Known-threat-actor cluster has touched protocol
Orca's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Known-threat-actor cluster has touched protocol. Lazarus Group (DPRK) is confirmed to have used Solana DEX infrastructure to launder funds after the Bybit hack (February 2025, roughly $1.5B). TRM Labs and ZachXBT documented 920+ laundering addresses and routing through Solana DEXs and Pump.fun. Orca is the second-largest Solana DEX by TVL ($254M) and allows permissionless pool creation, so this is class-level evidence of adversarial venue use for the Solana DEX ecosystem as a whole.

No confirmed, publicly attributed interaction between a named Lazarus cluster address and Orca's contracts was found in the available public reports (Chainalysis, TRM Labs, ZachXBT). Scored yellow per the U4 instruction on the adversarial-venue-use basis; a specific Orca pool interaction is not confirmed. This signal is a venue-use flag, not team contamination, which is in the dev-identity analyst's scope under F125.
Sources
- Lazarus Group 920+ laundering addresses, Solana DEX use post-Bybit 2025: https://controverity.com/2025/03/07/lazarus-group-suspected-in-solana-meme-coin-scams-for-money-laundering-after-bybit-hack/ (retrieved 2026-05-16)
- CoinMarketCap — Lazarus Group Bybit hack and Solana meme coin scams (laundering via Solana DEX): https://coinmarketcap.com/academy/article/north-koreas-lazarus-group-linked-to-dollar14-billion-bybit-hack-and-solana-meme-coin-scams (retrieved 2026-05-16)
- TRM Labs — Bybit hack, North Korean hackers, Solana DEX laundering: https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit (retrieved 2026-05-16)
- U4 adversarial-venue-use scoring instruction: if DPRK/Lazarus used Orca pools as a wash-trading/laundering venue, score F158 yellow (adversarial venue use; not team contamination). No specific Orca pool attribution found in public sources; class-level evidence is sufficient for yellow. (retrieved 2026-05-16)
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
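The check the methodology describes, written out as an added example that is not part of this page or of the assessment platform's own tooling. It takes a curator-maintained cluster of labelled addresses, the set of program IDs that make up the protocol, and a transaction sample, and returns every cluster interaction inside the 30-day window. All addresses, program IDs, signatures and cluster labels below are constructed placeholders, not real attributed addresses; the transaction records are constructed inline so the block runs offline, whereas a real run would pull them from an RPC node or indexer. Because laundering swaps are often routed through an aggregator, the check matches on every program a transaction invoked, inner CPI calls included, rather than only the top-level instruction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Tx:
    """One confirmed transaction. `accounts` holds every account key the
    transaction touched (signers included); `program_ids` holds every program
    invoked, outer and inner (CPI), so a swap routed through an aggregator
    still shows the pool program it reached."""
    signature: str
    block_time: datetime
    accounts: frozenset
    program_ids: frozenset


# Constructed placeholder addresses (not real attributed addresses).
ATTACKER_1 = "AttkrAddr1PlaceholderXXXXXXXXXXXXXXXXXXXXX"
ATTACKER_2 = "AttkrAddr2PlaceholderXXXXXXXXXXXXXXXXXXXXX"
ATTACKER_3 = "AttkrAddr3PlaceholderXXXXXXXXXXXXXXXXXXXXX"
USER = "UserAddrPlaceholderXXXXXXXXXXXXXXXXXXXXXXXX"
POOL_PROGRAM = "PoolProgramPlaceholderXXXXXXXXXXXXXXXXXXXX"
OTHER_DEX_PROGRAM = "OtherDexProgramPlaceholderXXXXXXXXXXXXXXXX"
AGGREGATOR_PROGRAM = "AggregatorProgramPlaceholderXXXXXXXXXXXXXX"
TOKEN_PROGRAM = "TokenProgramPlaceholderXXXXXXXXXXXXXXXXXXX"

# Curator-maintained cluster: address -> attacker-family label (constructed).
THREAT_CLUSTER = {
    ATTACKER_1: "cluster-A/exchange-hack-laundering",
    ATTACKER_2: "cluster-A/exchange-hack-laundering",
    ATTACKER_3: "cluster-B/past-exploiter",
}

# Program IDs that together constitute "this protocol" (constructed).
PROTOCOL_PROGRAMS = frozenset({POOL_PROGRAM})

# Assessment date from the page; the window is counted back from here.
NOW = datetime(2026, 5, 16, tzinfo=timezone.utc)

# Constructed transaction sample covering the cases the check must separate.
SAMPLE_TXS = [
    # cluster address swaps on the protocol 3 days ago -> hit
    Tx("sig-hit-direct", NOW - timedelta(days=3),
       frozenset({ATTACKER_1}), frozenset({POOL_PROGRAM, TOKEN_PROGRAM})),
    # cluster address on the protocol, but 45 days ago -> outside the window
    Tx("sig-old", NOW - timedelta(days=45),
       frozenset({ATTACKER_2}), frozenset({POOL_PROGRAM, TOKEN_PROGRAM})),
    # cluster address inside the window, but at a different venue -> no hit
    Tx("sig-other-venue", NOW - timedelta(days=1),
       frozenset({ATTACKER_3}), frozenset({OTHER_DEX_PROGRAM, TOKEN_PROGRAM})),
    # unlabelled user on the protocol -> no hit
    Tx("sig-benign", NOW - timedelta(days=2),
       frozenset({USER}), frozenset({POOL_PROGRAM, TOKEN_PROGRAM})),
    # cluster address routed through an aggregator; pool reached by CPI -> hit
    Tx("sig-hit-routed", NOW - timedelta(days=10),
       frozenset({ATTACKER_1, USER}),
       frozenset({AGGREGATOR_PROGRAM, POOL_PROGRAM, TOKEN_PROGRAM})),
]


def cluster_interactions(txs, cluster, protocol_programs, now, window_days=30):
    """Return {label: [(signature, block_time, address), ...]} for every
    transaction inside the last `window_days` in which an address from
    `cluster` touched a program in `protocol_programs`. Rows are sorted by
    time; transactions dated after `now` are ignored."""
    cutoff = now - timedelta(days=window_days)
    hits = {}
    for tx in txs:
        if not (cutoff <= tx.block_time <= now):
            continue
        if not (tx.program_ids & protocol_programs):
            continue
        for addr in sorted(tx.accounts.intersection(cluster)):
            hits.setdefault(cluster[addr], []).append((tx.signature, tx.block_time, addr))
    for rows in hits.values():
        rows.sort(key=lambda row: row[1])
    return hits


def summarize(hits):
    """Per-cluster evidence the curator records: distinct transaction count,
    the addresses involved, and the first and last interaction times."""
    return {
        label: {
            "tx_count": len({sig for sig, _, _ in rows}),
            "addresses": sorted({addr for _, _, addr in rows}),
            "first": rows[0][1].isoformat(),
            "last": rows[-1][1].isoformat(),
        }
        for label, rows in hits.items()
    }


if __name__ == "__main__":
    found = cluster_interactions(SAMPLE_TXS, THREAT_CLUSTER, PROTOCOL_PROGRAMS, NOW)
    for label, info in summarize(found).items():
        print(label, info)
```

An empty result from this check is what the assessment above records: it is the absence of a confirmed address-level hit, and is what leaves the class-level venue-use evidence as the only basis for the score. A non-empty result would be direct evidence and should be recorded with the signatures, since labelled addresses in a curated cluster can be relabelled or withdrawn later.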