Known-threat-actor cluster has touched protocol
Marinade Finance's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
T-09 phase-2 signal (Tier-C, advisory only). The Lazarus/DPRK INCOGNITO cluster used Solana ecosystem infrastructure in the Drift exploit (Apr 2026, $285M). Separately, Lazarus laundered $3.2M of stolen Solana assets (May 2025; attributed by ZachXBT in Jun 2025; routed through Ethereum and Tornado Cash). There is no confirmed public on-chain attribution of a known DPRK wallet directly interacting with Marinade program accounts (MarBmsSgKXdrN1egZf5sqe1TMai9K1rChYNDJgjq7aD) within 30 days of the assessment. However, as a $602M SOL staking venue, Marinade is a plausible passive-venue routing layer for DPRK fund movement (U4: adversarial venue use). Yellow advisory posture. This is NOT team contamination (F125 scope); DPRK team linkage is unconfirmed. Tier-C: advisory only, no grade flip.
Sources
- TRM Labs — Bybit hack, North Korean hackers, Solana DEX laundering. https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit (retrieved 2026-05-16)
- Process-learnings -- Raydium DPRK wash-trading venue use (Drift Apr 2026). C:\Users\abdul\OneDrive\Desktop\Memory\Memory\RiskProduct\risk-dashboard\.research\protocols\process-learnings.md (raydium entry, DPRK venue use; retrieved 2026-05-16)
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
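The check described above, as an added example that is not the dashboard's own code: it scans a set of transaction records for any signer in a curated threat-actor cluster that invoked the Marinade program account named on this page within the 30-day lookback. The cluster entries, the transaction records and the `find_cluster_touches` / `run_sample` function names are constructed placeholders, not real chain data; only the program id and the assessment date come from the page.

```python
from datetime import datetime, timedelta, timezone

# Marinade staking program account named on the page.
MARINADE_PROGRAM = "MarBmsSgKXdrN1egZf5sqe1TMai9K1rChYNDJgjq7aD"
LOOKBACK = timedelta(days=30)
# Assessment date taken from the page's retrieval date.
ASSESSMENT_DATE = datetime(2026, 5, 16, tzinfo=timezone.utc)

# Constructed placeholder cluster (fake addresses). The real dashboard would
# load the curator-maintained list from its research files.
THREAT_CLUSTER = {
    "PLACEHOLDER_ATTACKER_ADDR_1": "placeholder-cluster-A",
    "PLACEHOLDER_ATTACKER_ADDR_2": "placeholder-cluster-B",
}

# Constructed sample transactions (not real chain data): one flagged signer
# invoking the Marinade program inside the window, one outside the window,
# and one flagged signer that only touched the system program.
SAMPLE_TXS = [
    {"sig": "tx1", "block_time": "2026-05-10T12:00:00Z",
     "signers": ["PLACEHOLDER_ATTACKER_ADDR_1"], "programs": [MARINADE_PROGRAM]},
    {"sig": "tx2", "block_time": "2026-03-01T00:00:00Z",
     "signers": ["PLACEHOLDER_ATTACKER_ADDR_2"], "programs": [MARINADE_PROGRAM]},
    {"sig": "tx3", "block_time": "2026-05-12T08:30:00Z",
     "signers": ["PLACEHOLDER_ATTACKER_ADDR_2"],
     "programs": ["11111111111111111111111111111111"]},
]

def _parse(ts):
    # Block times are ISO-8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_cluster_touches(txs, cluster, program, as_of):
    """Return (signature, address, cluster label) for every transaction in the
    lookback window that was signed by a cluster address and invoked `program`.
    An empty result is the 'no confirmed direct interaction' finding; the page
    notes this does not by itself exclude passive-venue use."""
    cutoff = as_of - LOOKBACK
    hits = []
    for tx in txs:
        when = _parse(tx["block_time"])
        if not (cutoff <= when <= as_of) or program not in tx["programs"]:
            continue
        for addr in tx["signers"]:
            if addr in cluster:
                hits.append((tx["sig"], addr, cluster[addr]))
    return hits

def run_sample():
    return find_cluster_touches(SAMPLE_TXS, THREAT_CLUSTER,
                                MARINADE_PROGRAM, ASSESSMENT_DATE)
```

Under this page's rubric a hit from a Tier-C signal is still advisory only; the function reports the evidence and leaves the grade decision to the curator.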