Known-threat-actor cluster has touched protocol
crvUSD (Curve Stablecoin)'s assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Known-threat-actor wallet cluster has touched protocol. The UwU Lend attacker (June 10, 2024 $19.3M exploit) used crvUSD Borrower on Curve Lend to open a 8.12M crvUSD borrow against 23.6M CRV collateral at Block 20061322. This attacker's wallet is a post-exploit labeled threat-actor cluster member. Per task instructions: an attacker routing through a Curve/crvUSD pool is Cat 11 F158 yellow, NOT team contamination. No DPRK/Lazarus-attributed cluster has been confirmed as touching crvUSD contracts per public Chainalysis or OFAC reporting. No Bybit-class (Feb 2025, $1.5B DPRK) or Ronin-class DPRK attribution found for crvUSD interactions. Yellow: threat-actor touched protocol in 2024 (>12 months ago); requires curated TI feed to confirm whether same wallet interacted in the last 30 days. [T-09 v1 phase-2 signal]
Sources #
- URLSlowMist UwU Lend exploit analysisSlowMist UwU Lend analysis: attacker opened crvUSD borrow (8.12M crvUSD) against CRV collateral at Block 20061322 — threat-actor wallet touched crvUSD Borrower contractretrieved 2026-05-16
- LlamaRisk crvUSD depeg June 2024LlamaRisk incident report June 2024: illicit UwU funds opened borrow positions on Curve Lend — confirms threat-actor wallet used crvUSD marketsretrieved 2026-05-16
Methodology #
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
See the full factor methodology and distribution across all protocols →