Known-threat-actor cluster has touched protocol
Chainlink CCIP's assessment for RD-F-158 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
T-09 v1 production signal (Tier C advisory; phase 2 infra required). Highly applicable: CCIP is the highest-value bridge target in DeFi post-LayerZero migration (~$9.57B total TVS), and Lazarus/DPRK actors are actively targeting bridge infrastructure. U4 note: KelpDAO exploit proceeds (April 2026) were laundered via various channels, but CCIP was a migration DESTINATION, not a laundering route. That is adversarial venue use of LayerZero (not CCIP), so it is not F158 for CCIP. No confirmed Lazarus/DPRK wallet interaction with CCIP core contracts was found via public OSINT. A CTI feed (Chainalysis/TRM) is required for a definitive assessment: 'no public evidence' is not 'no interaction' for this high-profile target.
Sources
- Internal: U4 protocol context — adversarial venue use distinction. Protocol context U4 — DPRK adversarial-venue-use of LayerZero (not CCIP) in KelpDAO exploit; CCIP was migration destination not exploit vector. Retrieved 2026-05-16.
- 2025 Crypto Theft Reaches $3.4 Billion — Chainalysis. Chainalysis 2025 Crypto Theft Report — DPRK stole $2B+ in 2025; bridge infrastructure primary target class. Retrieved 2026-05-16.
- Chainlink CCIP gains over $2.5B TVL. The Block: CCIP gains $2.5B+ TVL — CCIP is now the highest-value bridge target post-LayerZero migration. Retrieved 2026-05-16.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.