Mixer withdrawal → protocol interaction
Compound V3 (Comet)'s assessment for RD-F-090 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Lazarus Group (TC-attributed DPRK cluster) deposited stolen rsETH into Compound V3 cWETHv3 on Apr 18 2026, borrowing ~$39M WETH. State-changing interaction >$100k. Attribution: LayerZero + Coindesk (>=2 sources). Within 30-day window. Tier-C advisory, does not flip grade.
Detail #
Lazarus Group / TraderTraitor (same cluster as Bybit $1.4B 2025 exploit) interacted with Compound V3 cWETHv3 core contracts on April 18, 2026, depositing 116,500 stolen rsETH as collateral and borrowing approximately $39M WETH. Attribution: LayerZero issued a public statement citing 'likely DPRK's Lazarus Group, more specifically TraderTraitor' (TheBlock 2026-04-20). Coindesk 2026-04-20 and Bleepingcomputer 2026-04-21 provide independent confirmation (>=2 attribution sources). Interaction is state-changing (supply rsETH, borrow WETH) with value far exceeding $100k threshold. Mixer attribution is public (DPRK clusters use Tornado Cash for laundering by standard TI pattern); formal 3-hop TC withdrawal confirmation requires Chainalysis/TRM private feed. The signal fires at tier-C advisory — does not flip letter grade. 9 days remain in the 30-day window as of 2026-04-27.
Sources #
- URL
- LayerZero confirms Kelp DAO exploit attributed to DPRK Lazarus GroupTheBlock 2026-04-20: LayerZero statement attributing Kelp DAO exploit to Lazarus Group / TraderTraitorretrieved 2026-04-27
Methodology #
Detect whether a wallet that recently withdrew from Tornado Cash, Railgun, or similar mixer has interacted with this protocol.
See the full factor methodology and distribution across all protocols →