Known-threat-actor cluster has touched protocol
Sushi (SushiSwap), covering v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap, scored yellow on RD-F-158 under the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Known-threat-actor wallet cluster has touched protocol. Lazarus Group-affiliated laundering wallets routed approximately $74M through Sushi v2/v3 pools during the Bybit post-exploit laundering period (February 2025, per Allium.so analysis). Sushi ranked second among DEXs for laundering volume ($74M, behind PancakeSwap at $263M). This was passive routing through Sushi liquidity pools by aggregators, not a direct attack on Sushi, but the protocol was a confirmed interaction venue for known threat-actor wallets within the recent past. As of 2026-05-17, this is ~90 days past the most recent confirmed interaction, outside the signal's 30-day threshold. No confirmed active interaction today. Structural attractiveness as a laundering venue persists given liquidity depth. Per U4 process-learning: this is F158 yellow, NOT F125 team contamination.
Sources
- Bybit Hack: How the Lazarus Group Exploited DeFi Protocols to Launder $400M (Allium.so). Bybit hack laundering; SushiSwap received $74M of Lazarus-attributed laundering flows. Retrieved 2026-05-17.
Methodology
Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.