Known-threat-actor cluster has touched protocol
Aave v3's assessment for RD-F-158 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Lazarus Group (DPRK TraderTraitor) directly used Aave v3 as the drain venue in the April 18 Kelp DAO exploit: 89,567 fraudulent rsETH were deposited into the Aave v3 Ethereum Core Market, and approximately $196-236M in WETH, USDT and USDC was borrowed.

Attribution is confirmed by: (1) the LayerZero post-mortem of April 20 2026 (primary; LayerZero Labs official attribution); (2) the Chainalysis KelpDAO bridge exploit blog, April 2026 (secondary); (3) multiple blockchain analytics firms. As of April 27, the attribution has not been walked back by any authoritative source.

New OFAC address listings specific to the April 18 wallets are not confirmed in public sources as of April 27: existing Lazarus cluster addresses are on the OFAC SDN list, but the SDN listing status of the specific wallets is unconfirmed.

The bad debt ($123-$230M) remains unresolved; DeFi United has raised ~$160M of its $200M target (CoinDesk, April 26).

Note: Aave is the victim venue, not a DPRK-controlled protocol. F158 fires because Lazarus *interacted with* the protocol, not because team/deployers are
Sources
- CoinDesk: Aave raises ~80% of $200M needed to cover bad debt (April 26 2026). DeFi United recovery status. Retrieved 2026-04-27.
- Aave Governance: rsETH Incident Report April 20 2026. rsETH Incident Report (Aave governance). Retrieved 2026-04-27.
- CoinDesk: LayerZero blames Kelp setup, attributes to DPRK Lazarus. LayerZero attribution statement (CoinDesk). Retrieved 2026-04-27.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.