defirisk.co
rubric v1.7.0

Deployer linked within 3 hops to DPRK/Lazarus

A dev identity & insider risk factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor determines whether the protocol's deployer address, or any address that funded or was funded by it, can be connected within three on-chain hops to a wallet cluster attributed to DPRK's Lazarus Group or affiliated threat actors, as maintained by Chainalysis, OFAC designations, or the curator's own cluster database. Measurement is programmatic using on-chain graph traversal against a continuously updated sanctions and attribution cluster feed. Category 7 context: nation-state developer implants are the highest-severity insider risk class; once a DPRK-linked developer holds admin keys, the timeline to drain is determined by strategic considerations rather than technical vulnerabilities.

**Why it matters** DPRK's Lazarus Group and affiliated units (UNC4736, TraderTraitor) have been responsible for the largest sustained wave of cryptocurrency theft in history. The attack pattern involves embedding developers with falsified credentials into protocol teams, building operational credibility over weeks to months, then executing a coordinated drain using pre-positioned signing authority. Orbit Bridge ($81.5M), Munchables ($62.5M), and Radiant Capital II ($53M) all show confirmed or highly probable DPRK attribution in the database. LNDFi confirms the pattern extends to smaller protocols. The Drift Protocol incident ($285M, April 2026) demonstrates that nation-state actors now operate at scale across Solana and non-EVM chains.

**Green / Yellow / Red** Green is scored when on-chain graph analysis confirms no path within three hops from the deployer to any DPRK-attributed cluster address in the current feed. Yellow applies when a three-hop path exists to a cluster with low-confidence attribution (suspected but not OFAC-designated or Chainalysis-confirmed). Red is scored when a confirmed path of three hops or fewer connects the deployer to a high-confidence DPRK-attributed cluster, triggering the critical flag regardless of other scores.

**Common gray cases** Gray is assigned when the cluster feed is stale (not refreshed within 30 days), when the protocol operates on a chain where attribution data coverage is materially incomplete, or when intermediate wallets show high-risk patterns but attribution confidence falls below the threshold.

**Notable historical examples**
- **Orbit Bridge** ($81.5M, 2023): Deployer linked to DPRK cluster; largest attributable nation-state bridge exploit in database.
- **Munchables** ($62.5M, 2024): DPRK IT worker employed as developer; funds returned under pressure.
- **Radiant Capital II** ($53M, 2024): Suspected DPRK attribution; multisig key compromise across BSC and Arbitrum.
- **LNDFi** ($1.18M, 2025): Pseudonymous team with DPRK IT worker involvement; confirms pattern extends below $10M protocols.

**★ Critical factor** A confirmed three-hop DPRK/Lazarus cluster link on the deployer address alone is sufficient to trigger an F grade under rubric v1.7.0; this represents an active nation-state threat actor with demonstrated capability and intent to execute full-drain exploits.

Measurement: what to look for

Determine whether the deployer address has an on-chain path of ≤3 hops to a Chainalysis/OFAC DPRK-labeled cluster address.
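The ≤3-hop traversal and the Green / Yellow / Red / Gray decision described in the methodology and measurement sections above, as an added Python example that is not part of the defirisk.co rubric or its scoring code. It assumes a flat list of transfer edges and a cluster feed keyed by address with a confidence level, both constructed here; a real run would take these from a chain indexer and the Chainalysis/TRM feed, and the feed-age and coverage inputs would come from the feed metadata.

```python
from collections import deque

HOP_LIMIT = 3            # factor definition: a path of three hops or fewer
FEED_MAX_AGE_DAYS = 30   # gray when the attribution feed is older than this
# Constructed sample inputs (not real addresses or attribution data). Edges are
# (from, to) transfers; traversal is undirected because the factor counts
# addresses that funded OR were funded by the deployer.
SAMPLE_TRANSFERS = [
    ("0xdeployer", "0xexchange_hot"), ("0xexchange_hot", "0xmixer_out"),
    ("0xmixer_out", "0xlazarus_a"),                   # 3 hops from deployer
    ("0xdeployer", "0xpartner"), ("0xpartner", "0xsuspect_b"),  # 2 hops
]
SAMPLE_FEED = {  # address -> (cluster label, attribution confidence)
    "0xlazarus_a": ("DPRK-Lazarus", "high"),   # OFAC/Chainalysis-confirmed
    "0xsuspect_b": ("DPRK-suspected", "low"),  # suspected, not designated
}

def hops_to_clusters(transfers, start, feed, max_hops=HOP_LIMIT):
    """BFS over the undirected transfer graph; returns {addr: (hops, path)} for
    each feed-labelled address within max_hops (BFS gives shortest paths)."""
    adj = {}
    for a, b in transfers:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue, hits = {start}, deque([(start, [start])]), {}
    while queue:
        node, path = queue.popleft()
        hops = len(path) - 1
        if node != start and node in feed:
            hits[node] = (hops, path)
        if hops < max_hops:
            for nxt in adj.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [nxt]))
    return hits

def score_factor(deployer, transfers, feed, feed_age_days, coverage_ok=True):
    """Green/Yellow/Red/Gray plus the evidence artifact (hop count, path)."""
    if not coverage_ok or feed_age_days > FEED_MAX_AGE_DAYS:
        why = "coverage incomplete" if not coverage_ok else "cluster feed stale"
        return {"color": "gray", "critical": False, "reason": why}
    hits = hops_to_clusters(transfers, deployer, feed)
    high = {a: v for a, v in hits.items() if feed[a][1] == "high"}
    for color, cands in (("red", high), ("yellow", hits)):
        if cands:  # nearest labelled address becomes the evidence artifact
            addr, (hops, path) = min(cands.items(), key=lambda kv: kv[1][0])
            return {"color": color, "critical": color == "red",
                    "hop_count": hops, "path": path, "cluster": feed[addr][0]}
    return {"color": "green", "critical": False, "hop_count": None, "path": None}
```

A confirmed cluster four or more hops away is deliberately not reached, which is what keeps the factor's window bounded and its evidence artifact reproducible.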

Data & output

| Field | Value |
|---|---|
| Data source | Chainalysis/TRM DPRK/Lazarus cluster labels + deployer address on-chain graph traversal |
| Output format | Green / Yellow / Red · critical gate active |
| Evidence artifact | Deployer address + hop-count + intermediary addresses + CTI feed report |
| Confidence signal | green = no path ≤3 hops to DPRK cluster; red = path ≤3 hops confirmed; gray = CTI feed unavailable |

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-125 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | green |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | green |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | green |
| Curve Finance | ethereum | green |
| deBridge | ethereum | not_assessed |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | green |
| EigenLayer | ethereum | green |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | green |
| Falcon Finance | ethereum | gray |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | green |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | yellow |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | green |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | green |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | green |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | green |
| Orca | solana | green |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | green |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | green |
| Sanctum | solana | green |
| Save (formerly Solend) | solana | green |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | green |
| SUNSwap (sun.io) | tron | yellow |
| Superstate | ethereum | green |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | green |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | yellow |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 4 historical incidents

- **LNDFi (LND.fi)** (causal) · 2025-05-09 · $1M · Admin Backdoor (Malicious Code Injection by Contractor / DPRK Dev) · ★ Deployer linked to DPRK cluster [via dashboard_risk_factors/Team anonymity: Pseudonymous; possible DPRK IT worker involvement] || ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Radiant Capital** (causal) · 2024-10-16 · $53M · Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Munchables** (causal) · 2024-03-26 · $63M · Malicious Insider — Storage Slot Manipulation via Upgradeable Proxy · ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
- **Orbit Bridge (by Ozys)** (causal) · 2023-12-31 · $82M · Compromised Multisig Signer Keys (via rogue former CISO) · ★ Deployer linked to DPRK cluster [via cross-hack: Factor 65: DPRK Developer Risk]
Rubric version: v1.7.0 · Factor: RD-F-125 · Category: 7 · Carried by: 80 protocols · Critical: yes