defirisk.co
rubric v1.7.0

Known-threat-actor cluster has touched protocol

Assessment of Compound V3 (Comet) for RD-F-158: scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Lazarus Group / TraderTraitor (DPRK-attributed) deposited stolen rsETH into Compound V3 cWETHv3 on Apr 18 2026, borrowing ~$39M WETH. Attribution: LayerZero + CoinDesk (>=2 sources, HIGH confidence). Within the 30-day window. Tier-C advisory, does not flip the grade. Attacker-as-user pattern, not developer/deployer DPRK linkage.

Detail

Lazarus Group (TraderTraitor variant, DPRK-attributed; same cluster as the Bybit $1.4B exploit of Feb 2025) interacted with Compound V3 cWETHv3 core contracts on April 18, 2026. The attacker deposited 116,500 stolen rsETH as collateral and borrowed approximately $39M WETH, then withdrew to attacker-controlled addresses.

Attribution: LayerZero public statement (The Block, 2026-04-20): 'Preliminary indicators suggest attribution to a highly-sophisticated state actor, likely DPRK's Lazarus Group, more specifically TraderTraitor.' Independent confirmation: CoinDesk 2026-04-20, BleepingComputer 2026-04-21.

Interaction type: state-changing (supply rsETH, borrow WETH). Amount: ~$39M (far exceeds the $100k threshold). Within the 30-day window as of 2026-04-27 (9 days elapsed).

This is an ATTACKER-AS-USER interaction: funds flowed FROM Lazarus INTO the protocol as collateral. It does NOT constitute developer or deployer DPRK linkage (RD-F-125 remains green under Cat 7). Per T-09 §6.2 RD-F-158: tier-C advisory, never flips grade.

Sources

Methodology

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
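The check described above, sketched as an added example (not defirisk.co's own code). The `Interaction` record shape, the set of state-changing actions, the placeholder addresses, and the "green when nothing qualifies" fallback are assumptions; the 30-day window, $100k threshold and two-source rule are the values quoted on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 30            # look-back window stated in the methodology
USD_THRESHOLD = 100_000     # amount threshold quoted in the evidence detail
STATE_CHANGING = {"supply", "borrow", "withdraw", "repay"}  # assumed action set

@dataclass(frozen=True)
class Interaction:          # hypothetical shape of one indexed protocol call
    day: date
    sender: str
    action: str
    usd_value: float

def score_rd_f_158(events, cluster, sources, as_of):
    """Return (score, confidence, hits) for the known-threat-actor factor."""
    cutoff = as_of - timedelta(days=WINDOW_DAYS)
    labelled = {a.lower() for a in cluster}    # normalise checksummed addresses
    hits = [
        e for e in events
        if e.sender.lower() in labelled        # sender is in the curated cluster
        and cutoff <= e.day <= as_of           # inside the 30-day window
        and e.action in STATE_CHANGING         # read-only calls do not count
        and e.usd_value >= USD_THRESHOLD
    ]
    # HIGH confidence requires at least two distinct attribution sources.
    confidence = "HIGH" if len(set(sources)) >= 2 else "LOW"
    # Assumption: anything short of a HIGH-confidence hit is scored green.
    score = "yellow" if hits and confidence == "HIGH" else "green"
    return score, confidence, hits

# Constructed sample data: placeholder addresses, amounts rounded from the page.
ACTOR = "0x" + "Aa" * 20
CLUSTER = {ACTOR.lower()}
AS_OF = date(2026, 4, 27)
EVENTS = [
    Interaction(date(2026, 4, 18), ACTOR, "borrow", 39_000_000),       # qualifying
    Interaction(date(2026, 4, 18), ACTOR, "balanceOf", 0),             # read-only
    Interaction(date(2026, 3, 1), ACTOR, "supply", 250_000),           # too old
    Interaction(date(2026, 4, 20), "0x" + "bb" * 20, "supply", 5e6),   # unlabelled
]

if __name__ == "__main__":
    print(score_rd_f_158(EVENTS, CLUSTER, ["LayerZero", "CoinDesk"], AS_OF))
```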


rubric_version: v1.7.0
protocol: compound-v3
factor: RD-F-158
score: yellow
collected_at: 2026-04-28 00:20:50