Known-threat-actor cluster has touched protocol
Sanctum's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
T-09 v1 phase 2 signal (Tier C, advisory only). No confirmed direct interaction between a DPRK/Lazarus cluster and Sanctum contracts has been identified in public sources.

Drift exploit (April 2026, DPRK-attributed, $285M): post-exploit swaps went through a Solana DEX aggregator (Jupiter, per reports); Sanctum/Infinity is not specifically named in the Elliptic or TRM laundering-route analysis. Bybit (February 2025, $1.5B, Lazarus): funds were routed through Solana broadly, with no Sanctum-specific interaction documented.

Elevated background exposure: Sanctum is the largest Solana LST liquidity layer ($1.37B TVL), and all major high-TVL Solana protocols are passive potential drain venues for DPRK actors.

Framing: any DPRK actor using Sanctum as a passive swap venue is adversarial-venue-use (F158, Cat 11), not dev-identity contamination (F125, Cat 7). This cannot be confirmed or denied without a licensed Chainalysis/TRM Solana cluster feed.
Sources
- The Bybit Hack: Following North Korea's Largest Exploit (TRM Labs): Bybit hack, $1.5B, Lazarus Group; Solana broadly used in the laundering route. Retrieved 2026-05-04.
- North Korean Hackers Attack Drift Protocol (TRM Labs): Drift Protocol, $285M, DPRK attribution; funds bridged to Ethereum. Retrieved 2026-05-04.
- Drift Protocol exploited for $286 million (Elliptic): Drift Protocol laundering, Solana DEX aggregator used; Sanctum not named. Retrieved 2026-05-04.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
See the full factor methodology and distribution across all protocols →