Sybil surge of identical-pattern transactions
Raydium's assessment for RD-F-097 — scored not_assessed on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Cat 6A precursor signal (v1-deferred). Raydium's permissionless pool creation was exploited in the Drift April 2026 DPRK attack: attackers used a 423-wallet fan-out to seed CVT fake token pools and wash-trade across 3 weeks to build artificial price history. This is a confirmed sybil-transaction-surge pattern directly using Raydium's permissionless infrastructure. The attack was aimed at Drift (using Raydium as venue), not at Raydium itself, but demonstrates the structural vector. Yellow because: (a) the attack class has been executed through Raydium within 30 days of assessment; (b) Raydium's permissionless pool creation means this vector is always structurally available; (c) no signal wiring exists to detect sybil-pool-seeding activity on Raydium. Current posture: no active sybil surge targeting Raydium itself identified.
Sources
- $285M Gone in 12 Minutes — Crypto Times. Drift April 2026: 423-wallet fan-out used Raydium pools for CVT wash trading to build fake price history for Drift oracle manipulation. Retrieved 2026-04-29.
- The Drift Protocol Hack — Chainalysis Blog. Chainalysis: Drift hack involved CVT seeded on Raydium with wash trading to anchor price at ~$1. Retrieved 2026-04-29.
- North Korean Hackers Attack Drift Protocol — TRM Labs. TRM Labs: North Korean hackers used Raydium as wash-trading venue in Drift Protocol $285M heist. Retrieved 2026-04-29.
Methodology
Detect multiple new EOAs submitting identical transaction patterns within a short window (sybil setup pattern).
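One way to implement the check described in this methodology, as an added example and not the rubric's own detection code. The record field names, the definition of an "identical pattern" (same program, instruction and amount), the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

def fingerprint(tx):
    # Assumption: "identical pattern" = same program, instruction and amount.
    return (tx["program"], tx["instruction"], tx["amount"])

def find_sybil_clusters(txs, first_seen, window_s=600,
                        max_wallet_age_s=86400, min_wallets=5):
    """Return [(fingerprint, window_start_ts, wallets)] for every pattern sent by
    at least min_wallets distinct new wallets within window_s seconds."""
    by_pattern = defaultdict(list)
    for tx in txs:
        # Keep only transactions from wallets that were new when they sent them.
        if tx["ts"] - first_seen[tx["wallet"]] <= max_wallet_age_s:
            by_pattern[fingerprint(tx)].append((tx["ts"], tx["wallet"]))
    alerts = []
    for fp, events in by_pattern.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window so it never spans more than window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            # Count distinct wallets: one wallet repeating itself is not a fan-out.
            wallets = {w for _, w in events[start:end + 1]}
            if len(wallets) >= min_wallets and (
                    best is None or len(wallets) > len(best[1])):
                best = (events[start][0], wallets)
        if best:
            alerts.append((fp, best[0], sorted(best[1])))
    return alerts

def sample():
    """Constructed sample data (not real chain data); names are hypothetical."""
    first_seen, txs = {}, []
    def add(wallet, ts, amount):
        txs.append({"wallet": wallet, "ts": ts, "program": "amm",
                    "instruction": "swap", "amount": amount})
    for i in range(6):                    # six fresh wallets, same pattern
        first_seen[f"new{i}"] = 1000
        add(f"new{i}", 2000 + 60 * i, 1000)
    first_seen["old0"] = -10_000_000      # long-lived wallet: ignored
    add("old0", 2100, 1000)
    first_seen["solo"] = 1000             # one fresh wallet repeating itself
    for i in range(8):
        add("solo", 2000 + i, 77)
    return txs, first_seen
```

Tightening `window_s` or raising `min_wallets` trades recall for fewer false positives from ordinary bursts such as airdrop claims.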