defirisk.co
rubric v1.7.0

Known-threat-actor cluster has touched protocol

StakeWise v3's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No public attribution of Lazarus/DPRK-labeled wallet interaction with StakeWise v3 core contracts was found (web search: zero protocol-specific results for 'StakeWise DPRK Lazarus'). StakeWise is a passive venue: a $795M ETH-staking LST is a plausible laundering target for post-exploit DPRK proceeds (ETH is the primary post-exploit conversion asset for the Lazarus group per 2024-2026 public reporting). Per the U4 rule (§15 of the briefing), DPRK passive-venue risk does not contaminate the Cat 7 team assessment.

Scored yellow because: (1) no confirmed interaction; (2) no licensed feed clearance available in static dry run; (3) passive-venue structural risk at this TVL level is non-negligible.

Sources

Methodology

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.
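
The check described above, sketched as an added example (not defirisk.co's own code). It assumes transfers are already available as records with a hash, timestamp, sender and recipient; the addresses, hashes and function names are constructed placeholders. It only sees direct transfers, so funds routed through an intermediary contract would not register.

```python
from datetime import datetime, timedelta, timezone
import string

WINDOW = timedelta(days=30)  # look-back stated in the methodology

def norm(addr):
    """Lower-case a 0x-prefixed 20-byte address so checksummed and plain forms match."""
    a = addr.strip().lower()
    if len(a) != 42 or not a.startswith("0x") or set(a[2:]) - set(string.hexdigits):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def cluster_hits(txs, cluster, protocol, as_of, window=WINDOW):
    """Return hashes of transfers inside the window that link a cluster address
    and a protocol contract in either direction (deposit or withdrawal)."""
    cluster = {norm(a) for a in cluster}
    protocol = {norm(a) for a in protocol}
    start = as_of - window
    hits = []
    for tx in txs:
        if not (start <= tx["ts"] <= as_of):
            continue  # outside the 30-day look-back
        src, dst = norm(tx["from"]), norm(tx["to"])
        if (src in cluster and dst in protocol) or (src in protocol and dst in cluster):
            hits.append(tx["hash"])
    return hits

# Constructed sample data: placeholder addresses, not real wallets or contracts.
ACTOR = "0x" + "aa" * 20   # stands in for a threat-actor cluster address
VAULT = "0x" + "bb" * 20   # stands in for a protocol core contract
OTHER = "0x" + "cc" * 20   # unlabeled address
AS_OF = datetime(2026, 5, 16, 1, 3, 28, tzinfo=timezone.utc)  # collected_at; UTC assumed

def days_ago(n):
    return AS_OF - timedelta(days=n)

SAMPLE_TXS = [
    {"hash": "tx-1", "ts": days_ago(10), "from": ACTOR, "to": VAULT},            # hit
    {"hash": "tx-2", "ts": days_ago(45), "from": ACTOR, "to": VAULT},            # too old
    {"hash": "tx-3", "ts": days_ago(2), "from": OTHER, "to": VAULT},             # unlabeled sender
    {"hash": "tx-4", "ts": days_ago(1), "from": VAULT, "to": "0x" + "AA" * 20},  # hit, mixed case
]

if __name__ == "__main__":
    print(cluster_hits(SAMPLE_TXS, [ACTOR], [VAULT], AS_OF))
```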


rubric_version: v1.7.0
protocol: stakewise
factor: RD-F-158
score: yellow
collected_at: 2026-05-16 01:03:28