defirisk.co
rubric v1.7.0

Real-capital social-engineering persona

A dev identity & insider risk factor in the v1.7.0 rubric. Measured per protocol on a e cadence.

Methodology: how we score

**What this measures** This factor flags when a "team contributor" or "external integrator" persona has deposited one million dollars or more of attributed real capital into the target protocol or peer protocols, where the curator assesses the deposits as credibility-building ahead of a social-engineering attack rather than as genuine investment activity. Measurement is manual OSINT combined with on-chain capital-flow analysis: the curator identifies the contributor, maps their deposit history across protocols, and assesses whether the capital deployment pattern is consistent with investment behavior or with pre-attack credibility building. Category 7 context: real-capital persona construction is a sophisticated DPRK tactic first documented in the Drift Protocol incident.

**Why it matters** The Drift Protocol incident (April 2026, $285M) established this attack pattern: UNC4736 (DPRK-attributed) built a six-month conference and in-person engagement history with the Drift team, deploying more than $1M in real capital across protocol interactions to establish credibility as a genuine integrator before gaining access to enable the pre-signing exploit. This represents a qualitative escalation from the classic IT-worker infiltration playbook — real capital is used as a trust-building instrument. The signal is P1 (not P0) because attribution requires curator confidence beyond on-chain evidence alone; false positives occur when genuine large depositors also have team engagement roles.

**Green / Yellow / Red** Green is scored when no contributor or integrator persona has a capital deployment pattern assessed as credibility-building by the curator. Yellow applies when a contributor or integrator has made large deposits but the pattern is consistent with genuine investment and no other risk indicators are present. Red is scored when curator assessment confirms a persona with $1M+ deposits whose capital deployment timeline, combined with their subsequent access or influence pattern, is consistent with social-engineering credibility construction.

**Common gray cases** Gray is assigned when large-depositor identity cannot be confirmed through OSINT, or when the curator cannot distinguish investment behavior from credibility-building behavior within the evidence budget — which is the norm for most protocols.

**Notable historical examples** No hack incidents in the database are currently linked to this factor.

Measurement: what to look for

Determine whether a curator-flagged "team contributor" or "external integrator" persona has ≥$1M of attributed real-capital deposits to the target protocol or peer protocols, potentially used to build credibility ahead of a social-engineering attack.

Data & output

| Field | Value |
| --- | --- |
| Data source | OSINT (social profile + on-chain capital flow tracing) + Chainalysis/TRM for attribution + curator review of deposit addresses |
| Output format | Green / Yellow / Red |
| Evidence artifact | Persona description + deposit address(es) + capital-flow trace + evidence URL + curator sign-off |
| Confidence signal | green = no such persona flagged; yellow = suspicious pattern noted but attribution below confidence threshold; red = curator-confirmed social-engineering persona with ≥$1M real-capital credentialing; gray = persona identification requires cross-source verification not yet completed |
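The Green / Yellow / Red rules, the gray cases and the confidence-signal table above can be encoded as a small scoring helper for tooling. This is an added example, not defirisk.co's own code: it aggregates a persona's attributed deposits across the target and peer protocols, applies the $1M bar, and then combines the curator's pattern assessment and attribution confidence into the factor score. The field names, the worst-wins roll-up order and the sample deposits are assumptions constructed for illustration.

```python
from dataclasses import dataclass

THRESHOLD_USD = 1_000_000  # the rubric's "$1M+" attributed real-capital bar
SEVERITY = ["green", "gray", "yellow", "red"]  # assumed worst-wins order for roll-up

@dataclass(frozen=True)
class Deposit:
    persona: str      # curator-assigned persona label
    protocol: str     # target or peer protocol that received the deposit
    usd_value: float  # USD value of the deposit at the time

@dataclass(frozen=True)
class Assessment:
    persona: str
    identity_confirmed: bool     # OSINT confirmed who controls the deposit addresses
    pattern: str                 # "investment", "credibility_building" or "undetermined"
    attribution_confident: bool  # curator confidence beyond on-chain evidence alone

def attributed_capital(deposits, persona):  # total across target + peer protocols
    return sum(d.usd_value for d in deposits if d.persona == persona)

def score_persona(deposits, a):
    """Green/Yellow/Red/Gray for one persona, following the rubric's stated rules."""
    if not a.identity_confirmed:
        return "gray"    # depositor identity cannot be confirmed through OSINT
    if attributed_capital(deposits, a.persona) < THRESHOLD_USD:
        return "green"   # below the $1M bar: no qualifying persona
    if a.pattern == "undetermined":
        return "gray"    # investment vs credibility-building unresolved within evidence budget
    if a.pattern == "investment":
        return "yellow"  # large deposits, but consistent with genuine investment
    if a.attribution_confident:
        return "red"     # curator-confirmed credibility construction
    return "yellow"      # suspicious pattern, attribution below confidence threshold

def score_protocol(deposits, assessments):  # roll-up: worst persona score (assumed order)
    scores = [score_persona(deposits, a) for a in assessments] or ["green"]
    return max(scores, key=SEVERITY.index)

SAMPLE_DEPOSITS = [  # constructed sample data, not real on-chain observations
    Deposit("integrator-A", "target-protocol", 600_000),
    Deposit("integrator-A", "peer-protocol", 450_000),  # crosses $1M only with peers included
    Deposit("lp-B", "target-protocol", 2_000_000),
    Deposit("contrib-C", "target-protocol", 1_500_000),
]
SAMPLE_ASSESSMENTS = [
    Assessment("integrator-A", True, "credibility_building", True),
    Assessment("lp-B", True, "investment", True),
    Assessment("contrib-C", False, "undetermined", False),
]
```

With the sample data, `score_protocol(SAMPLE_DEPOSITS, SAMPLE_ASSESSMENTS)` returns `"red"` because integrator-A only crosses the $1M bar once peer-protocol deposits are counted, which is why the rubric scopes deposits to peers as well as the target.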

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-184 |
| --- | --- | --- |
| Aave v3 | ethereum | gray |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | gray |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | gray |
| Balancer (v2 + v3) | ethereum | gray |
| Beefy Finance | ethereum | gray |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | gray |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | gray |
| crvUSD (Curve Stablecoin) | ethereum | gray |
| Curve Finance | ethereum | green |
| deBridge | ethereum | gray |
| Dolomite | ethereum | gray |
| dYdX v4 (dYdX Chain) | dydx | gray |
| EigenLayer | ethereum | gray |
| Ethena | ethereum | gray |
| ether.fi | ethereum | gray |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | gray |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | gray |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | gray |
| Jupiter Perpetual Exchange | solana | gray |
| JustLend DAO | tron | green |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | gray |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | gray |
| M^0 | ethereum | gray |
| Maple Finance | ethereum | gray |
| Marinade Finance | solana | gray |
| Meteora | solana | gray |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | gray |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | gray |
| Raydium | solana | green |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | gray |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | gray |
| Spiko | stellar | gray |
| Stake DAO | ethereum | gray |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | not_assessed |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | gray |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
Rubric version: v1.7.0 | Factor: RD-F-184 | Category: 7 | Carried by: 80 protocols | Critical: no