Known-threat-actor cluster has touched protocol

Hyperlane's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Hyperlane Warp Routes are a permissionless cross-chain bridge — the same class of protocol used by Lazarus Group for laundering post-exploit (confirmed: LayerZero/Kelp DAO April 2026, $292M DPRK attribution). No confirmed threat-actor cluster touch on Hyperlane's specific contracts detected via public sources. Scoring is U4 PASSIVE-VENUE: bridges are common laundering routes — attacker bridging THROUGH Hyperlane is a passive venue risk, not team contamination. Yellow: elevated posture due to bridge-class being DPRK/Lazarus target class; no confirmed incident; T-09 phase-2 signal requiring Chainalysis/TRM live feed for confirmation.

Sources #

Docs
Hyperlane ISM OverviewHyperlane permissionless ISM architecture — no whitelist on Warp Route usage; any wallet including threat-actor wallets can bridgeretrieved 2026-05-17
URL
Kelp DAO DPRK AttributionLayerZero/Kelp DAO DPRK attribution — Lazarus Group targeted LayerZero DVN in April 2026 $292M exploit; demonstrates DPRK interest in bridge-class protocolsretrieved 2026-05-17

Methodology #

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-158 score yellow collected_at 2026-05-16 23:03:56