns where contributor wallet flows can be traced toward DPRK-attributed clusters. This factor is P1 (not P0★) because confirming the path requires active Chainalysis-feed access and curator interpretation; it is strong corroborating evidence for RD-F-125 but not independently critical.

**Green / Yellow / Red** Green is scored when on-chain analysis of contributor payment flows shows no path within three hops to DPRK-attributed cluster addresses. Yellow applies when a path exists to a cluster with medium-confidence attribution, or when an intermediate wallet shows high-risk patterns (mixer, OFAC-adjacent) without confirmed DPRK labeling. Red is scored when a confirmed three-hop path connects protocol treasury outflows through a contributor wallet to a high-confidence DPRK-attributed cluster address.

**Common gray cases** Gray is assigned when the protocol treasury operates via a DAO with diffuse on-chain disbursements that are impractical to trace per-contributor, or when the cluster feed lacks sufficient coverage of the relevant chain.

**Notable historical examples**

- **Orbit Bridge** ($81.5M, 2023): Contributor payment routing to DPRK cluster confirmed in post-exploit attribution analysis.
- **Munchables** ($62.5M, 2024): DPRK IT worker salary payments routed toward DPRK-attributed consolidation addresses.
- **Radiant Capital II** ($53M, 2024): Suspected DPRK payroll routing identified in post-mortem blockchain analysis.

Measurement: what to look for

Determine whether protocol payments to any contributor wallet have an on-chain path ≤3 hops to a known DPRK-labeled cluster.

Data & output

**Data source** Chainalysis/TRM cluster feed (DPRK/Lazarus labels) + on-chain contributor payment addresses

**Output format** Green / Yellow / Red

**Evidence artifact** Payment tx hashes + hop-count to DPRK cluster + CTI feed report

**Confidence signal** green = no contributor wallet within 3 hops of DPRK cluster; red = ≥1 contributor wallet within 3 hops; gray = CTI feed not available or contributor payment addresses unknown
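As an added illustration (not defirisk.co's scoring code), the following Python toy implements the check described in the methodology and in the confidence-signal definition above: a breadth-first forward trace from each contributor wallet, capped at the three-hop window, with the resulting Green/Yellow/Red/Gray mapping and the tx-hash path kept as the evidence artifact. The transfer graph, wallet names, tx hashes and feed entries are constructed placeholders, not real addresses or real Chainalysis/TRM output; the `HIGH_RISK_LABELS` values, the rule that any non-high-confidence DPRK path scores Yellow, and the choice to treat direct treasury recipients as the contributor set are assumptions made for the example.

```python
"""Added example for the RD-F-122 check; it is not defirisk.co's scoring code.
The transfer graph, wallet names, tx hashes and cluster-feed entries are
constructed placeholders, not real addresses or real Chainalysis/TRM data."""
from collections import deque

MAX_HOPS = 3                                   # the rubric's three-hop window
HIGH_RISK_LABELS = {"mixer", "ofac_adjacent"}  # assumed feed labels for the Yellow case

# Constructed directed transfer graph: sender -> [(receiver, tx_hash), ...].
TRANSFERS = {
    "treasury_multisig": [("dev_alice", "0xtx01"), ("dev_bob", "0xtx02"),
                          ("dev_carol", "0xtx03")],
    "dev_alice": [("cex_deposit_1", "0xtx10")],   # 1 hop to an unlabelled address
    "dev_bob": [("hop_x", "0xtx20")],             # 3 hops to consol_z, via a mixer
    "hop_x": [("mixer_y", "0xtx21")],
    "mixer_y": [("consol_z", "0xtx22")],
    "dev_carol": [("hop_p", "0xtx30")],           # 4 hops to consol_z: outside the window
    "hop_p": [("hop_q", "0xtx31")],
    "hop_q": [("hop_r", "0xtx32")],
    "hop_r": [("consol_z", "0xtx33")],
}

# Constructed CTI feed: address -> (label, attribution confidence).
CLUSTER_FEED = {
    "consol_z": ("DPRK", "high"),
    "mixer_y": ("mixer", None),
}


def trace_forward(graph, start, feed, max_hops=MAX_HOPS):
    """Breadth-first forward trace from one contributor wallet.

    Returns (hit, risky): hit is the shortest path to a DPRK-labelled address
    within max_hops as {"wallet", "hops", "path", "confidence"}, or None;
    risky lists (address, label, hops) for high-risk intermediates passed on
    the way. BFS guarantees the first DPRK address reached has the minimum
    hop count, which is the number the evidence artifact needs.
    """
    queue = deque([(start, 0, [])])
    seen = {start}                 # prevents cycles and repeated visits
    risky = []
    while queue:
        node, hops, path = queue.popleft()
        if hops == max_hops:       # never expand beyond the window
            continue
        for nxt, tx in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            nxt_path = path + [tx]
            label, confidence = feed.get(nxt, (None, None))
            if label == "DPRK":
                return {"wallet": start, "hops": hops + 1,
                        "path": nxt_path, "confidence": confidence}, risky
            if label in HIGH_RISK_LABELS:
                risky.append((nxt, label, hops + 1))
            queue.append((nxt, hops + 1, nxt_path))
    return None, risky


def score_rd_f_122(graph, treasury, feed, max_hops=MAX_HOPS):
    """Map trace results onto the rubric's Green/Yellow/Red/Gray outcomes.

    Contributor wallets are taken to be the direct recipients of treasury
    outflows (an assumption for this toy; the rubric works from known payment
    addresses). The evidence returned carries tx-hash paths and hop counts.
    """
    if feed is None:
        return "gray", {"reason": "CTI cluster feed not available"}
    contributors = [to for to, _ in graph.get(treasury, [])]
    if not contributors:
        return "gray", {"reason": "contributor payment addresses unknown"}
    hits, risky = [], []
    for wallet in contributors:
        hit, seen_risky = trace_forward(graph, wallet, feed, max_hops)
        if hit:
            hits.append(hit)
        risky.extend(seen_risky)
    if any(h["confidence"] == "high" for h in hits):
        return "red", {"hits": hits}
    if hits or risky:   # medium-confidence DPRK path, or a high-risk intermediate
        return "yellow", {"hits": hits, "risky_intermediates": risky}
    return "green", {}


if __name__ == "__main__":
    colour, evidence = score_rd_f_122(TRANSFERS, "treasury_multisig", CLUSTER_FEED)
    print(colour, evidence)
```

The sample data exercises the edge the rubric cares about: `dev_bob` reaches the labelled consolidation address in exactly three hops and scores Red, while `dev_carol` reaches the same address in four hops and is invisible at the default window, which is why a curator reading a Green should also check how far the feed's coverage and the hop limit actually extend.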

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-122 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | not_assessed |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | not_assessed |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | not_assessed |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | not_assessed |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | not_assessed |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | not_assessed |
| Ethena | ethereum | gray |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | not_assessed |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | not_assessed |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_assessed |
| Meteora | solana | gray |
| mETH Protocol | ethereum | not_assessed |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | not_assessed |
| Raydium | solana | green |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | not_assessed |
| Save (formerly Solend) | solana | not_assessed |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | gray |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_assessed |
| SUNSwap (sun.io) | tron | not_assessed |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | not_assessed |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: 9 historical incidents

- **LNDFi (LND.fi)** · 2025-05-09 · $1M · Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Radiant Capital** · 2024-10-16 · $53M · Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Munchables** · 2024-03-26 · $63M · Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy · Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Orbit Bridge (by Ozys)** · 2023-12-31 · $82M · Compromised Multisig Signer Keys (via rogue former CISO) · Contributor paid to wallet routing to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Kannagi Finance** · 2023-07-29 · $1M · Insider rug — privileged admin withdrawal on behalf of users (MainChef address) · Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Kokomo Finance** · 2023-03-26 · $4M · Insider rug — deployer upgraded implementation to malicious contract → drained WBTC deposits · Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- **BrincFi** · 2021-12-14 · $1M · Insider backdoor — rescueTokens() admin drain via ownership transfer + malicious contract upgrade · Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Snowdog (SnowdogDAO)** · 2021-11-25 · $21M · Insider front-running — privileged challengeKey knowledge + custom AMM sniping · Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
- **Uranium Finance** · 2021-04-28 · $57M · Math bug — constant product formula check broken by inconsistent parameter change (1000→10000) · Contributor paid to wallet routing to known DPRK cluster [via cross-hack: Factor 34: Suspected Insider Involvement]
rubric_version: v1.7.0 · factor: RD-F-122 · category: 7 · carried: 80 · critical: no