Known-threat-actor cluster has touched protocol
Spiko's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
No confirmed Lazarus/DPRK wallet interaction with Spiko contracts has been identified in public sources. However: (1) $1.217B TVL in yield-bearing T-bill tokens is a high-value reconnaissance target; (2) Lazarus has demonstrated KYC bypass via false identity (Drift, Apr 2026); (3) redemption flows represent liquid exit channels for stolen capital. Per §15 U4, passive venue use by a DPRK attacker is not team contamination; this is Cat 11 threat intelligence, not Cat 7 contamination. The KYC whitelist provides friction but is not a complete barrier. Yellow reflects target-profile risk without positive evidence of current interaction. Live monitoring requires a curated TI feed.
Sources
- URL: North Korea DPRK crypto theft pattern 2025-2026. DPRK Lazarus $6B crypto crime — Bybit $1.5B Feb 2025; Drift $285M Apr 2026 — pattern of targeting high-TVL protocols with KYC-bypass social engineering. Retrieved 2026-05-16.
- T-09 RD-F-158 signal specification. T-09 §4.10 RD-F-158: curated threat-actor cluster + on-chain scan required. Phase 2, Tier-C advisory. DPRK targeting pattern: Drift $285M Apr 2026 included KYC identity falsification. Retrieved 2026-05-16.
- Spiko clean incident record. 00-data-cache.json rekt.incidents: [] — no confirmed Spiko incident; 00-profile.md §10: no known incidents. Retrieved 2026-05-16.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
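The check described above, written out as an added example (not the curator's or Spiko's own tooling). The event fields, the names `norm` and `cluster_hits`, and every address and label are constructed for illustration; it assumes transfer events have already been pulled from an indexer into dictionaries.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)  # look-back period stated in the methodology

def norm(addr):
    """Lower-case an address so checksummed and plain hex forms compare equal."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    int(a[2:], 16)  # raises ValueError on non-hex characters
    return a

def cluster_hits(events, cluster, contracts, as_of):
    """Events inside the window where a cluster address is the counterparty
    of a protocol contract, in either direction (deposit or payout)."""
    labels = {norm(a): fam for a, fam in cluster.items()}
    watched = {norm(c) for c in contracts}
    start = as_of - WINDOW
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if not (start <= ts <= as_of):
            continue  # older than 30 days, or after the assessment date
        src, dst = norm(ev["from"]), norm(ev["to"])
        for actor, contract in ((src, dst), (dst, src)):
            if actor in labels and contract in watched:
                hits.append({"tx": ev["tx"], "actor": actor,
                             "label": labels[actor], "ts": ev["ts"]})
    return hits

# Constructed sample data: placeholder addresses, not real wallets or contracts.
CONTRACT, ACTOR, OTHER = "0x" + "c0" * 20, "0x" + "Ab" * 20, "0x" + "11" * 20
SAMPLE_CLUSTER = {ACTOR: "constructed-family-A"}
SAMPLE_CONTRACTS = [CONTRACT]
AS_OF = datetime(2026, 5, 16, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"tx": "t1", "from": ACTOR.lower(), "to": CONTRACT, "ts": "2026-05-10T12:00:00+00:00"},
    {"tx": "t2", "from": ACTOR, "to": CONTRACT, "ts": "2026-03-01T09:00:00+00:00"},  # too old
    {"tx": "t3", "from": OTHER, "to": CONTRACT, "ts": "2026-05-11T08:30:00+00:00"},  # not in cluster
    {"tx": "t4", "from": CONTRACT, "to": ACTOR, "ts": "2026-05-12T15:45:00+00:00"},  # payout side
    {"tx": "t5", "from": ACTOR, "to": OTHER, "ts": "2026-05-13T10:00:00+00:00"},  # not the protocol
]

if __name__ == "__main__":
    for hit in cluster_hits(SAMPLE_EVENTS, SAMPLE_CLUSTER, SAMPLE_CONTRACTS, AS_OF):
        print(hit)
```

An empty result here means only that no labeled address appeared in the scanned events; it says nothing about unlabeled wallets, which is why the score above rests on target profile rather than on this check alone.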